detect: simplify content inspection types

Instead of a type per buffer type, pass just 3 possible types:
packet, stream, state.

The individual types weren't used. State is just there to be
not packet and not stream.
pull/2310/head
Victor Julien 9 years ago
parent e1eb481647
commit ae5846b4de

@ -77,7 +77,7 @@ int DetectBase64DataDoMatch(DetectEngineCtx *de_ctx,
return DetectEngineContentInspection(de_ctx, det_ctx, s,
s->sm_lists[DETECT_SM_LIST_BASE64_DATA], f, det_ctx->base64_decoded,
det_ctx->base64_decoded_len, 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_BASE64, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
}
return 0;

@ -24,37 +24,13 @@
#ifndef __DETECT_ENGINE_CONTENT_INSPECTION_H__
#define __DETECT_ENGINE_CONTENT_INSPECTION_H__
/** \warning make sure to add new entries to the proper position
* wrt flow lock status
/** indication to content engine what type of data
* we're inspecting
*/
enum {
/* called with flow unlocked */
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD = 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM,
/* called with flow locked */
DETECT_ENGINE_CONTENT_INSPECTION_MODE_DCE,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_URI,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRL,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRUD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HHD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRHD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HCBD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSBD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HCD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HMD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSCD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSMD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HUAD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HHHD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRHHD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_DNSQUERY,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSSNI,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSISSUER,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSSUBJECT,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_FD_SMTP,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_BASE64,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TEMPLATE_BUFFER,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE,
};
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
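Review bot: The reduced enum leaves its three values undocumented in the header, and the old warning about ordering entries by flow-lock status appears to be dropped without saying whether callers may still rely on that distinction. The commit message explains that STATE only means "not packet and not stream", but someone reading the header alone will not see that. I would add a one-line comment per enumerator, for example `/* app-layer/state buffer: neither a raw packet payload nor reassembled stream data */` above `DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE`. The enum is anonymous, so a short remark that call sites should pass one of these names rather than a literal would also help; the DetectEngineContentInspection prototype continues outside the hunk.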

@ -90,7 +90,7 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
dce_stub_data,
dce_stub_data_len,
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_DCE, dcerpc_state);
0, dcerpc_state);
//r = DoInspectDcePayload(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_DMATCH], f,
//dce_stub_data, dce_stub_data_len, dcerpc_state);
if (r == 1) {
@ -113,7 +113,7 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
dce_stub_data,
dce_stub_data_len,
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_DCE, dcerpc_state);
0, dcerpc_state);
//r = DoInspectDcePayload(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_DMATCH], f,
//dce_stub_data, dce_stub_data_len, dcerpc_state);
if (r == 1) {
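Review bot: Both DetectEngineContentInspection calls in DetectEngineInspectDcePayload (the hunk at -90 and the one at -113) now pass a bare `0` as the inspection mode. In the header enum that value is DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, while every other app-layer call site in this commit passes DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE. DCE stub data used to sit in the "called with flow locked" group, so if the content engine branches on the mode, handling it as packet payload could change how signatures match on this buffer; the inspection code is not shown here, so this needs confirming. If PAYLOAD is not intended, use `DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, dcerpc_state);`. If it is intended, name the constant and add a comment explaining why, because the literal directly after the offset argument `0,` is easy to misread. The function body starts and ends outside both hunks.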

@ -88,7 +88,7 @@ int DetectEngineInspectDnsQueryName(ThreadVars *tv,
r = DetectEngineContentInspection(de_ctx, det_ctx,
s, s->sm_lists[DETECT_SM_LIST_DNSQUERYNAME_MATCH],
f, buffer, buffer_len, 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_DNSQUERY, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
break;
}

@ -208,7 +208,7 @@ int DetectEngineInspectSMTPFiledata(ThreadVars *tv,
(uint8_t *)buffer,
buffer_len,
stream_start_offset,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_FD_SMTP, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (match == 1)
r = 1;
}

@ -282,7 +282,7 @@ int DetectEngineInspectHttpClientBody(ThreadVars *tv,
(uint8_t *)buffer,
buffer_len,
stream_start_offset,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HCBD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;

@ -198,7 +198,7 @@ int DetectEngineInspectHttpCookie(ThreadVars *tv,
(uint8_t *)bstr_ptr(h->value),
bstr_len(h->value),
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HCD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;

@ -338,7 +338,7 @@ int DetectEngineInspectHttpHeader(ThreadVars *tv,
buffer,
buffer_len,
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HHD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;

@ -136,7 +136,7 @@ int DetectEngineInspectHttpHH(ThreadVars *tv,
f,
hname, hname_len,
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HHHD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;

@ -134,7 +134,7 @@ int DetectEngineInspectHttpMethod(ThreadVars *tv,
(uint8_t *)bstr_ptr(tx->request_method),
bstr_len(tx->request_method),
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HMD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;
else

@ -202,7 +202,7 @@ int DetectEngineInspectHttpRawHeader(ThreadVars *tv,
headers_raw,
headers_raw_len,
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRHD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;

@ -159,7 +159,7 @@ int DetectEngineInspectHttpHRH(ThreadVars *tv,
f,
hname, hname_len,
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRHHD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;

@ -94,7 +94,7 @@ int DetectEngineInspectHttpRequestLine(ThreadVars *tv,
bstr_ptr(tx->request_line),
bstr_len(tx->request_line),
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRL, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1) {
return DETECT_ENGINE_INSPECT_SIG_MATCH;
} else {

@ -136,7 +136,7 @@ int DetectEngineInspectHttpRawUri(ThreadVars *tv,
(uint8_t *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri),
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRUD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;
else

@ -288,7 +288,7 @@ int DetectEngineInspectHttpServerBody(ThreadVars *tv,
(uint8_t *)buffer,
buffer_len,
stream_start_offset,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSBD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;

@ -134,7 +134,7 @@ int DetectEngineInspectHttpStatCode(ThreadVars *tv,
(uint8_t *)bstr_ptr(tx->response_status),
bstr_len(tx->response_status),
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSCD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;
else

@ -134,7 +134,7 @@ int DetectEngineInspectHttpStatMsg(ThreadVars *tv,
(uint8_t *)bstr_ptr(tx->response_message),
bstr_len(tx->response_message),
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSMD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;
else

@ -142,7 +142,7 @@ int DetectEngineInspectHttpUA(ThreadVars *tv,
(uint8_t *)bstr_ptr(h->value),
bstr_len(h->value),
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HUAD, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;

@ -47,13 +47,13 @@ int DetectEngineInspectTemplateBuffer(ThreadVars *tv, DetectEngineCtx *de_ctx,
ret = DetectEngineContentInspection(de_ctx, det_ctx, s,
s->sm_lists[DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH], f,
tx->request_buffer, tx->request_buffer_len, 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TEMPLATE_BUFFER, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
}
else if (flags & STREAM_TOCLIENT && tx->response_buffer != NULL) {
ret = DetectEngineContentInspection(de_ctx, det_ctx, s,
s->sm_lists[DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH], f,
tx->response_buffer, tx->response_buffer_len, 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TEMPLATE_BUFFER, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
}
SCLogNotice("Returning %d.", ret);

@ -117,7 +117,7 @@ int DetectEngineInspectTlsSni(ThreadVars *tv, DetectEngineCtx *de_ctx,
cnt = DetectEngineContentInspection(de_ctx, det_ctx, s,
s->sm_lists[DETECT_SM_LIST_TLSSNI_MATCH],
f, buffer, buffer_len, 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSSNI, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
return cnt;
}
@ -193,7 +193,7 @@ int DetectEngineInspectTlsIssuer(ThreadVars *tv, DetectEngineCtx *de_ctx,
cnt = DetectEngineContentInspection(de_ctx, det_ctx, s,
s->sm_lists[DETECT_SM_LIST_TLSISSUER_MATCH],
f, buffer, buffer_len, 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSISSUER, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
return cnt;
}
@ -269,7 +269,7 @@ int DetectEngineInspectTlsSubject(ThreadVars *tv, DetectEngineCtx *de_ctx,
cnt = DetectEngineContentInspection(de_ctx, det_ctx, s,
s->sm_lists[DETECT_SM_LIST_TLSSUBJECT_MATCH],
f, buffer, buffer_len, 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSSUBJECT, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
return cnt;
}

@ -136,7 +136,7 @@ int DetectEngineInspectPacketUris(ThreadVars *tv,
bstr_ptr(tx_ud->request_uri_normalized),
bstr_len(tx_ud->request_uri_normalized),
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_URI, NULL);
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1) {
return DETECT_ENGINE_INSPECT_SIG_MATCH;
} else {
