suricata/src/detect-content.h

#ifndef __DETECT_CONTENT_H__
#define __DETECT_CONTENT_H__

#define DETECT_CONTENT_NOCASE            0x0001
#define DETECT_CONTENT_DISTANCE          0x0002
#define DETECT_CONTENT_WITHIN            0x0004

#define DETECT_CONTENT_FAST_PATTERN      0x0008
#define DETECT_CONTENT_DISTANCE_NEXT     0x0010
#define DETECT_CONTENT_WITHIN_NEXT       0x0020
#define DETECT_CONTENT_ISDATAAT_RELATIVE 0x0040
#define DETECT_CONTENT_BYTETEST_NEXT     0x0080

#define DETECT_CONTENT_RAWBYTES          0x0100

/** Set if the pattern is split into multiple chunks */
#define DETECT_CONTENT_IS_CHUNK          0x0200

#define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE || \
                                       (c)->flags & DETECT_CONTENT_WITHIN || \
                                       (c)->flags & DETECT_CONTENT_DISTANCE_NEXT || \
                                       (c)->flags & DETECT_CONTENT_WITHIN_NEXT || \
                                       (c)->flags & DETECT_CONTENT_ISDATAAT_RELATIVE || \
                                       (c)->flags & DETECT_CONTENT_IS_CHUNK || \
                                       (c)->depth > 0 || \
                                       (c)->within > 0))

/** Used for modifier propagations, to know if they are
 * yet updated or not */
#define CHUNK_UPDATED_DEPTH         0x01
#define CHUNK_UPDATED_OFFSET        0x02
#define CHUNK_UPDATED_ISDATAAT      0x04
#define CHUNK_UPDATED_DISTANCE      0x08
#define CHUNK_UPDATED_WITHIN        0x10

typedef struct DetectContentData_ {
    uint8_t *content;   /**< ptr to chunk of memory containing the pattern */
    uint8_t content_len;/**< length of the pattern (and size of the memory) */
    uint32_t id;        /**< unique pattern id */

    uint8_t negated;

    uint16_t depth;
    uint16_t offset;
    uint32_t isdataat;
    int32_t distance;
    int32_t within;
    uint16_t flags;

    /** The group this chunk belongs to, relative to the signature
     * It start from 1, and the last SigMatch of the list should be
     * also the total number of DetectContent "Real" Patterns loaded
     * from the Signature */
    uint8_t chunk_group_id;
    /** The id number for this chunk in the current group of chunks
     * Starts from 0, and a chunk with chunk_id == 0 should be the
     * of the current chunk group where real modifiers are set before
     * propagation */
    uint8_t chunk_id;
    /** For modifier propagations (the new flags) */
    uint8_t chunk_flags;
} DetectContentData;

/* prototypes */
void DetectContentRegister (void);
uint32_t DetectContentMaxId(DetectEngineCtx *);
DetectContentData *DetectContentParse (char *contentstr);

void DetectContentPrint(DetectContentData *);

/** This function search backwards the first applicable SigMatch holding
 * a DETECT_CONTENT context (If it belongs to a chunk group, the first chunk
 * of the group will be returned). Modifiers must call this */
SigMatch *DetectContentFindPrevApplicableSM(SigMatch *);

/** This function search forwards the first applicable SigMatch holding
 * a DETECT_CONTENT context. The Match process call this */
SigMatch *DetectContentFindNextApplicableSM(SigMatch *);

/** This function search backwards if we have a SigMatch holding
 * a Pattern before the SigMatch passed as argument */
SigMatch *DetectContentHasPrevSMPattern(SigMatch *);

SigMatch *SigMatchGetLastPattern(Signature *s);

/** After setting a new modifier, we should call one of the followings */
int DetectContentPropagateDepth(SigMatch *);
int DetectContentPropagateIsdataat(SigMatch *);
int DetectContentPropagateWithin(SigMatch *);
int DetectContentPropagateOffset(SigMatch *);
int DetectContentPropagateDistance(SigMatch *);
int DetectContentPropagateIsdataat(SigMatch *);

/** This shall not be called from outside detect-content.c (used internally)*/
int DetectContentPropagateModifiers(SigMatch *);

void DetectContentFree(void *);

int DetectContentTableInitHash(DetectEngineCtx *);
void DetectContentTableFreeHash(DetectEngineCtx *);
uint32_t DetectContentGetId(DetectEngineCtx *, DetectContentData *);

#endif /* __DETECT_CONTENT_H__ */
Initial add of the files. 17 years ago			`#ifndef __DETECT_CONTENT_H__`
			`#define __DETECT_CONTENT_H__`

http_cookie keywork support 15 years ago			`#define DETECT_CONTENT_NOCASE 0x0001`
			`#define DETECT_CONTENT_DISTANCE 0x0002`
			`#define DETECT_CONTENT_WITHIN 0x0004`
Initial add of the files. 17 years ago
http_cookie keywork support 15 years ago			`#define DETECT_CONTENT_FAST_PATTERN 0x0008`
			`#define DETECT_CONTENT_DISTANCE_NEXT 0x0010`
			`#define DETECT_CONTENT_WITHIN_NEXT 0x0020`
			`#define DETECT_CONTENT_ISDATAAT_RELATIVE 0x0040`
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase. 15 years ago			`#define DETECT_CONTENT_BYTETEST_NEXT 0x0080`
Initial add of the files. 17 years ago
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase. 15 years ago			`#define DETECT_CONTENT_RAWBYTES 0x0100`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago
			`/** Set if the pattern is split into multiple chunks */`
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase. 15 years ago			`#define DETECT_CONTENT_IS_CHUNK 0x0200`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago
Share content id's between identical patterns. 15 years ago			`#define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE \|\| \`
			`(c)->flags & DETECT_CONTENT_WITHIN \|\| \`
			`(c)->flags & DETECT_CONTENT_DISTANCE_NEXT \|\| \`
			`(c)->flags & DETECT_CONTENT_WITHIN_NEXT \|\| \`
			`(c)->flags & DETECT_CONTENT_ISDATAAT_RELATIVE \|\| \`
			`(c)->flags & DETECT_CONTENT_IS_CHUNK \|\| \`
			`(c)->depth > 0 \|\| \`
			`(c)->within > 0))`

Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago			`/** Used for modifier propagations, to know if they are`
			`* yet updated or not */`
			`#define CHUNK_UPDATED_DEPTH 0x01`
			`#define CHUNK_UPDATED_OFFSET 0x02`
			`#define CHUNK_UPDATED_ISDATAAT 0x04`
			`#define CHUNK_UPDATED_DISTANCE 0x08`
			`#define CHUNK_UPDATED_WITHIN 0x10`
Initial add of the files. 17 years ago
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct DetectContentData_ {`
Fixup code to compile with -Wall -Werror -Wextra -Wno-unused-parameter compiler options. 15 years ago			`uint8_t content; /< ptr to chunk of memory containing the pattern /`
			`uint8_t content_len;/*< length of the pattern (and size of the memory) /`
			`uint32_t id; /*< unique pattern id /`
Initial add of the files. 17 years ago
Support for negated content 16 years ago			`uint8_t negated;`

64 bit cleanup part2 16 years ago			`uint16_t depth;`
			`uint16_t offset;`
Adding window and isdataat keyword and some unittests 16 years ago			`uint32_t isdataat;`
Initial add of the files. 17 years ago			`int32_t distance;`
			`int32_t within;`
http_cookie keywork support 15 years ago			`uint16_t flags;`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago
			`/** The group this chunk belongs to, relative to the signature`
			`* It start from 1, and the last SigMatch of the list should be`
			`* also the total number of DetectContent "Real" Patterns loaded`
			`* from the Signature */`
			`uint8_t chunk_group_id;`
			`/** The id number for this chunk in the current group of chunks`
			`* Starts from 0, and a chunk with chunk_id == 0 should be the`
			`* of the current chunk group where real modifiers are set before`
			`* propagation */`
			`uint8_t chunk_id;`
			`/** For modifier propagations (the new flags) */`
			`uint8_t chunk_flags;`
Initial add of the files. 17 years ago			`} DetectContentData;`

			`/* prototypes */`
			`void DetectContentRegister (void);`
64 bit cleanup part2 16 years ago			`uint32_t DetectContentMaxId(DetectEngineCtx *);`
Improvements to content keyword memory handling. First version of a simple pattern based L7 proto detection engine. Currently just works by matching a single pattern in the initial data. Implemented HTTP, SSL, MSN, JABBER, SMTP and a few more. Couple of pattern matcher cleanups. 16 years ago			`DetectContentData DetectContentParse (char contentstr);`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago
			`void DetectContentPrint(DetectContentData *);`

			`/** This function search backwards the first applicable SigMatch holding`
Updating real unittests. Small fix on TestWithinDistanceOffsetDepth to skip to the next DETECT_CONTENT SigMatch. Adding some checks on within/distance setups. 16 years ago			`* a DETECT_CONTENT context (If it belongs to a chunk group, the first chunk`
			`* of the group will be returned). Modifiers must call this */`
			`SigMatch DetectContentFindPrevApplicableSM(SigMatch );`

			`/** This function search forwards the first applicable SigMatch holding`
			`* a DETECT_CONTENT context. The Match process call this */`
			`SigMatch DetectContentFindNextApplicableSM(SigMatch );`

			`/** This function search backwards if we have a SigMatch holding`
			`* a Pattern before the SigMatch passed as argument */`
			`SigMatch DetectContentHasPrevSMPattern(SigMatch );`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago
Remove all search code from the pattern matchers, cleanup mpm api, remove unused http code, more cleanups. 15 years ago			`SigMatch SigMatchGetLastPattern(Signature s);`

Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago			`/** After setting a new modifier, we should call one of the followings */`
			`int DetectContentPropagateDepth(SigMatch *);`
			`int DetectContentPropagateIsdataat(SigMatch *);`
			`int DetectContentPropagateWithin(SigMatch *);`
			`int DetectContentPropagateOffset(SigMatch *);`
			`int DetectContentPropagateDistance(SigMatch *);`
			`int DetectContentPropagateIsdataat(SigMatch *);`

			`/** This shall not be called from outside detect-content.c (used internally)*/`
			`int DetectContentPropagateModifiers(SigMatch *);`

Fix compiler warning. 16 years ago			`void DetectContentFree(void *);`
Initial add of the files. 17 years ago
Share content id's between identical patterns. 15 years ago			`int DetectContentTableInitHash(DetectEngineCtx *);`
			`void DetectContentTableFreeHash(DetectEngineCtx *);`
			`uint32_t DetectContentGetId(DetectEngineCtx , DetectContentData );`

Initial add of the files. 17 years ago			`#endif /* __DETECT_CONTENT_H__ */`