detect/multi-buf: harmonize wrapper

Introduce DetectGetMultiData which does the generic wrapping,
including the transforms.

And let each keyword do just the getter.
pull/13092/head
Philippe Antoine 7 months ago committed by Victor Julien
parent bed96505aa
commit 8ecc3efdc8

@ -98,6 +98,7 @@ exclude = [
"AppLayerParserState",
"CLuaState",
"DetectEngineState",
"DetectEngineThreadCtx",
"GenericVar",
"Flow",
"StreamingBufferConfig",

@ -28,6 +28,10 @@ use crate::flow::Flow;
pub enum DetectEngineState {}
pub enum AppLayerDecoderEvents {}
pub enum GenericVar {}
#[repr(C)]
pub struct DetectEngineThreadCtx {
_unused: [u8; 0],
}
#[repr(C)]
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
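Review bot: The new `DetectEngineThreadCtx` placeholder has no doc comment and declares the opaque C type differently from its neighbours (`pub enum DetectEngineState {}`), so a reader cannot tell that it is never meant to be constructed or dereferenced from Rust. I would add `/// Opaque handle to the C DetectEngineThreadCtx; only ever used behind a raw pointer.` above the struct. A `#[repr(C)]` struct whose only field is `_unused: [u8; 0]` is also automatically `Send`, `Sync` and `Unpin`; if the C context is per-thread state, as the name suggests, a marker field such as `_marker: core::marker::PhantomData<(*mut u8, core::marker::PhantomPinned)>` would stop the type itself from being shared by accident.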

@ -38,6 +38,7 @@ pub mod datasets;
use std::os::raw::{c_char, c_int, c_void};
use std::ffi::CString;
use crate::core::DetectEngineThreadCtx;
use suricata_sys::sys::AppProto;
/// EnumString trait that will be implemented on enums that
@ -180,41 +181,29 @@ extern "C" {
de: *mut c_void, s: *mut c_void, kwid: c_int, ctx: *const c_void, bufid: c_int,
) -> *mut c_void;
// in detect-engine-helper.h
pub fn DetectHelperGetMultiData(
de: *mut c_void,
transforms: *const c_void,
flow: *const c_void,
flow_flags: u8,
tx: *const c_void,
list_id: c_int,
local_id: u32,
get_buf: unsafe extern "C" fn(*const c_void, u8, u32, *mut *const u8, *mut u32) -> bool,
) -> *mut c_void;
pub fn DetectHelperMultiBufferMpmRegister(
name: *const libc::c_char, desc: *const libc::c_char, alproto: AppProto, toclient: bool,
toserver: bool,
get_multi_data: unsafe extern "C" fn(
*mut c_void,
*const c_void,
*mut DetectEngineThreadCtx,
*const c_void,
u8,
*const c_void,
i32,
u32,
) -> *mut c_void,
*mut *const u8,
*mut u32,
) -> bool,
) -> c_int;
pub fn DetectHelperMultiBufferProgressMpmRegister(
name: *const libc::c_char, desc: *const libc::c_char, alproto: AppProto, toclient: bool,
toserver: bool,
get_multi_data: unsafe extern "C" fn(
*mut c_void,
*const c_void,
*mut DetectEngineThreadCtx,
*const c_void,
u8,
*const c_void,
i32,
u32,
) -> *mut c_void,
*mut *const u8,
*mut u32,
) -> bool,
progress: c_int,
) -> c_int;
}
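Review bot: The six-argument getter type is written out twice, once in `DetectHelperMultiBufferMpmRegister` and once in `DetectHelperMultiBufferProgressMpmRegister`, and nothing ties either copy to the C prototype apart from the `// in detect-engine-helper.h` comment. These are hand-written `extern "C"` declarations, so the compiler cannot detect drift between the Rust and C sides; a mismatch in argument order or width would be undefined behaviour at call time rather than a build error. A single alias used in both declarations, for example `pub type MultiBufGetter = unsafe extern "C" fn(*mut DetectEngineThreadCtx, *const c_void, u8, u32, *mut *const u8, *mut u32) -> bool;` (the name is only a suggestion), would leave one place to keep in sync. Its doc comment should say what each argument means and which out-parameters a getter must write before returning `true`.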

@ -16,13 +16,14 @@
*/
use super::dns::{DNSRcode, DNSRecordType, DNSTransaction, ALPROTO_DNS};
use crate::core::DetectEngineThreadCtx;
use crate::detect::uint::{
detect_match_uint, detect_parse_uint_enum, DetectUintData, SCDetectU16Free, SCDetectU8Free,
SCDetectU8Parse,
};
use crate::detect::{
helper_keyword_register_sticky_buffer, DetectBufferSetActiveList, DetectHelperBufferRegister,
DetectHelperGetMultiData, DetectHelperKeywordAliasRegister, DetectHelperKeywordRegister,
DetectHelperKeywordAliasRegister, DetectHelperKeywordRegister,
DetectHelperMultiBufferProgressMpmRegister, DetectSignatureSetAppProto, SCSigTableAppLiteElmt,
SigMatchAppendSMToList, SigTableElmtStickyBuffer,
};
@ -238,7 +239,8 @@ unsafe extern "C" fn dns_detect_answer_name_setup(
/// Get the DNS response answer name and index i.
unsafe extern "C" fn dns_tx_get_answer_name(
tx: *const c_void, flags: u8, i: u32, buf: *mut *const u8, len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flags: u8, i: u32, buf: *mut *const u8,
len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, DNSTransaction);
let answers = if flags & Direction::ToClient as u8 != 0 {
@ -261,22 +263,6 @@ unsafe extern "C" fn dns_tx_get_answer_name(
false
}
unsafe extern "C" fn dns_answer_name_get_data_wrapper(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
dns_tx_get_answer_name,
);
}
unsafe extern "C" fn dns_detect_query_name_setup(
de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
) -> c_int {
@ -291,7 +277,8 @@ unsafe extern "C" fn dns_detect_query_name_setup(
/// Get the DNS response answer name and index i.
unsafe extern "C" fn dns_tx_get_query_name(
tx: *const c_void, flags: u8, i: u32, buf: *mut *const u8, len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flags: u8, i: u32, buf: *mut *const u8,
len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, DNSTransaction);
let queries = if flags & Direction::ToClient as u8 != 0 {
@ -315,9 +302,10 @@ unsafe extern "C" fn dns_tx_get_query_name(
}
unsafe extern "C" fn dns_tx_get_query(
tx: *const c_void, _flags: u8, i: u32, buf: *mut *const u8, len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flags: u8, i: u32, buf: *mut *const u8,
len: *mut u32,
) -> bool {
return dns_tx_get_query_name(tx, Direction::ToServer as u8, i, buf, len);
return dns_tx_get_query_name(_de, tx, Direction::ToServer as u8, i, buf, len);
}
unsafe extern "C" fn dns_detect_query_setup(
@ -332,38 +320,6 @@ unsafe extern "C" fn dns_detect_query_setup(
return 0;
}
unsafe extern "C" fn dns_query_name_get_data_wrapper(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
dns_tx_get_query_name,
);
}
unsafe extern "C" fn dns_query_get_data_wrapper(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
dns_tx_get_query,
);
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectDNSRegister() {
let kw = SigTableElmtStickyBuffer {
@ -381,7 +337,7 @@ pub unsafe extern "C" fn SCDetectDNSRegister() {
/* Register also in the TO_SERVER direction, even though this is not
normal, it could be provided as part of a request. */
true,
dns_answer_name_get_data_wrapper,
dns_tx_get_answer_name,
1, // response complete
);
let kw = SCSigTableAppLiteElmt {
@ -415,7 +371,7 @@ pub unsafe extern "C" fn SCDetectDNSRegister() {
/* Register in both directions as the query is usually echoed back
in the response. */
true,
dns_query_name_get_data_wrapper,
dns_tx_get_query_name,
1, // request or response complete
);
let kw = SCSigTableAppLiteElmt {
@ -467,8 +423,8 @@ pub unsafe extern "C" fn SCDetectDNSRegister() {
ALPROTO_DNS,
false, // only toserver
true,
dns_query_get_data_wrapper, // reuse, will be called only toserver
1, // request complete
dns_tx_get_query, // reuse, will be called only toserver
1, // request complete
);
}
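Review bot: In `dns_tx_get_query` the new first parameter is named `_de` but is then used, being forwarded as `dns_tx_get_query_name(_de, tx, Direction::ToServer as u8, i, buf, len)`. A leading underscore tells readers and lints that the binding is intentionally unused, so I would rename it to `de` in this one function and call `dns_tx_get_query_name(de, tx, Direction::ToServer as u8, i, buf, len)`. While these signatures are being touched, the doc comment above `dns_tx_get_query_name` still reads "Get the DNS response answer name and index i.", which describes the answer-name getter rather than this one. The bodies of both getters lie mostly outside the hunks shown.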

@ -19,6 +19,7 @@ use std;
use std::collections::HashMap;
use std::collections::VecDeque;
use std::ffi::CString;
use std::os::raw::c_void;
use crate::applayer::*;
use crate::core::{self, *};
@ -983,9 +984,11 @@ export_state_data_get!(rs_dns_get_state_data, DNSState);
/// Get the DNS query name at index i.
#[no_mangle]
pub unsafe extern "C" fn SCDnsTxGetQueryName(
tx: &mut DNSTransaction, to_client: bool, i: u32, buf: *mut *const u8, len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, i: u32,
buf: *mut *const u8, len: *mut u32,
) -> bool {
let queries = if to_client {
let tx = cast_pointer!(tx, DNSTransaction);
let queries = if (flow_flags & STREAM_TOSERVER) == 0 {
tx.response.as_ref().map(|response| &response.queries)
} else {
tx.request.as_ref().map(|request| &request.queries)
@ -1008,9 +1011,11 @@ pub unsafe extern "C" fn SCDnsTxGetQueryName(
/// Get the DNS response answer name and index i.
#[no_mangle]
pub unsafe extern "C" fn SCDnsTxGetAnswerName(
tx: &mut DNSTransaction, to_client: bool, i: u32, buf: *mut *const u8, len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, i: u32,
buf: *mut *const u8, len: *mut u32,
) -> bool {
let answers = if to_client {
let tx = cast_pointer!(tx, DNSTransaction);
let answers = if (flow_flags & STREAM_TOSERVER) == 0 {
tx.response.as_ref().map(|response| &response.answers)
} else {
tx.request.as_ref().map(|request| &request.answers)
@ -1033,8 +1038,10 @@ pub unsafe extern "C" fn SCDnsTxGetAnswerName(
/// Get the DNS response authority name at index i.
#[no_mangle]
pub unsafe extern "C" fn SCDnsTxGetAuthorityName(
tx: &mut DNSTransaction, i: u32, buf: *mut *const u8, len: *mut u32,
) -> bool {
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flow_flags: u8, i: u32,
buf: *mut *const u8, len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, DNSTransaction);
let index = i as usize;
if let Some(response) = &tx.response {
@ -1053,8 +1060,10 @@ pub unsafe extern "C" fn SCDnsTxGetAuthorityName(
/// Get the DNS response additional name at index i.
#[no_mangle]
pub unsafe extern "C" fn SCDnsTxGetAdditionalName(
tx: &mut DNSTransaction, i: u32, buf: *mut *const u8, len: *mut u32,
) -> bool {
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flow_flags: u8, i: u32,
buf: *mut *const u8, len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, DNSTransaction);
let index = i as usize;
if let Some(response) = &tx.response {
@ -1072,18 +1081,11 @@ pub unsafe extern "C" fn SCDnsTxGetAdditionalName(
fn get_rdata_name(data: &DNSRData) -> Option<&DNSName> {
match data {
DNSRData::CNAME(name)
| DNSRData::PTR(name)
| DNSRData::MX(name)
| DNSRData::NS(name) => {
DNSRData::CNAME(name) | DNSRData::PTR(name) | DNSRData::MX(name) | DNSRData::NS(name) => {
Some(name)
}
DNSRData::SOA(soa) => {
Some(&soa.mname)
}
_ => {
None
}
DNSRData::SOA(soa) => Some(&soa.mname),
_ => None,
}
}
@ -1091,7 +1093,7 @@ fn get_rdata_name(data: &DNSRData) -> Option<&DNSName> {
#[no_mangle]
pub unsafe extern "C" fn SCDnsTxGetAnswerRdata(
tx: &mut DNSTransaction, i: u32, buf: *mut *const u8, len: *mut u32,
) -> bool {
) -> bool {
let index = i as usize;
if let Some(response) = &tx.response {
@ -1113,7 +1115,7 @@ pub unsafe extern "C" fn SCDnsTxGetAnswerRdata(
#[no_mangle]
pub unsafe extern "C" fn SCDnsTxGetAuthorityRdata(
tx: &mut DNSTransaction, i: u32, buf: *mut *const u8, len: *mut u32,
) -> bool {
) -> bool {
let index = i as usize;
if let Some(response) = &tx.response {
@ -1135,7 +1137,7 @@ pub unsafe extern "C" fn SCDnsTxGetAuthorityRdata(
#[no_mangle]
pub unsafe extern "C" fn SCDnsTxGetAdditionalRdata(
tx: &mut DNSTransaction, i: u32, buf: *mut *const u8, len: *mut u32,
) -> bool {
) -> bool {
let index = i as usize;
if let Some(response) = &tx.response {
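Review bot: `SCDnsTxGetQueryName`, `SCDnsTxGetAnswerName`, `SCDnsTxGetAuthorityName` and `SCDnsTxGetAdditionalName` now receive `tx` as `*const c_void` and cast it with `cast_pointer!`, so the type check the old `&mut DNSTransaction` parameter gave at the FFI boundary is gone, yet none of these exported `unsafe` functions has a `# Safety` section. I would add one to each stating that `tx` must point to a live `DNSTransaction`, that `buf` and `len` must be valid for writes, and that `_de` is not dereferenced. The direction test also changed from the `to_client` bool to `(flow_flags & STREAM_TOSERVER) == 0`, which selects the response for any flags value without that bit, whereas the getters in the DNS detect module test `flags & Direction::ToClient as u8 != 0`. A one-line comment saying which side is intended when neither bit is set would remove the ambiguity. The function bodies continue outside the hunks.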

@ -19,12 +19,14 @@ use super::http2::{
HTTP2Event, HTTP2Frame, HTTP2FrameTypeData, HTTP2State, HTTP2Transaction, HTTP2TransactionState,
};
use super::parser;
use crate::direction::Direction;
use crate::core::DetectEngineThreadCtx;
use crate::detect::uint::{detect_match_uint, DetectUintData};
use crate::direction::Direction;
use base64::{engine::general_purpose::STANDARD, Engine};
use std::ffi::CStr;
use std::str::FromStr;
use std::os::raw::c_void;
use std::rc::Rc;
use base64::{Engine, engine::general_purpose::STANDARD};
use std::str::FromStr;
fn http2_tx_has_frametype(
tx: &HTTP2Transaction, direction: Direction, value: u8,
@ -359,8 +361,10 @@ pub unsafe extern "C" fn rs_http2_detect_sizeupdatectx_match(
// and rs_http2_detect_sizeupdatectx_match explicitly casting
#[no_mangle]
pub unsafe extern "C" fn rs_http2_tx_get_header_name(
tx: &HTTP2Transaction, direction: u8, nb: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, direction: u8, nb: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, HTTP2Transaction);
let mut pos = 0_u32;
match direction.into() {
Direction::ToServer => {
@ -869,8 +873,10 @@ pub unsafe extern "C" fn rs_http2_tx_get_headers_raw(
#[no_mangle]
pub unsafe extern "C" fn rs_http2_tx_get_header(
tx: &mut HTTP2Transaction, direction: u8, nb: u32, buffer: *mut *const u8, buffer_len: *mut u32,
) -> u8 {
_de: *mut DetectEngineThreadCtx, tx: *const c_void, direction: u8, nb: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, HTTP2Transaction);
let mut pos = 0_u32;
match direction.into() {
Direction::ToServer => {
@ -883,7 +889,7 @@ pub unsafe extern "C" fn rs_http2_tx_get_header(
let value = &tx.escaped[idx];
*buffer = value.as_ptr(); //unsafe
*buffer_len = value.len() as u32;
return 1;
return true;
} else {
pos += blocks.len() as u32;
}
@ -900,7 +906,7 @@ pub unsafe extern "C" fn rs_http2_tx_get_header(
let value = &tx.escaped[idx];
*buffer = value.as_ptr(); //unsafe
*buffer_len = value.len() as u32;
return 1;
return true;
} else {
pos += blocks.len() as u32;
}
@ -908,7 +914,7 @@ pub unsafe extern "C" fn rs_http2_tx_get_header(
}
}
}
return 0;
return false;
}
fn http2_tx_set_header(state: &mut HTTP2State, name: &[u8], input: &[u8]) {
@ -933,7 +939,9 @@ fn http2_tx_set_header(state: &mut HTTP2State, name: &[u8], input: &[u8]) {
blocks,
};
let txdata = HTTP2FrameTypeData::HEADERS(hs);
let tx = state.find_or_create_tx(&head, &txdata, Direction::ToServer).unwrap();
let tx = state
.find_or_create_tx(&head, &txdata, Direction::ToServer)
.unwrap();
tx.frames_ts.push(HTTP2Frame {
header: head,
data: txdata,
@ -976,7 +984,9 @@ fn http2_tx_set_settings(state: &mut HTTP2State, input: &[u8]) {
match parser::http2_parse_frame_settings(&dec) {
Ok((_, set)) => {
let txdata = HTTP2FrameTypeData::SETTINGS(set);
let tx = state.find_or_create_tx(&head, &txdata, Direction::ToServer).unwrap();
let tx = state
.find_or_create_tx(&head, &txdata, Direction::ToServer)
.unwrap();
tx.frames_ts.push(HTTP2Frame {
header: head,
data: txdata,
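Review bot: `rs_http2_tx_get_header` used to take `tx: &mut HTTP2Transaction` and now takes `tx: *const c_void` followed by `cast_pointer!(tx, HTTP2Transaction)`; the old `&mut` and the reads of `tx.escaped[idx]` suggest that the part of the body outside the hunk may still modify the transaction. If it does, the function mutates through a pointer its signature advertises as const, and the returned `*buffer` points into storage owned by `tx`. I would add a `# Safety` section saying so, along the lines of `/// tx is const only to match the generic getter type; this getter may update tx.escaped` (to be confirmed against the full body), and state how long `*buffer` remains valid. The return type also changed from `u8` to `bool`, so any caller outside this diff that compared the result with `1` should be checked.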

@ -18,8 +18,10 @@
// Author: Frank Honza <frank.honza@dcso.de>
use super::ipsec_parser::IkeV2Transform;
use crate::core::DetectEngineThreadCtx;
use crate::ike::ike::*;
use std::ffi::CStr;
use std::os::raw::c_void;
use std::ptr;
#[no_mangle]
@ -116,23 +118,21 @@ pub extern "C" fn rs_ike_state_get_key_exchange(
}
#[no_mangle]
pub extern "C" fn rs_ike_tx_get_vendor(
tx: &IKETransaction, i: u32, buf: *mut *const u8, len: *mut u32,
) -> u8 {
pub unsafe extern "C" fn rs_ike_tx_get_vendor(
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flags: u8, i: u32, buf: *mut *const u8,
len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, IKETransaction);
if tx.ike_version == 1 && i < tx.hdr.ikev1_header.vendor_ids.len() as u32 {
unsafe {
*len = tx.hdr.ikev1_header.vendor_ids[i as usize].len() as u32;
*buf = tx.hdr.ikev1_header.vendor_ids[i as usize].as_ptr();
}
return 1;
*len = tx.hdr.ikev1_header.vendor_ids[i as usize].len() as u32;
*buf = tx.hdr.ikev1_header.vendor_ids[i as usize].as_ptr();
return true;
}
unsafe {
*buf = ptr::null();
*len = 0;
}
*buf = ptr::null();
*len = 0;
return 0;
return false;
}
#[no_mangle]
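Review bot: The bounds check in `rs_ike_tx_get_vendor`, `i < tx.hdr.ikev1_header.vendor_ids.len() as u32`, narrows the length to `u32` before comparing, while the Kerberos and QUIC getters converted in this same commit widen the index instead (`(i as usize) < s.name_string.len()`). Widening cannot truncate, so I would write `if tx.ike_version == 1 && (i as usize) < tx.hdr.ikev1_header.vendor_ids.len() {` here as well. The function also went from a safe `extern "C" fn` with two small `unsafe` blocks to a fully `unsafe` one. A `# Safety` section naming the requirements on `tx`, `buf` and `len` would replace what the scoped blocks used to make visible.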

@ -17,6 +17,7 @@
// written by Pierre Chifflier <chifflier@wzdftpd.net>
use crate::core::DetectEngineThreadCtx;
use crate::krb::krb5::{test_weak_encryption, KRB5Transaction};
use kerberos_parser::krb5::EncryptionType;
@ -29,6 +30,7 @@ use nom7::multi::many1;
use nom7::IResult;
use std::ffi::CStr;
use std::os::raw::c_void;
#[no_mangle]
pub unsafe extern "C" fn rs_krb5_tx_get_msgtype(tx: &KRB5Transaction, ptr: *mut u32) {
@ -50,32 +52,36 @@ pub unsafe extern "C" fn rs_krb5_tx_get_errcode(tx: &KRB5Transaction, ptr: *mut
#[no_mangle]
pub unsafe extern "C" fn rs_krb5_tx_get_cname(
tx: &KRB5Transaction, i: u32, buffer: *mut *const u8, buffer_len: *mut u32,
) -> u8 {
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flags: u8, i: u32, buffer: *mut *const u8,
buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, KRB5Transaction);
if let Some(ref s) = tx.cname {
if (i as usize) < s.name_string.len() {
let value = &s.name_string[i as usize];
*buffer = value.as_ptr();
*buffer_len = value.len() as u32;
return 1;
return true;
}
}
0
false
}
#[no_mangle]
pub unsafe extern "C" fn rs_krb5_tx_get_sname(
tx: &KRB5Transaction, i: u32, buffer: *mut *const u8, buffer_len: *mut u32,
) -> u8 {
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flags: u8, i: u32, buffer: *mut *const u8,
buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, KRB5Transaction);
if let Some(ref s) = tx.sname {
if (i as usize) < s.name_string.len() {
let value = &s.name_string[i as usize];
*buffer = value.as_ptr();
*buffer_len = value.len() as u32;
return 1;
return true;
}
}
0
false
}
const KRB_TICKET_FASTARRAY_SIZE: usize = 256;
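Review bot: `rs_krb5_tx_get_cname` and `rs_krb5_tx_get_sname` return `false` without touching `*buffer` or `*buffer_len`, whereas the IKE and QUIC getters converted in this commit reset them to null and 0 on the miss path. Whether the generic C wrapper reads the out-parameters after a `false` return is not visible here, so the defensive form is to clear them: add `*buffer = std::ptr::null();` and `*buffer_len = 0;` before the final `false` in both functions. That keeps a pointer written for an earlier index from surviving in the caller's variables.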

@ -16,6 +16,7 @@
*/
use super::ldap::{LdapTransaction, ALPROTO_LDAP};
use crate::core::DetectEngineThreadCtx;
use crate::detect::uint::{
detect_match_uint, detect_parse_uint_enum, DetectUintData, SCDetectU32Free, SCDetectU32Parse,
SCDetectU8Free,
@ -23,9 +24,8 @@ use crate::detect::uint::{
use crate::detect::{
helper_keyword_register_sticky_buffer, DetectBufferSetActiveList,
DetectHelperBufferMpmRegister, DetectHelperBufferRegister, DetectHelperGetData,
DetectHelperGetMultiData, DetectHelperKeywordRegister, DetectHelperMultiBufferMpmRegister,
DetectSignatureSetAppProto, SCSigTableAppLiteElmt, SigMatchAppendSMToList,
SigTableElmtStickyBuffer,
DetectHelperKeywordRegister, DetectHelperMultiBufferMpmRegister, DetectSignatureSetAppProto,
SCSigTableAppLiteElmt, SigMatchAppendSMToList, SigTableElmtStickyBuffer,
};
use crate::ldap::types::{LdapMessage, LdapResultCode, ProtocolOp, ProtocolOpCode};
@ -368,24 +368,9 @@ unsafe extern "C" fn ldap_detect_responses_dn_setup(
return 0;
}
unsafe extern "C" fn ldap_detect_responses_dn_get_data(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
ldap_tx_get_responses_dn,
);
}
unsafe extern "C" fn ldap_tx_get_responses_dn(
tx: *const c_void, _flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, LdapTransaction);
@ -515,24 +500,9 @@ unsafe extern "C" fn ldap_detect_responses_msg_setup(
return 0;
}
unsafe extern "C" fn ldap_detect_responses_msg_get_data(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
ldap_tx_get_responses_msg,
);
}
unsafe extern "C" fn ldap_tx_get_responses_msg(
tx: *const c_void, _flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, LdapTransaction);
@ -575,24 +545,9 @@ unsafe extern "C" fn ldap_detect_request_attibute_type_setup(
return 0;
}
unsafe extern "C" fn ldap_detect_request_attribute_type_get_data(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
ldap_tx_get_req_attribute_type,
);
}
unsafe extern "C" fn ldap_tx_get_req_attribute_type(
tx: *const c_void, _flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, LdapTransaction);
@ -649,24 +604,9 @@ unsafe extern "C" fn ldap_detect_responses_attibute_type_setup(
return 0;
}
unsafe extern "C" fn ldap_detect_responses_attribute_type_get_data(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
ldap_tx_get_resp_attribute_type,
);
}
unsafe extern "C" fn ldap_tx_get_resp_attribute_type(
tx: *const c_void, _flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, LdapTransaction);
@ -769,7 +709,7 @@ pub unsafe extern "C" fn SCDetectLdapRegister() {
ALPROTO_LDAP,
true, //to client
false, //to server
ldap_detect_responses_dn_get_data,
ldap_tx_get_responses_dn,
);
let kw = SCSigTableAppLiteElmt {
name: b"ldap.responses.result_code\0".as_ptr() as *const libc::c_char,
@ -801,7 +741,7 @@ pub unsafe extern "C" fn SCDetectLdapRegister() {
ALPROTO_LDAP,
true, //to client
false, //to server
ldap_detect_responses_msg_get_data,
ldap_tx_get_responses_msg,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("ldap.request.attribute_type"),
@ -816,7 +756,7 @@ pub unsafe extern "C" fn SCDetectLdapRegister() {
ALPROTO_LDAP,
false, //to client
true, //to server
ldap_detect_request_attribute_type_get_data,
ldap_tx_get_req_attribute_type,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("ldap.responses.attribute_type"),
@ -831,6 +771,6 @@ pub unsafe extern "C" fn SCDetectLdapRegister() {
ALPROTO_LDAP,
true, //to client
false, //to server
ldap_detect_responses_attribute_type_get_data,
ldap_tx_get_resp_attribute_type,
);
}

@ -17,6 +17,7 @@
// written by Sascha Steinbiss <sascha@steinbiss.name>
use crate::core::DetectEngineThreadCtx;
use crate::detect::uint::{
detect_match_uint, detect_parse_uint, detect_parse_uint_enum, DetectUintData, DetectUintMode,
SCDetectU8Free, SCDetectU8Parse,
@ -24,9 +25,8 @@ use crate::detect::uint::{
use crate::detect::{
helper_keyword_register_sticky_buffer, DetectBufferSetActiveList,
DetectHelperBufferMpmRegister, DetectHelperBufferRegister, DetectHelperGetData,
DetectHelperGetMultiData, DetectHelperKeywordRegister, DetectHelperMultiBufferMpmRegister,
DetectSignatureSetAppProto, SCSigTableAppLiteElmt, SigMatchAppendSMToList,
SigTableElmtStickyBuffer,
DetectHelperKeywordRegister, DetectHelperMultiBufferMpmRegister, DetectSignatureSetAppProto,
SCSigTableAppLiteElmt, SigMatchAppendSMToList, SigTableElmtStickyBuffer,
};
use nom7::branch::alt;
@ -300,7 +300,8 @@ static mut G_MQTT_CONN_FLAGS_KW_ID: c_int = 0;
static mut G_MQTT_CONN_FLAGS_BUFFER_ID: c_int = 0;
unsafe extern "C" fn unsub_topic_get_data(
tx: *const c_void, _flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let ml = UNSUB_TOPIC_MATCH_LIMIT;
if ml > 0 && local_id >= ml as u32 {
@ -326,22 +327,6 @@ unsafe extern "C" fn unsub_topic_get_data(
return false;
}
unsafe extern "C" fn unsub_topic_get_data_wrapper(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
unsub_topic_get_data,
);
}
unsafe extern "C" fn unsub_topic_setup(
de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
) -> c_int {
@ -356,7 +341,8 @@ unsafe extern "C" fn unsub_topic_setup(
}
unsafe extern "C" fn sub_topic_get_data(
tx: *const c_void, _flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let ml = SUB_TOPIC_MATCH_LIMIT;
if ml > 0 && local_id >= ml as u32 {
@ -382,22 +368,6 @@ unsafe extern "C" fn sub_topic_get_data(
return false;
}
unsafe extern "C" fn sub_topic_get_data_wrapper(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sub_topic_get_data,
);
}
unsafe extern "C" fn sub_topic_setup(
de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
) -> c_int {
@ -1122,7 +1092,7 @@ pub unsafe extern "C" fn SCDetectMqttRegister() {
ALPROTO_MQTT,
false, // only to server
true,
unsub_topic_get_data_wrapper,
unsub_topic_get_data,
);
let kw = SCSigTableAppLiteElmt {
@ -1163,7 +1133,7 @@ pub unsafe extern "C" fn SCDetectMqttRegister() {
ALPROTO_MQTT,
false, // only to server
true,
sub_topic_get_data_wrapper,
sub_topic_get_data,
);
let kw = SCSigTableAppLiteElmt {
@ -1517,23 +1487,24 @@ mod test {
let mut s: *const u8 = std::ptr::null_mut();
let mut slen: u32 = 0;
let tx = &t as *const _ as *mut _;
let mut r = unsafe { unsub_topic_get_data(tx, 0, 0, &mut s, &mut slen) };
let mut r =
unsafe { unsub_topic_get_data(std::ptr::null_mut(), tx, 0, 0, &mut s, &mut slen) };
assert!(r);
let mut topic = String::from_utf8_lossy(unsafe { build_slice!(s, slen as usize) });
assert_eq!(topic, "foo");
r = unsafe { unsub_topic_get_data(tx, 0, 1, &mut s, &mut slen) };
r = unsafe { unsub_topic_get_data(std::ptr::null_mut(), tx, 0, 1, &mut s, &mut slen) };
assert!(r);
topic = String::from_utf8_lossy(unsafe { build_slice!(s, slen as usize) });
assert_eq!(topic, "baar");
r = unsafe { unsub_topic_get_data(tx, 0, 2, &mut s, &mut slen) };
r = unsafe { unsub_topic_get_data(std::ptr::null_mut(), tx, 0, 2, &mut s, &mut slen) };
assert!(r);
topic = String::from_utf8_lossy(unsafe { build_slice!(s, slen as usize) });
assert_eq!(topic, "fieee");
r = unsafe { unsub_topic_get_data(tx, 0, 3, &mut s, &mut slen) };
r = unsafe { unsub_topic_get_data(std::ptr::null_mut(), tx, 0, 3, &mut s, &mut slen) };
assert!(r);
topic = String::from_utf8_lossy(unsafe { build_slice!(s, slen as usize) });
assert_eq!(topic, "baaaaz");
r = unsafe { unsub_topic_get_data(tx, 0, 4, &mut s, &mut slen) };
r = unsafe { unsub_topic_get_data(std::ptr::null_mut(), tx, 0, 4, &mut s, &mut slen) };
assert!(!r);
}
@ -1591,23 +1562,24 @@ mod test {
let mut s: *const u8 = std::ptr::null_mut();
let mut slen: u32 = 0;
let tx = &t as *const _ as *mut _;
let mut r = unsafe { sub_topic_get_data(tx, 0, 0, &mut s, &mut slen) };
let mut r =
unsafe { sub_topic_get_data(std::ptr::null_mut(), tx, 0, 0, &mut s, &mut slen) };
assert!(r);
let mut topic = String::from_utf8_lossy(unsafe { build_slice!(s, slen as usize) });
assert_eq!(topic, "foo");
r = unsafe { sub_topic_get_data(tx, 0, 1, &mut s, &mut slen) };
r = unsafe { sub_topic_get_data(std::ptr::null_mut(), tx, 0, 1, &mut s, &mut slen) };
assert!(r);
topic = String::from_utf8_lossy(unsafe { build_slice!(s, slen as usize) });
assert_eq!(topic, "baar");
r = unsafe { sub_topic_get_data(tx, 0, 2, &mut s, &mut slen) };
r = unsafe { sub_topic_get_data(std::ptr::null_mut(), tx, 0, 2, &mut s, &mut slen) };
assert!(r);
topic = String::from_utf8_lossy(unsafe { build_slice!(s, slen as usize) });
assert_eq!(topic, "fieee");
r = unsafe { sub_topic_get_data(tx, 0, 3, &mut s, &mut slen) };
r = unsafe { sub_topic_get_data(std::ptr::null_mut(), tx, 0, 3, &mut s, &mut slen) };
assert!(r);
topic = String::from_utf8_lossy(unsafe { build_slice!(s, slen as usize) });
assert_eq!(topic, "baaaaz");
r = unsafe { sub_topic_get_data(tx, 0, 4, &mut s, &mut slen) };
r = unsafe { sub_topic_get_data(std::ptr::null_mut(), tx, 0, 4, &mut s, &mut slen) };
assert!(!r);
}
}
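Review bot: The updated tests call `unsub_topic_get_data` and `sub_topic_get_data` with `std::ptr::null_mut()` as the new first argument, which is sound only as long as these getters never dereference `_de`. Nothing on the getters records that assumption. I would add a doc comment to both, e.g. `/// _de is unused here and may be null (the unit tests pass null).`, so that a later change which starts using the thread context knows the tests must be updated too. The getter bodies are only partly visible in these hunks.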

@ -15,7 +15,9 @@
* 02110-1301, USA.
*/
use crate::core::DetectEngineThreadCtx;
use crate::quic::quic::QuicTransaction;
use std::os::raw::c_void;
use std::ptr;
#[no_mangle]
@ -96,8 +98,10 @@ pub unsafe extern "C" fn rs_quic_tx_get_version(
#[no_mangle]
pub unsafe extern "C" fn rs_quic_tx_get_cyu_hash(
tx: &QuicTransaction, i: u32, buffer: *mut *const u8, buffer_len: *mut u32,
) -> u8 {
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flags: u8, i: u32, buffer: *mut *const u8,
buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, QuicTransaction);
if (i as usize) < tx.cyu.len() {
let cyu = &tx.cyu[i as usize];
@ -106,19 +110,21 @@ pub unsafe extern "C" fn rs_quic_tx_get_cyu_hash(
*buffer = p.as_ptr();
*buffer_len = p.len() as u32;
1
true
} else {
*buffer = ptr::null();
*buffer_len = 0;
0
false
}
}
#[no_mangle]
pub unsafe extern "C" fn rs_quic_tx_get_cyu_string(
tx: &QuicTransaction, i: u32, buffer: *mut *const u8, buffer_len: *mut u32,
) -> u8 {
_de: *mut DetectEngineThreadCtx, tx: *const c_void, _flags: u8, i: u32, buffer: *mut *const u8,
buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, QuicTransaction);
if (i as usize) < tx.cyu.len() {
let cyu = &tx.cyu[i as usize];
@ -126,11 +132,11 @@ pub unsafe extern "C" fn rs_quic_tx_get_cyu_string(
*buffer = p.as_ptr();
*buffer_len = p.len() as u32;
1
true
} else {
*buffer = ptr::null();
*buffer_len = 0;
0
false
}
}

@ -17,10 +17,11 @@
// written by Giuseppe Longo <giuseppe@glongo.it>
use crate::core::DetectEngineThreadCtx;
use crate::detect::{
helper_keyword_register_sticky_buffer, DetectBufferSetActiveList,
DetectHelperBufferMpmRegister, DetectHelperGetData, DetectHelperGetMultiData,
DetectHelperMultiBufferMpmRegister, DetectSignatureSetAppProto, SigTableElmtStickyBuffer,
DetectHelperBufferMpmRegister, DetectHelperGetData, DetectHelperMultiBufferMpmRegister,
DetectSignatureSetAppProto, SigTableElmtStickyBuffer,
};
use crate::direction::Direction;
use crate::sip::sip::{SIPTransaction, ALPROTO_SIP};
@ -388,24 +389,9 @@ unsafe extern "C" fn sdp_bandwidth_setup(
return 0;
}
unsafe extern "C" fn sdp_bandwidth_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_bandwidth_get_data,
);
}
unsafe extern "C" fn sip_bandwidth_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
let direction = flow_flags.into();
@ -440,24 +426,9 @@ unsafe extern "C" fn sdp_time_setup(
return 0;
}
unsafe extern "C" fn sdp_time_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sdp_time_get_data,
);
}
unsafe extern "C" fn sdp_time_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
let direction = flow_flags.into();
@ -490,24 +461,9 @@ unsafe extern "C" fn sdp_repeat_time_setup(
return 0;
}
unsafe extern "C" fn sdp_repeat_time_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sdp_repeat_time_get_data,
);
}
unsafe extern "C" fn sdp_repeat_time_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
let direction = flow_flags.into();
@ -636,24 +592,9 @@ unsafe extern "C" fn sdp_attribute_setup(
return 0;
}
unsafe extern "C" fn sdp_attribute_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_attribute_get_data,
);
}
unsafe extern "C" fn sip_attribute_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
let direction = flow_flags.into();
@ -688,24 +629,9 @@ unsafe extern "C" fn sdp_media_desc_media_setup(
return 0;
}
unsafe extern "C" fn sdp_media_desc_media_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_media_desc_media_get_data,
);
}
unsafe extern "C" fn sip_media_desc_media_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
let direction = flow_flags.into();
@ -740,24 +666,9 @@ unsafe extern "C" fn sdp_media_desc_session_info_setup(
return 0;
}
unsafe extern "C" fn sdp_media_desc_session_info_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_media_desc_session_info_get_data,
);
}
unsafe extern "C" fn sip_media_desc_session_info_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
let direction = flow_flags.into();
@ -793,24 +704,9 @@ unsafe extern "C" fn sdp_media_desc_connection_data_setup(
return 0;
}
unsafe extern "C" fn sdp_media_desc_connection_data_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_media_desc_connection_data_get_data,
);
}
unsafe extern "C" fn sip_media_desc_connection_data_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
let direction = flow_flags.into();
@ -846,24 +742,9 @@ unsafe extern "C" fn sdp_media_desc_encryption_key_setup(
return 0;
}
unsafe extern "C" fn sdp_media_desc_encryption_key_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_media_desc_encryption_key_get_data,
);
}
unsafe extern "C" fn sip_media_desc_encryption_key_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
let direction = flow_flags.into();
@ -1007,7 +888,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() {
ALPROTO_SIP,
true,
true,
sdp_bandwidth_get,
sip_bandwidth_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sdp.time"),
@ -1022,7 +903,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() {
ALPROTO_SIP,
true,
true,
sdp_time_get,
sdp_time_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sdp.repeat_time"),
@ -1037,7 +918,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() {
ALPROTO_SIP,
true,
true,
sdp_repeat_time_get,
sdp_repeat_time_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sdp.timezone"),
@ -1082,7 +963,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() {
ALPROTO_SIP,
true,
true,
sdp_attribute_get,
sip_attribute_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sdp.media.media"),
@ -1099,7 +980,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() {
ALPROTO_SIP,
true,
true,
sdp_media_desc_media_get,
sip_media_desc_media_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sdp.media.media_info"),
@ -1114,7 +995,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() {
ALPROTO_SIP,
true,
true,
sdp_media_desc_session_info_get,
sip_media_desc_session_info_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sdp.media.connection_data"),
@ -1129,7 +1010,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() {
ALPROTO_SIP,
true,
true,
sdp_media_desc_connection_data_get,
sip_media_desc_connection_data_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sdp.media.encryption_key"),
@ -1144,6 +1025,6 @@ pub unsafe extern "C" fn SCDetectSdpRegister() {
ALPROTO_SIP,
true,
true,
sdp_media_desc_encryption_key_get,
sip_media_desc_encryption_key_get_data,
);
}

@ -17,10 +17,11 @@
// written by Giuseppe Longo <giuseppe@glongo.it>
use crate::core::DetectEngineThreadCtx;
use crate::detect::{
helper_keyword_register_sticky_buffer, DetectBufferSetActiveList,
DetectHelperBufferMpmRegister, DetectHelperGetData, DetectHelperGetMultiData,
DetectHelperMultiBufferMpmRegister, DetectSignatureSetAppProto, SigTableElmtStickyBuffer,
DetectHelperBufferMpmRegister, DetectHelperGetData, DetectHelperMultiBufferMpmRegister,
DetectSignatureSetAppProto, SigTableElmtStickyBuffer,
};
use crate::direction::Direction;
use crate::sip::sip::{SIPTransaction, ALPROTO_SIP};
@ -338,24 +339,9 @@ unsafe extern "C" fn sip_from_hdr_setup(
return 0;
}
unsafe extern "C" fn sip_from_hdr_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_from_hdr_get_data,
);
}
unsafe extern "C" fn sip_from_hdr_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
if let Some(value) = sip_get_header_value(tx, local_id, flow_flags.into(), "From") {
@ -380,24 +366,9 @@ unsafe extern "C" fn sip_to_hdr_setup(
return 0;
}
unsafe extern "C" fn sip_to_hdr_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_to_hdr_get_data,
);
}
unsafe extern "C" fn sip_to_hdr_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
if let Some(value) = sip_get_header_value(tx, local_id, flow_flags.into(), "To") {
@ -422,24 +393,9 @@ unsafe extern "C" fn sip_via_hdr_setup(
return 0;
}
unsafe extern "C" fn sip_via_hdr_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_via_hdr_get_data,
);
}
unsafe extern "C" fn sip_via_hdr_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
if let Some(value) = sip_get_header_value(tx, local_id, flow_flags.into(), "Via") {
@ -464,24 +420,9 @@ unsafe extern "C" fn sip_ua_hdr_setup(
return 0;
}
unsafe extern "C" fn sip_ua_hdr_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_ua_hdr_get_data,
);
}
unsafe extern "C" fn sip_ua_hdr_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
if let Some(value) = sip_get_header_value(tx, local_id, flow_flags.into(), "User-Agent") {
@ -506,24 +447,9 @@ unsafe extern "C" fn sip_content_type_hdr_setup(
return 0;
}
unsafe extern "C" fn sip_content_type_hdr_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_content_type_hdr_get_data,
);
}
unsafe extern "C" fn sip_content_type_hdr_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
if let Some(value) = sip_get_header_value(tx, local_id, flow_flags.into(), "Content-Type") {
@ -548,24 +474,9 @@ unsafe extern "C" fn sip_content_length_hdr_setup(
return 0;
}
unsafe extern "C" fn sip_content_length_hdr_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int, local_id: u32,
) -> *mut c_void {
return DetectHelperGetMultiData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
local_id,
sip_content_length_hdr_get_data,
);
}
unsafe extern "C" fn sip_content_length_hdr_get_data(
tx: *const c_void, flow_flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32,
_de: *mut DetectEngineThreadCtx, tx: *const c_void, flow_flags: u8, local_id: u32,
buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, SIPTransaction);
if let Some(value) = sip_get_header_value(tx, local_id, flow_flags.into(), "Content-Length") {
@ -667,7 +578,7 @@ pub unsafe extern "C" fn SCDetectSipRegister() {
ALPROTO_SIP,
true,
true,
sip_from_hdr_get,
sip_from_hdr_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sip.to"),
@ -682,7 +593,7 @@ pub unsafe extern "C" fn SCDetectSipRegister() {
ALPROTO_SIP,
true,
true,
sip_to_hdr_get,
sip_to_hdr_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sip.via"),
@ -697,7 +608,7 @@ pub unsafe extern "C" fn SCDetectSipRegister() {
ALPROTO_SIP,
true,
true,
sip_via_hdr_get,
sip_via_hdr_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sip.user_agent"),
@ -712,7 +623,7 @@ pub unsafe extern "C" fn SCDetectSipRegister() {
ALPROTO_SIP,
true,
true,
sip_ua_hdr_get,
sip_ua_hdr_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sip.content_type"),
@ -727,7 +638,7 @@ pub unsafe extern "C" fn SCDetectSipRegister() {
ALPROTO_SIP,
true,
true,
sip_content_type_hdr_get,
sip_content_type_hdr_get_data,
);
let kw = SigTableElmtStickyBuffer {
name: String::from("sip.content_length"),
@ -742,6 +653,6 @@ pub unsafe extern "C" fn SCDetectSipRegister() {
ALPROTO_SIP,
true,
true,
sip_content_length_hdr_get,
sip_content_length_hdr_get_data,
);
}
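Review bot: The six `sip_*_hdr_get_data` functions are now passed straight to `DetectHelperMultiBufferMpmRegister` as the FFI callback, but none of them documents the pointer contract it relies on. Each one runs `cast_pointer!(tx, SIPTransaction)` on an untyped `tx` and receives raw `buffer`/`buffer_len` out-pointers, so I would put a short doc comment above each, for example `/// # Safety` followed by `/// tx must point to a live SIPTransaction; buffer and buffer_len must be valid for writes.` The function bodies continue outside the hunks, so how the out-pointers are written and how long the returned slice stays valid cannot be checked from here.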

@ -77,80 +77,6 @@ static int SetupAuthoritiesBuffer(DetectEngineCtx *de_ctx, Signature *s, const c
return DetectSetup(de_ctx, s, str, authority_buffer_id);
}
static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index, enum DnsSection what)
{
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
if (buffer == NULL) {
return NULL;
}
if (buffer->initialized) {
return buffer;
}
bool to_client = (flags & STREAM_TOSERVER) == 0;
const uint8_t *data = NULL;
uint32_t data_len = 0;
bool ok = false;
switch (what) {
case DNS_QUERY:
ok = SCDnsTxGetQueryName(txv, to_client, index, &data, &data_len);
break;
case DNS_ANSWER:
ok = SCDnsTxGetAnswerName(txv, to_client, index, &data, &data_len);
break;
case DNS_AUTHORITY:
ok = SCDnsTxGetAuthorityName(txv, index, &data, &data_len);
break;
case DNS_ADDITIONAL:
ok = SCDnsTxGetAdditionalName(txv, index, &data, &data_len);
break;
default:
DEBUG_VALIDATE_BUG_ON("unhandled dns rrname type");
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
if (ok) {
InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
}
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
static InspectionBuffer *GetQueryBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index)
{
return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_QUERY);
}
static InspectionBuffer *GetAnswerBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index)
{
return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_ANSWER);
}
static InspectionBuffer *GetAuthorityBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index)
{
return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_AUTHORITY);
}
static InspectionBuffer *GetAdditionalBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index)
{
return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_ADDITIONAL);
}
static int Register(const char *keyword, const char *desc, const char *doc,
int (*Setup)(DetectEngineCtx *, Signature *, const char *),
InspectionMultiBufferGetDataPtr GetBufferFn)
@ -175,14 +101,14 @@ static int Register(const char *keyword, const char *desc, const char *doc,
void DetectDnsNameRegister(void)
{
query_buffer_id = Register("dns.queries.rrname", "DNS query rrname sticky buffer",
"/rules/dns-keywords.html#dns.queries.rrname", SetupQueryBuffer, GetQueryBuffer);
"/rules/dns-keywords.html#dns.queries.rrname", SetupQueryBuffer, SCDnsTxGetQueryName);
answer_buffer_id = Register("dns.answers.rrname", "DNS answer rrname sticky buffer",
"/rules/dns-keywords.html#dns.answers.rrname", SetupAnswerBuffer, GetAnswerBuffer);
"/rules/dns-keywords.html#dns.answers.rrname", SetupAnswerBuffer, SCDnsTxGetAnswerName);
additional_buffer_id =
Register("dns.additionals.rrname", "DNS additionals rrname sticky buffer",
"/rules/dns-keywords.html#dns-additionals-rrname", SetupAdditionalsBuffer,
GetAdditionalBuffer);
SCDnsTxGetAdditionalName);
authority_buffer_id = Register("dns.authorities.rrname", "DNS authorities rrname sticky buffer",
"/rules/dns-keywords.html#dns-authorities-rrname", SetupAuthoritiesBuffer,
GetAuthorityBuffer);
SCDnsTxGetAuthorityName);
}

@ -110,25 +110,29 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, uint8_t flags
/* Get name values. */
switch (cbdata->response_section) {
case DNS_RESPONSE_QUERY:
if (!SCDnsTxGetQueryName(txv, true, cbdata->response_id, &data, &data_len)) {
if (!SCDnsTxGetQueryName(
det_ctx, txv, STREAM_TOCLIENT, cbdata->response_id, &data, &data_len)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
break;
case DNS_RESPONSE_ANSWER:
if (!SCDnsTxGetAnswerName(txv, true, cbdata->response_id, &data, &data_len)) {
if (!SCDnsTxGetAnswerName(
det_ctx, txv, STREAM_TOCLIENT, cbdata->response_id, &data, &data_len)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
break;
case DNS_RESPONSE_AUTHORITY:
if (!SCDnsTxGetAuthorityName(txv, cbdata->response_id, &data, &data_len)) {
if (!SCDnsTxGetAuthorityName(
det_ctx, txv, 0, cbdata->response_id, &data, &data_len)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
break;
case DNS_RESPONSE_ADDITIONAL:
if (!SCDnsTxGetAdditionalName(txv, cbdata->response_id, &data, &data_len)) {
if (!SCDnsTxGetAdditionalName(
det_ctx, txv, 0, cbdata->response_id, &data, &data_len)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
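Review bot: The literal `0` passed as the flags argument to `SCDnsTxGetAuthorityName` and `SCDnsTxGetAdditionalName` reads as a magic value next to the `STREAM_TOCLIENT` used in the query and answer cases. Presumably those two getters ignore the direction, since the old calls took no direction argument at all, but nothing on these lines says so. I would annotate both calls with `/* direction is not used by this getter */`, or pass `STREAM_TOCLIENT` in all four cases if the getters really do ignore it. GetBuffer starts before and ends after this hunk.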

@ -287,32 +287,18 @@ static int DetectMimeEmailUrlSetup(DetectEngineCtx *de_ctx, Signature *s, const
return 0;
}
static InspectionBuffer *GetMimeEmailUrlData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv,
const int list_id, uint32_t idx)
static bool GetMimeEmailUrlData(DetectEngineThreadCtx *det_ctx, const void *txv,
const uint8_t flags, uint32_t idx, const uint8_t **buf, uint32_t *buf_len)
{
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, idx);
if (buffer == NULL || buffer->initialized)
return buffer;
SMTPTransaction *tx = (SMTPTransaction *)txv;
const uint8_t *b_email_url = NULL;
uint32_t b_email_url_len = 0;
if (tx->mime_state == NULL) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
return false;
}
if (SCDetectMimeEmailGetUrl(tx->mime_state, &b_email_url, &b_email_url_len, idx) != 1) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
if (SCDetectMimeEmailGetUrl(tx->mime_state, buf, buf_len, idx) != 1) {
return false;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, b_email_url, b_email_url_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
return true;
}
static int DetectMimeEmailReceivedSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
@ -326,33 +312,19 @@ static int DetectMimeEmailReceivedSetup(DetectEngineCtx *de_ctx, Signature *s, c
return 0;
}
static InspectionBuffer *GetMimeEmailReceivedData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv,
const int list_id, uint32_t idx)
static bool GetMimeEmailReceivedData(DetectEngineThreadCtx *det_ctx, const void *txv,
const uint8_t flags, uint32_t idx, const uint8_t **buf, uint32_t *buf_len)
{
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, idx);
if (buffer == NULL || buffer->initialized)
return buffer;
SMTPTransaction *tx = (SMTPTransaction *)txv;
const uint8_t *b_email_received = NULL;
uint32_t b_email_received_len = 0;
if (tx->mime_state == NULL) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
return false;
}
if (SCDetectMimeEmailGetDataArray(
tx->mime_state, &b_email_received, &b_email_received_len, "received", idx) != 1) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
if (SCDetectMimeEmailGetDataArray(tx->mime_state, buf, buf_len, "received", idx) != 1) {
return false;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, b_email_received, b_email_received_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
return true;
}
void DetectEmailRegister(void)
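Review bot: `SMTPTransaction *tx = (SMTPTransaction *)txv;` in both GetMimeEmailUrlData and GetMimeEmailReceivedData casts away the `const` that the new `const void *txv` parameter introduces. Neither function writes through `tx` in the lines shown, so `const SMTPTransaction *tx = txv;` would keep the qualifier and let the compiler reject an accidental write to transaction state from a getter. The same cast appears in DetectFTPReplyGetData (`FTPTransaction *tx = (FTPTransaction *)txv;`) and GetHttp1HeaderData (`htp_tx_t *tx = (htp_tx_t *)txv;`); those bodies are only partly visible, so a const pointer may not be usable there. The unused `det_ctx` and `flags` parameters could also take the leading underscore that DetectFTPReplyGetData uses (`_det_ctx`, `_flow_flags`).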

@ -169,30 +169,6 @@ int DetectHelperTransformRegister(const SCTransformTableElmt *kw)
return transform_id;
}
InspectionBuffer *DetectHelperGetMultiData(struct DetectEngineThreadCtx_ *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
const int list_id, uint32_t index, MultiGetTxBuffer GetBuf)
{
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
if (buffer == NULL) {
return NULL;
}
if (buffer->initialized) {
return buffer;
}
const uint8_t *data = NULL;
uint32_t data_len = 0;
if (!GetBuf(txv, flow_flags, index, &data, &data_len)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
}
const uint8_t *InspectionBufferPtr(InspectionBuffer *buf)
{
return buf->inspect;

@ -35,7 +35,6 @@ void DetectHelperKeywordAliasRegister(int kwid, const char *alias);
int DetectHelperBufferRegister(const char *name, AppProto alproto, bool toclient, bool toserver);
typedef bool (*SimpleGetTxBuffer)(void *, uint8_t, const uint8_t **, uint32_t *);
typedef bool (*MultiGetTxBuffer)(void *, uint8_t, uint32_t, const uint8_t **, uint32_t *);
InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
@ -47,10 +46,6 @@ int DetectHelperMultiBufferMpmRegister(const char *name, const char *desc, AppPr
int DetectHelperMultiBufferProgressMpmRegister(const char *name, const char *desc, AppProto alproto,
bool toclient, bool toserver, InspectionMultiBufferGetDataPtr GetData, int progress);
InspectionBuffer *DetectHelperGetMultiData(struct DetectEngineThreadCtx_ *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
const int list_id, uint32_t index, MultiGetTxBuffer GetBuf);
int DetectHelperTransformRegister(const SCTransformTableElmt *kw);
const uint8_t *InspectionBufferPtr(InspectionBuffer *buf);
uint32_t InspectionBufferLength(InspectionBuffer *buf);

@ -1583,8 +1583,8 @@ static void PrefilterMultiMpm(DetectEngineThreadCtx *det_ctx, const void *pectx,
do {
// loop until we get a NULL
InspectionBuffer *buffer =
ctx->GetData(det_ctx, ctx->transforms, f, flags, txv, ctx->list_id, local_id);
InspectionBuffer *buffer = DetectGetMultiData(
det_ctx, ctx->transforms, f, flags, txv, ctx->list_id, local_id, ctx->GetData);
if (buffer == NULL)
break;

@ -2308,6 +2308,30 @@ void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t di
alproto, tx_min_progress);
}
InspectionBuffer *DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf)
{
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
if (buffer == NULL) {
return NULL;
}
if (buffer->initialized) {
return buffer;
}
const uint8_t *data = NULL;
uint32_t data_len = 0;
if (!GetBuf(det_ctx, txv, flow_flags, index, &data, &data_len)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
}
uint8_t DetectEngineInspectMultiBufferGeneric(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine,
const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
@ -2319,8 +2343,8 @@ uint8_t DetectEngineInspectMultiBufferGeneric(DetectEngineCtx *de_ctx,
}
do {
InspectionBuffer *buffer = engine->v2.GetMultiData(
det_ctx, transforms, f, flags, txv, engine->sm_list, local_id);
InspectionBuffer *buffer = DetectGetMultiData(det_ctx, transforms, f, flags, txv,
engine->sm_list, local_id, engine->v2.GetMultiData);
if (buffer == NULL || buffer->inspect == NULL)
break;
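Review bot: DetectGetMultiData is a new exported function with no comment, and its contract with the getter is not obvious from the signature. A `false` from `GetBuf` marks the buffer empty and returns NULL, and both callers shown on this page stop iterating at the first NULL, so a getter must return `false` only once `index` is past the last item; returning it for a gap in the middle would leave the remaining items uninspected. I would add a Doxygen block above the function that states this, notes that an already-initialized buffer is returned without calling `GetBuf` again, and requires that on `true` the getter sets `*data`/`*data_len` to memory that stays valid for the inspection (whether InspectionBufferSetupMulti copies the data is not visible here). DetectEngineInspectMultiBufferGeneric continues outside the hunk.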

@ -151,6 +151,9 @@ uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineTh
const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
void *alstate, void *txv, uint64_t tx_id);
InspectionBuffer *DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf);
uint8_t DetectEngineInspectMultiBufferGeneric(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine,
const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);

@ -59,8 +59,8 @@ static int DetectFtpReplySetup(DetectEngineCtx *de_ctx, Signature *s, const char
return 0;
}
static bool DetectFTPReplyGetData(void *txv, uint8_t _flow_flags, uint32_t index,
const uint8_t **buffer, uint32_t *buffer_len)
static bool DetectFTPReplyGetData(DetectEngineThreadCtx *_det_ctx, const void *txv,
uint8_t _flow_flags, uint32_t index, const uint8_t **buffer, uint32_t *buffer_len)
{
FTPTransaction *tx = (FTPTransaction *)txv;
@ -86,14 +86,6 @@ static bool DetectFTPReplyGetData(void *txv, uint8_t _flow_flags, uint32_t index
return false;
}
static InspectionBuffer *GetDataWrapper(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
const int list_id, uint32_t index)
{
return DetectHelperGetMultiData(
det_ctx, transforms, _f, _flow_flags, txv, list_id, index, DetectFTPReplyGetData);
}
void DetectFtpReplyRegister(void)
{
/* ftp.reply sticky buffer */
@ -104,7 +96,7 @@ void DetectFtpReplyRegister(void)
sigmatch_table[DETECT_FTP_REPLY].flags |= SIGMATCH_NOOPT;
DetectAppLayerMultiRegister(
BUFFER_NAME, ALPROTO_FTP, SIG_FLAG_TOCLIENT, 0, GetDataWrapper, 2, 1);
BUFFER_NAME, ALPROTO_FTP, SIG_FLAG_TOCLIENT, 0, DetectFTPReplyGetData, 2, 1);
DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);

@ -496,47 +496,11 @@ static void HttpMultiBufHeaderThreadDataFree(void *data)
SCFree(td);
}
static InspectionBuffer *GetHttp2HeaderData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
int list_id, uint32_t local_id)
static bool GetHttp1HeaderData(DetectEngineThreadCtx *det_ctx, const void *txv, const uint8_t flags,
uint32_t local_id, const uint8_t **buf, uint32_t *buf_len)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
if (buffer == NULL)
return NULL;
if (buffer->initialized)
return buffer;
uint32_t b_len = 0;
const uint8_t *b = NULL;
if (rs_http2_tx_get_header(txv, flags, local_id, &b, &b_len) != 1) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
if (b == NULL || b_len == 0) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
SCReturnPtr(buffer, "InspectionBuffer");
}
static InspectionBuffer *GetHttp1HeaderData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
int list_id, uint32_t local_id)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
if (buffer == NULL)
return NULL;
if (buffer->initialized)
return buffer;
int kw_thread_id;
if (flags & STREAM_TOSERVER) {
kw_thread_id = g_request_header_thread_id;
@ -546,7 +510,7 @@ static InspectionBuffer *GetHttp1HeaderData(DetectEngineThreadCtx *det_ctx,
HttpMultiBufHeaderThreadData *hdr_td =
DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, kw_thread_id);
if (unlikely(hdr_td == NULL)) {
return NULL;
return false;
}
htp_tx_t *tx = (htp_tx_t *)txv;
@ -598,13 +562,11 @@ static InspectionBuffer *GetHttp1HeaderData(DetectEngineThreadCtx *det_ctx,
// hdr_td->len is the number of header buffers
if (local_id < hdr_td->len) {
// we have one valid header buffer
InspectionBufferSetupMulti(det_ctx, buffer, transforms, hdr_td->items[local_id].buffer,
hdr_td->items[local_id].len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
SCReturnPtr(buffer, "InspectionBuffer");
*buf = hdr_td->items[local_id].buffer;
*buf_len = hdr_td->items[local_id].len;
return true;
} // else there are no more header buffer to get
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
return false;
}
static int DetectHTTPRequestHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
@ -629,7 +591,7 @@ void DetectHttpRequestHeaderRegister(void)
SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerMultiRegister("http_request_header", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
HTTP2StateOpen, GetHttp2HeaderData, 2, HTTP2StateOpen);
HTTP2StateOpen, rs_http2_tx_get_header, 2, HTTP2StateOpen);
DetectAppLayerMultiRegister("http_request_header", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
HTP_REQUEST_PROGRESS_HEADERS, GetHttp1HeaderData, 2, HTP_REQUEST_PROGRESS_HEADERS);
@ -662,7 +624,7 @@ void DetectHttpResponseHeaderRegister(void)
SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerMultiRegister("http_response_header", ALPROTO_HTTP2, SIG_FLAG_TOCLIENT,
HTTP2StateOpen, GetHttp2HeaderData, 2, HTTP2StateOpen);
HTTP2StateOpen, rs_http2_tx_get_header, 2, HTTP2StateOpen);
DetectAppLayerMultiRegister("http_response_header", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
HTP_RESPONSE_PROGRESS_HEADERS, GetHttp1HeaderData, 2, HTP_RESPONSE_PROGRESS_HEADERS);
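Review bot: Registering `rs_http2_tx_get_header` directly drops the `b == NULL || b_len == 0` check that the removed GetHttp2HeaderData applied after a successful call, because DetectGetMultiData tests only the boolean result. If the Rust getter can report success with a NULL or zero-length value, that case now reaches `InspectionBufferSetupMulti` instead of ending the loop, and the two callers then differ: PrefilterMultiMpm tests only `buffer == NULL`, while DetectEngineInspectMultiBufferGeneric also tests `buffer->inspect == NULL`. The same guard disappears with GetKrb5CNameData and GetKrb5SNameData. Either confirm that these getters return `false` for empty values, or keep the guard once in the generic wrapper, `if (!GetBuf(det_ctx, txv, flow_flags, index, &data, &data_len) || data == NULL || data_len == 0) {`, bearing in mind that this would also apply to keywords that did not have the check before.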

@ -99,14 +99,6 @@ static int g_http2_header_name_buffer_id = 0;
* \brief Registration function for HTTP2 keywords
*/
static InspectionBuffer *GetHttp2HNameData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flags, void *txv,
int list_id, uint32_t local_id)
{
return DetectHelperGetMultiData(det_ctx, transforms, _f, flags, txv, list_id, local_id,
(MultiGetTxBuffer)rs_http2_tx_get_header_name);
}
void DetectHttp2Register(void)
{
sigmatch_table[DETECT_HTTP2_FRAMETYPE].name = "http2.frametype";
@ -182,9 +174,10 @@ void DetectHttp2Register(void)
sigmatch_table[DETECT_HTTP2_HEADERNAME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerMultiRegister("http2_header_name", ALPROTO_HTTP2, SIG_FLAG_TOCLIENT,
HTTP2StateOpen, GetHttp2HNameData, 2, HTTP2StateOpen);
HTTP2StateOpen, rs_http2_tx_get_header_name, 2, HTTP2StateOpen);
DetectAppLayerMultiRegister("http2_header_name", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
HTTP2StateOpen, GetHttp2HNameData, 2, HTTP2StateOpen);
HTTP2StateOpen, rs_http2_tx_get_header_name, 2, HTTP2StateOpen);
DetectBufferTypeSupportsMultiInstance("http2_header_name");
DetectBufferTypeSetDescriptionByName("http2_header_name",
"HTTP2 header name");

@ -39,31 +39,6 @@ static int DetectIkeVendorSetup(DetectEngineCtx *, Signature *, const char *);
static int g_ike_vendor_buffer_id = 0;
static InspectionBuffer *IkeVendorGetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
int list_id, uint32_t local_id)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
if (buffer == NULL)
return NULL;
if (buffer->initialized)
return buffer;
const uint8_t *data;
uint32_t data_len;
if (rs_ike_tx_get_vendor(txv, local_id, &data, &data_len) == 0) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
SCReturnPtr(buffer, "InspectionBuffer");
}
/**
* \brief Registration function for ike.vendor keyword.
*/
@ -77,7 +52,7 @@ void DetectIkeVendorRegister(void)
sigmatch_table[DETECT_IKE_VENDOR].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerMultiRegister(
"ike.vendor", ALPROTO_IKE, SIG_FLAG_TOSERVER, 1, IkeVendorGetData, 1, 1);
"ike.vendor", ALPROTO_IKE, SIG_FLAG_TOSERVER, 1, rs_ike_tx_get_vendor, 1, 1);
g_ike_vendor_buffer_id = DetectBufferTypeGetByName("ike.vendor");

@ -49,36 +49,6 @@ static int DetectKrb5CNameSetup(DetectEngineCtx *de_ctx, Signature *s, const cha
return 0;
}
static InspectionBuffer *GetKrb5CNameData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
int list_id, uint32_t local_id)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
if (buffer == NULL)
return NULL;
if (buffer->initialized)
return buffer;
uint32_t b_len = 0;
const uint8_t *b = NULL;
if (rs_krb5_tx_get_cname(txv, local_id, &b, &b_len) != 1) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
if (b == NULL || b_len == 0) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
SCReturnPtr(buffer, "InspectionBuffer");
}
void DetectKrb5CNameRegister(void)
{
sigmatch_table[DETECT_KRB5_CNAME].name = "krb5.cname";
@ -89,7 +59,7 @@ void DetectKrb5CNameRegister(void)
sigmatch_table[DETECT_KRB5_CNAME].desc = "sticky buffer to match on Kerberos 5 client name";
DetectAppLayerMultiRegister(
"krb5_cname", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 0, GetKrb5CNameData, 2, 1);
"krb5_cname", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 0, rs_krb5_tx_get_cname, 2, 1);
DetectBufferTypeSetDescriptionByName("krb5_cname",
"Kerberos 5 ticket client name");
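Review bot: Registering `rs_krb5_tx_get_cname` directly drops the `b == NULL || b_len == 0` check that the removed `GetKrb5CNameData` applied after a successful getter call, so a name entry that comes back with no data would now be passed on as a buffer instead of being treated as absent. The same applies to `rs_krb5_tx_get_sname` in the krb5.sname section. Neither the Rust getters nor the generic wrapper are visible here, so this may already be handled. If it is not, the old behaviour can be kept with `if (*buf == NULL || *buf_len == 0) return false;` in the shared wrapper, or the equivalent early return on the Rust side.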

@ -49,36 +49,6 @@ static int DetectKrb5SNameSetup(DetectEngineCtx *de_ctx, Signature *s, const cha
return 0;
}
static InspectionBuffer *GetKrb5SNameData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
int list_id, uint32_t local_id)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
if (buffer == NULL)
return NULL;
if (buffer->initialized)
return buffer;
uint32_t b_len = 0;
const uint8_t *b = NULL;
if (rs_krb5_tx_get_sname(txv, local_id, &b, &b_len) != 1) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
if (b == NULL || b_len == 0) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
SCReturnPtr(buffer, "InspectionBuffer");
}
void DetectKrb5SNameRegister(void)
{
sigmatch_table[DETECT_KRB5_SNAME].name = "krb5.sname";
@ -89,7 +59,7 @@ void DetectKrb5SNameRegister(void)
sigmatch_table[DETECT_KRB5_SNAME].desc = "sticky buffer to match on Kerberos 5 server name";
DetectAppLayerMultiRegister(
"krb5_sname", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 0, GetKrb5SNameData, 2, 1);
"krb5_sname", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 0, rs_krb5_tx_get_sname, 2, 1);
DetectBufferTypeSetDescriptionByName("krb5_sname",
"Kerberos 5 ticket server name");

@ -55,33 +55,6 @@ static int DetectQuicCyuHashSetup(DetectEngineCtx *de_ctx, Signature *s, const c
return 0;
}
static InspectionBuffer *QuicHashGetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
int list_id, uint32_t local_id)
{
SCEnter();
if (local_id > UINT16_MAX)
return NULL;
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
if (buffer == NULL)
return NULL;
if (buffer->initialized)
return buffer;
const uint8_t *data;
uint32_t data_len;
if (rs_quic_tx_get_cyu_hash(txv, local_id, &data, &data_len) == 0) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
SCReturnPtr(buffer, "InspectionBuffer");
}
void DetectQuicCyuHashRegister(void)
{
/* quic.cyu.hash sticky buffer */
@ -95,7 +68,7 @@ void DetectQuicCyuHashRegister(void)
#endif
DetectAppLayerMultiRegister(
BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOSERVER, 0, QuicHashGetData, 2, 1);
BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOSERVER, 0, rs_quic_tx_get_cyu_hash, 2, 1);
DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
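Review bot: The `local_id > UINT16_MAX` guard from the removed `QuicHashGetData` has no replacement now that `rs_quic_tx_get_cyu_hash` is registered directly. If the Rust getter narrows the index to 16 bits, a large index would alias an earlier entry rather than return false. The getter body is not shown in this section, so that is worth confirming. A one-line comment at the registration, such as `/* index bounds are checked in rs_quic_tx_get_cyu_hash */`, would record where the check now lives.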

@ -53,31 +53,6 @@ static int DetectQuicCyuStringSetup(DetectEngineCtx *de_ctx, Signature *s, const
return 0;
}
static InspectionBuffer *QuicStringGetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
int list_id, uint32_t local_id)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
if (buffer == NULL)
return NULL;
if (buffer->initialized)
return buffer;
const uint8_t *data;
uint32_t data_len;
if (rs_quic_tx_get_cyu_string(txv, local_id, &data, &data_len) == 0) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
SCReturnPtr(buffer, "InspectionBuffer");
}
void DetectQuicCyuStringRegister(void)
{
/* quic.cyu.string sticky buffer */
@ -91,7 +66,7 @@ void DetectQuicCyuStringRegister(void)
#endif
DetectAppLayerMultiRegister(
BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOSERVER, 0, QuicStringGetData, 2, 1);
BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOSERVER, 0, rs_quic_tx_get_cyu_string, 2, 1);
DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);

@ -100,18 +100,12 @@ static int DetectSmtpRcptToSetup(DetectEngineCtx *de_ctx, Signature *s, const ch
return 0;
}
static InspectionBuffer *GetSmtpRcptToData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv,
const int list_id, uint32_t idx)
static bool GetSmtpRcptToData(DetectEngineThreadCtx *_det_ctx, const void *txv, uint8_t _flow_flags,
uint32_t idx, const uint8_t **buffer, uint32_t *buffer_len)
{
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, idx);
if (buffer == NULL || buffer->initialized)
return buffer;
SMTPTransaction *tx = (SMTPTransaction *)txv;
if (TAILQ_EMPTY(&tx->rcpt_to_list)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
return false;
}
SMTPString *s;
@ -125,13 +119,12 @@ static InspectionBuffer *GetSmtpRcptToData(DetectEngineThreadCtx *det_ctx,
}
}
if (s == NULL) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
return false;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, s->str, s->len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
*buffer = s->str;
*buffer_len = s->len;
return true;
}
void SCDetectSMTPRegister(void)

@ -52,12 +52,45 @@
#include "util-profiling.h"
static int DetectTlsAlpnSetup(DetectEngineCtx *, Signature *, const char *);
static InspectionBuffer *TlsAlpnGetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index);
static int g_tls_alpn_buffer_id = 0;
static bool TlsAlpnGetData(DetectEngineThreadCtx *det_ctx, const void *txv, const uint8_t flags,
uint32_t idx, const uint8_t **buf, uint32_t *buf_len)
{
SCEnter();
const SSLState *ssl_state = (SSLState *)txv;
const SSLStateConnp *connp;
if (flags & STREAM_TOSERVER) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
}
if (TAILQ_EMPTY(&connp->alpns)) {
return false;
}
SSLAlpns *a;
if (idx == 0) {
a = TAILQ_FIRST(&connp->alpns);
} else {
// TODO optimize ?
a = TAILQ_FIRST(&connp->alpns);
for (uint32_t i = 0; i < idx; i++) {
a = TAILQ_NEXT(a, next);
}
}
if (a == NULL) {
return false;
}
*buf = a->alpn;
*buf_len = a->size;
return true;
}
/**
* \brief Registration function for keyword: tls.alpn
*/
@ -102,47 +135,3 @@ static int DetectTlsAlpnSetup(DetectEngineCtx *de_ctx, Signature *s, const char
return 0;
}
static InspectionBuffer *TlsAlpnGetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t idx)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, idx);
if (buffer == NULL || buffer->initialized)
return buffer;
const SSLState *ssl_state = (SSLState *)f->alstate;
const SSLStateConnp *connp;
if (flags & STREAM_TOSERVER) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
}
if (TAILQ_EMPTY(&connp->alpns)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
SSLAlpns *a;
if (idx == 0) {
a = TAILQ_FIRST(&connp->alpns);
} else {
// TODO optimize ?
a = TAILQ_FIRST(&connp->alpns);
for (uint32_t i = 0; i < idx; i++) {
a = TAILQ_NEXT(a, next);
}
}
if (a == NULL) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, a->alpn, a->size);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
SCReturnPtr(buffer, "InspectionBuffer");
}
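Review bot: In the new `TlsAlpnGetData`, the walk `for (uint32_t i = 0; i < idx; i++) a = TAILQ_NEXT(a, next);` dereferences `a` without checking it, so an `idx` more than one past the end of `connp->alpns` would read through a NULL pointer. The list is built from the peer's handshake and the getter is now a bare callback whose caller is not visible here, so it should not depend on indexes arriving in sequence. Writing the loop as `for (uint32_t i = 0; i < idx && a != NULL; i++)` keeps the existing `a == NULL` return as the single exit. The function also opens with `SCEnter()` but leaves through plain `return`; `SCReturnBool(...)` would match it.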

@ -62,17 +62,10 @@ static void DetectTlsCertsRegisterTests(void);
static int g_tls_certs_buffer_id = 0;
static InspectionBuffer *TlsCertsGetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
int list_id, uint32_t local_id)
static bool TlsCertsGetData(DetectEngineThreadCtx *det_ctx, const void *txv, const uint8_t flags,
uint32_t local_id, const uint8_t **buf, uint32_t *buf_len)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
if (buffer == NULL || buffer->initialized)
return buffer;
const SSLState *ssl_state = (SSLState *)f->alstate;
const SSLState *ssl_state = (SSLState *)txv;
const SSLStateConnp *connp;
if (flags & STREAM_TOSERVER) {
@ -82,8 +75,7 @@ static InspectionBuffer *TlsCertsGetData(DetectEngineThreadCtx *det_ctx,
}
if (TAILQ_EMPTY(&connp->certs)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
return false;
}
SSLCertsChain *cert;
@ -97,14 +89,12 @@ static InspectionBuffer *TlsCertsGetData(DetectEngineThreadCtx *det_ctx,
}
}
if (cert == NULL) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
return false;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, cert->cert_data, cert->cert_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
SCReturnPtr(buffer, "InspectionBuffer");
*buf = cert->cert_data;
*buf_len = cert->cert_len;
return true;
}
/**
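Review bot: `TlsCertsGetData` now takes its state from `(SSLState *)txv` where it used `f->alstate`, which is only equivalent if the TLS parser hands out its state as the transaction pointer; the same cast appears in `TlsAlpnGetData` and `TlsSubjectAltNameGetData`. That assumption deserves a comment at the cast, e.g. `/* TLS passes its SSLState as the tx pointer */`, once confirmed against the parser. The cast also discards the `const` of `txv`; `(const SSLState *)txv` says what is meant. The middle of the function lies outside the hunks shown.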

@ -52,12 +52,25 @@
#include "util-profiling.h"
static int DetectTlsSubjectAltNameSetup(DetectEngineCtx *, Signature *, const char *);
static InspectionBuffer *TlsSubjectAltNameGetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index);
static int g_tls_subjectaltname_buffer_id = 0;
static bool TlsSubjectAltNameGetData(DetectEngineThreadCtx *det_ctx, const void *txv,
const uint8_t flags, uint32_t idx, const uint8_t **buf, uint32_t *buf_len)
{
const SSLState *ssl_state = (SSLState *)txv;
const SSLStateConnp *connp;
connp = &ssl_state->server_connp;
if (idx >= connp->cert0_sans_len) {
return false;
}
*buf = (const uint8_t *)connp->cert0_sans[idx];
*buf_len = strlen(connp->cert0_sans[idx]);
return true;
}
/**
* \brief Registration function for keyword: tls.subjectaltname
*/
@ -101,28 +114,3 @@ static int DetectTlsSubjectAltNameSetup(DetectEngineCtx *de_ctx, Signature *s, c
return 0;
}
static InspectionBuffer *TlsSubjectAltNameGetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t idx)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, idx);
if (buffer == NULL || buffer->initialized)
return buffer;
const SSLState *ssl_state = (SSLState *)f->alstate;
const SSLStateConnp *connp;
connp = &ssl_state->server_connp;
if (idx >= connp->cert0_sans_len) {
return NULL;
}
InspectionBufferSetupMulti(det_ctx, buffer, transforms, (const uint8_t *)connp->cert0_sans[idx],
strlen(connp->cert0_sans[idx]));
buffer->flags = DETECT_CI_FLAGS_SINGLE;
SCReturnPtr(buffer, "InspectionBuffer");
}
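Review bot: `*buf_len = strlen(connp->cert0_sans[idx]);` measures the name as a C string, so a subjectAltName carrying an embedded NUL byte is matched only up to that byte, and the `size_t` result is narrowed to `uint32_t` without a cast. Whether the certificate decoder rejects such names before they reach `cert0_sans` is not visible here; if it does not, rules on tls.subjectaltname see a shorter value than the certificate holds. A comment stating the assumption, plus an explicit `(uint32_t)strlen(...)`, would make both points visible. That comment could also note that `det_ctx` and `flags` are unused and that the getter always reads `server_connp`.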

@ -423,9 +423,10 @@ typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
void *txv, const int list_id);
typedef InspectionBuffer *(*InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
const int list_id, const uint32_t local_id);
typedef bool (*InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx,
const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf,
uint32_t *buf_len);
struct DetectEngineAppInspectionEngine_;
typedef uint8_t (*InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx,
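Review bot: The new `InspectionMultiBufferGetDataPtr` typedef carries no description of the callback contract, which every keyword getter and the Rust FFI declarations now depend on. A doc comment above it should say that the callback returns true with `*buf` and `*buf_len` set for entry `local_id` and false when there is no such entry. It should also say that the returned memory stays owned by the transaction, and whether a true return with zero length is allowed. The C getters in this commit leave `*buf` and `*buf_len` untouched on the false path, so the comment should state that callers must not read the outputs after a false return.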
