suricata/src/detect-content.h

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 */

#ifndef __DETECT_CONTENT_H__
#define __DETECT_CONTENT_H__

/* Flags affecting this content */

#define DETECT_CONTENT_NOCASE            (1)
#define DETECT_CONTENT_DISTANCE          (1 << 1)
#define DETECT_CONTENT_WITHIN            (1 << 2)
#define DETECT_CONTENT_OFFSET            (1 << 3)
#define DETECT_CONTENT_DEPTH             (1 << 4)
#define DETECT_CONTENT_FAST_PATTERN      (1 << 5)
#define DETECT_CONTENT_FAST_PATTERN_ONLY (1 << 6)
#define DETECT_CONTENT_FAST_PATTERN_CHOP (1 << 7)
/** content applies to a "raw"/undecoded field if applicable */
#define DETECT_CONTENT_RAWBYTES          (1 << 8)
/** content is negated */
#define DETECT_CONTENT_NEGATED           (1 << 9)

/** a relative match to this content is next, used in matching phase */
#define DETECT_CONTENT_RELATIVE_NEXT     (1 << 10)

/* BE - byte extract */
#define DETECT_CONTENT_OFFSET_BE         (1 << 11)
#define DETECT_CONTENT_DEPTH_BE          (1 << 12)
#define DETECT_CONTENT_DISTANCE_BE       (1 << 13)
#define DETECT_CONTENT_WITHIN_BE         (1 << 14)

/* replace data */
#define DETECT_CONTENT_REPLACE           (1 << 15)
/* this flag is set during the staging phase.  It indicates that a content
 * has been added to the mpm phase and requires no further inspection inside
 * the inspection phase */
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED (1 << 16)

#define DETECT_CONTENT_IS_SINGLE(c) (!( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
                                        ((c)->flags & DETECT_CONTENT_WITHIN) || \
                                        ((c)->flags & DETECT_CONTENT_RELATIVE_NEXT) || \
                                        ((c)->flags & DETECT_CONTENT_DEPTH) || \
                                        ((c)->flags & DETECT_CONTENT_OFFSET) ))

/* if a pattern has no depth/offset limits, no relative specifiers and isn't
 * chopped for the mpm, we can take the mpm and consider this pattern a match
 * w/o futher inspection. Warning: this may still mean other patterns depend
 * on this pattern that force match validation anyway. */
#define DETECT_CONTENT_MPM_IS_CONCLUSIVE(c) \
                                    !( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
                                       ((c)->flags & DETECT_CONTENT_WITHIN)   || \
                                       ((c)->flags & DETECT_CONTENT_DEPTH)    || \
                                       ((c)->flags & DETECT_CONTENT_OFFSET)   || \
                                       ((c)->flags & DETECT_CONTENT_FAST_PATTERN_CHOP))


#include "util-spm-bm.h"

typedef struct DetectContentData_ {
    uint8_t *content;
    uint16_t content_len;
    uint16_t replace_len;
    /* for chopped fast pattern, the length */
    uint16_t fp_chop_len;
    /* for chopped fast pattern, the offset */
    uint16_t fp_chop_offset;
    /* would want to move PatIntId here and flags down to remove the padding
     * gap, but I think the first four members was used as a template for
     * casting.  \todo check this and fix it if posssible */
    uint32_t flags;
    PatIntId id;
    uint16_t depth;
    uint16_t offset;
    int32_t distance;
    int32_t within;
    /* Boyer Moore context (for spm search) */
    BmCtx *bm_ctx;
    /* pointer to replacement data */
    uint8_t *replace;
} DetectContentData;

/* prototypes */
void DetectContentRegister (void);
uint32_t DetectContentMaxId(DetectEngineCtx *);
DetectContentData *DetectContentParse (char *contentstr);
int DetectContentDataParse(const char *keyword, const char *contentstr,
    uint8_t **pstr, uint16_t *plen, uint32_t *flags);
DetectContentData *DetectContentParseEncloseQuotes(char *);

int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr);
void DetectContentPrint(DetectContentData *);

void DetectContentFree(void *);

#endif /* __DETECT_CONTENT_H__ */
Import of GPLv2 Header 050410 15 years ago			`/* Copyright (C) 2007-2010 Open Information Security Foundation`
			`*`
			`* You can copy, redistribute or modify this Program under the terms of`
			`* the GNU General Public License version 2 as published by the Free`
			`* Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* version 2 along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA`
			`* 02110-1301, USA.`
			`*/`

			`/**`
			`* \file`
			`*`
			`* \author Victor Julien <victor@inliniac.net>`
			`*/`

Initial add of the files. 17 years ago			`#ifndef __DETECT_CONTENT_H__`
			`#define __DETECT_CONTENT_H__`

Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 15 years ago			`/* Flags affecting this content */`
Initial add of the files. 17 years ago
fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, right chop, no replacet attached to it. 13 years ago			`#define DETECT_CONTENT_NOCASE (1)`
			`#define DETECT_CONTENT_DISTANCE (1 << 1)`
			`#define DETECT_CONTENT_WITHIN (1 << 2)`
			`#define DETECT_CONTENT_OFFSET (1 << 3)`
			`#define DETECT_CONTENT_DEPTH (1 << 4)`
			`#define DETECT_CONTENT_FAST_PATTERN (1 << 5)`
			`#define DETECT_CONTENT_FAST_PATTERN_ONLY (1 << 6)`
			`#define DETECT_CONTENT_FAST_PATTERN_CHOP (1 << 7)`
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 15 years ago			`/** content applies to a "raw"/undecoded field if applicable */`
fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, right chop, no replacet attached to it. 13 years ago			`#define DETECT_CONTENT_RAWBYTES (1 << 8)`
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 15 years ago			`/** content is negated */`
fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, right chop, no replacet attached to it. 13 years ago			`#define DETECT_CONTENT_NEGATED (1 << 9)`
Initial add of the files. 17 years ago
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 15 years ago			`/** a relative match to this content is next, used in matching phase */`
fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, right chop, no replacet attached to it. 13 years ago			`#define DETECT_CONTENT_RELATIVE_NEXT (1 << 10)`
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags 15 years ago
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines 14 years ago			`/* BE - byte extract */`
fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, right chop, no replacet attached to it. 13 years ago			`#define DETECT_CONTENT_OFFSET_BE (1 << 11)`
			`#define DETECT_CONTENT_DEPTH_BE (1 << 12)`
			`#define DETECT_CONTENT_DISTANCE_BE (1 << 13)`
			`#define DETECT_CONTENT_WITHIN_BE (1 << 14)`
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines 14 years ago
Add support for replace keyword. This patch adds support for the replace keyword. It is used with content to change selected part of the payload. The major point with this patch is that having a replace keyword made necessary to avoid all stream level check because we need to access to the could-be-modified packet payload. One of the main difficulty is to handle complex signature. If there is other content check, we must do the substitution when we're sure all match are valid. The patch adds an attribute to the thread context variable to be able to deal with recursivity of the match function. Replace is only activated in IPS mode and apply only to raw match. 14 years ago			`/* replace data */`
fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, right chop, no replacet attached to it. 13 years ago			`#define DETECT_CONTENT_REPLACE (1 << 15)`
			`/* this flag is set during the staging phase. It indicates that a content`
			`* has been added to the mpm phase and requires no further inspection inside`
			`* the inspection phase */`
			`#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED (1 << 16)`
Add support for replace keyword. This patch adds support for the replace keyword. It is used with content to change selected part of the payload. The major point with this patch is that having a replace keyword made necessary to avoid all stream level check because we need to access to the could-be-modified packet payload. One of the main difficulty is to handle complex signature. If there is other content check, we must do the substitution when we're sure all match are valid. The patch adds an attribute to the thread context variable to be able to deal with recursivity of the match function. Replace is only activated in IPS mode and apply only to raw match. 14 years ago
Added parentheses to fix Eclipse static code analysis Fixed bug in action priority (REJECT_DST had lowest prio) 13 years ago			`#define DETECT_CONTENT_IS_SINGLE(c) (!( ((c)->flags & DETECT_CONTENT_DISTANCE) \|\| \`
			`((c)->flags & DETECT_CONTENT_WITHIN) \|\| \`
			`((c)->flags & DETECT_CONTENT_RELATIVE_NEXT) \|\| \`
			`((c)->flags & DETECT_CONTENT_DEPTH) \|\| \`
			`((c)->flags & DETECT_CONTENT_OFFSET) ))`
Share content id's between identical patterns. 15 years ago
mpm: improve negated mpm The idea is: if mpm is negated, it's both on mpm and nonmpm sid lists and we can kick it out in that case during the merge sort. It only works for patterns that are 'independent'. This means that the rule doesn't need to only match if the negated mpm pattern is limited to the first 10 bytes for example. Or more generally, an negated mpm pattern that has depth, offset, distance or within settings can't be handled this way. These patterns are not added to the mpm at all, but just to to non-mpm list. This makes sense as they will always need manual inspection. Similarly, a pattern that is 'chopped' always needs validation. This is because in this case we only inspect a part of the final pattern. 10 years ago			`/* if a pattern has no depth/offset limits, no relative specifiers and isn't`
			`* chopped for the mpm, we can take the mpm and consider this pattern a match`
			`* w/o futher inspection. Warning: this may still mean other patterns depend`
			`* on this pattern that force match validation anyway. */`
			`#define DETECT_CONTENT_MPM_IS_CONCLUSIVE(c) \`
			`!( ((c)->flags & DETECT_CONTENT_DISTANCE) \|\| \`
			`((c)->flags & DETECT_CONTENT_WITHIN) \|\| \`
			`((c)->flags & DETECT_CONTENT_DEPTH) \|\| \`
			`((c)->flags & DETECT_CONTENT_OFFSET) \|\| \`
			`((c)->flags & DETECT_CONTENT_FAST_PATTERN_CHOP))`


Adding Boyer Moore context to content patterns, should speed up the search 15 years ago			`#include "util-spm-bm.h"`

Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct DetectContentData_ {`
unifying content structure - uricontent now uses DetectContentData 15 years ago			`uint8_t *content;`
Bug 1281 - Accept rule content with lengths greater than 255. 11 years ago			`uint16_t content_len;`
			`uint16_t replace_len;`
content: reorder DetectContentData member, shrinking the struct from 64 to 48 bytes. 11 years ago			`/* for chopped fast pattern, the length */`
			`uint16_t fp_chop_len;`
detect: allow for more than 64k mpm rules 9 years ago			`/* for chopped fast pattern, the offset */`
			`uint16_t fp_chop_offset;`
support fast pattern for http raw header. Also support relative modifiers for http raw header 14 years ago			`/* would want to move PatIntId here and flags down to remove the padding`
			`* gap, but I think the first four members was used as a template for`
			`* casting. \todo check this and fix it if posssible */`
			`uint32_t flags;`
unifying content structure - uricontent now uses DetectContentData 15 years ago			`PatIntId id;`
64 bit cleanup part2 16 years ago			`uint16_t depth;`
			`uint16_t offset;`
Initial add of the files. 17 years ago			`int32_t distance;`
			`int32_t within;`
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags 15 years ago			`/* Boyer Moore context (for spm search) */`
			`BmCtx *bm_ctx;`
Add support for replace keyword. This patch adds support for the replace keyword. It is used with content to change selected part of the payload. The major point with this patch is that having a replace keyword made necessary to avoid all stream level check because we need to access to the could-be-modified packet payload. One of the main difficulty is to handle complex signature. If there is other content check, we must do the substitution when we're sure all match are valid. The patch adds an attribute to the thread context variable to be able to deal with recursivity of the match function. Replace is only activated in IPS mode and apply only to raw match. 14 years ago			`/* pointer to replacement data */`
			`uint8_t *replace;`
Initial add of the files. 17 years ago			`} DetectContentData;`

			`/* prototypes */`
			`void DetectContentRegister (void);`
64 bit cleanup part2 16 years ago			`uint32_t DetectContentMaxId(DetectEngineCtx *);`
Improvements to content keyword memory handling. First version of a simple pattern based L7 proto detection engine. Currently just works by matching a single pattern in the initial data. Implemented HTTP, SSL, MSN, JABBER, SMTP and a few more. Couple of pattern matcher cleanups. 16 years ago			`DetectContentData DetectContentParse (char contentstr);`
Update DetectContentDataParse to reflect the actual data types content uses. 12 years ago			`int DetectContentDataParse(const char keyword, const char contentstr,`
			`uint8_t *pstr, uint16_t plen, uint32_t *flags);`
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords 14 years ago			`DetectContentData DetectContentParseEncloseQuotes(char );`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago
code cleanup for all content based keywords. 12 years ago			`int DetectContentSetup(DetectEngineCtx de_ctx, Signature s, char *contentstr);`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago			`void DetectContentPrint(DetectContentData *);`

Fix compiler warning. 16 years ago			`void DetectContentFree(void *);`
Initial add of the files. 17 years ago
			`#endif /* __DETECT_CONTENT_H__ */`