diff --git a/examples/plugins/altemplate/src/detect.rs b/examples/plugins/altemplate/src/detect.rs index 47c276adcb..7ae3d1e596 100644 --- a/examples/plugins/altemplate/src/detect.rs +++ b/examples/plugins/altemplate/src/detect.rs @@ -24,7 +24,7 @@ use super::template::{TemplateTransaction, ALPROTO_TEMPLATE}; use std::os::raw::{c_int, c_void}; use suricata::cast_pointer; use suricata::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigTableElmtStickyBuffer, }; use suricata::core::{STREAM_TOCLIENT, STREAM_TOSERVER}; @@ -46,7 +46,7 @@ unsafe extern "C" fn template_buffer_setup( } /// Get the request/response buffer for a transaction from C. -unsafe extern "C" fn template_buffer_get_data( +unsafe extern "C" fn template_buffer_get( tx: *const c_void, flags: u8, buf: *mut *const u8, len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, TemplateTransaction); @@ -64,21 +64,6 @@ unsafe extern "C" fn template_buffer_get_data( return false; } -unsafe extern "C" fn template_buffer_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - template_buffer_get_data, - ); -} - pub(super) unsafe extern "C" fn detect_template_register() { // TODO create a suricata-verify test // Setup a keyword structure and register it diff --git a/rust/src/applayertemplate/detect.rs b/rust/src/applayertemplate/detect.rs index 31d0d473de..9f1222e866 100644 --- a/rust/src/applayertemplate/detect.rs +++ b/rust/src/applayertemplate/detect.rs @@ -21,7 +21,7 @@ use crate::conf::conf_get_node; /* TEMPLATE_END_REMOVE */ use crate::core::{STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigTableElmtStickyBuffer, }; use crate::direction::Direction; @@ -43,7 +43,7 @@ unsafe extern "C" fn template_buffer_setup( } /// Get the request/response buffer for a transaction from C. -unsafe extern "C" fn template_buffer_get_data( +unsafe extern "C" fn template_buffer_get( tx: *const c_void, flags: u8, buf: *mut *const u8, len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, TemplateTransaction); @@ -61,21 +61,6 @@ unsafe extern "C" fn template_buffer_get_data( return false; } -unsafe extern "C" fn template_buffer_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - template_buffer_get_data, - ); -} - #[no_mangle] pub unsafe extern "C" fn SCDetectTemplateRegister() { /* TEMPLATE_START_REMOVE */ diff --git a/rust/src/detect/mod.rs b/rust/src/detect/mod.rs index c27347abe8..f466bc14bf 100644 --- a/rust/src/detect/mod.rs +++ b/rust/src/detect/mod.rs @@ -120,21 +120,14 @@ pub const SIGMATCH_INFO_STICKY_BUFFER: u16 = 0x200; // BIT_U16(9) /// cbindgen:ignore extern "C" { - pub fn DetectHelperGetData( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, - get_buf: unsafe extern "C" fn(*const c_void, u8, *mut *const u8, *mut u32) -> bool, - ) -> *mut c_void; pub fn DetectHelperBufferMpmRegister( name: *const libc::c_char, desc: *const libc::c_char, alproto: AppProto, dir: u8, get_data: unsafe extern "C" fn( - *mut c_void, - *const c_void, *const c_void, u8, - *const c_void, - i32, - ) -> *mut c_void, + *mut *const u8, + *mut u32, + ) -> bool, ) -> c_int; // from detect-parse.h pub fn DetectSignatureSetAppProto(s: *mut Signature, alproto: AppProto) -> c_int; diff --git a/rust/src/enip/detect.rs b/rust/src/enip/detect.rs index 6278668108..e0a0fb90fc 100644 --- a/rust/src/enip/detect.rs +++ b/rust/src/enip/detect.rs @@ -36,7 +36,7 @@ use crate::detect::uint::{ SCDetectU8Match, SCDetectU8Parse, }; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use suricata_sys::sys::{ @@ -1253,7 +1253,7 @@ pub unsafe extern "C" fn product_name_setup( return 0; } -unsafe extern "C" fn product_name_get( +unsafe extern "C" fn product_name_get_data( tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, EnipTransaction); @@ -1273,21 +1273,6 @@ unsafe extern "C" fn product_name_get( return false; } -unsafe extern "C" fn product_name_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - product_name_get, - ); -} - pub unsafe extern "C" fn service_name_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -1300,7 +1285,7 @@ pub unsafe extern "C" fn service_name_setup( return 0; } -unsafe extern "C" fn service_name_get( +unsafe extern "C" fn service_name_get_data( tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, EnipTransaction); @@ -1320,20 +1305,6 @@ unsafe extern "C" fn service_name_get( return false; } -unsafe extern "C" fn service_name_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - service_name_get, - ); -} #[no_mangle] pub unsafe extern "C" fn SCDetectEnipRegister() { let kw = SCSigTableAppLiteElmt { diff --git a/rust/src/ldap/detect.rs b/rust/src/ldap/detect.rs index 114f7fa606..4bc281491f 100644 --- a/rust/src/ldap/detect.rs +++ b/rust/src/ldap/detect.rs @@ -22,7 +22,7 @@ use crate::detect::uint::{ SCDetectU8Free, }; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use crate::ldap::types::{LdapMessage, LdapResultCode, ProtocolOp, ProtocolOpCode}; @@ -319,21 +319,6 @@ unsafe extern "C" fn ldap_detect_request_dn_setup( } unsafe extern "C" fn ldap_detect_request_dn_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - ldap_tx_get_request_dn, - ); -} - -unsafe extern "C" fn ldap_tx_get_request_dn( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, LdapTransaction); diff --git a/rust/src/mqtt/detect.rs b/rust/src/mqtt/detect.rs index c761a3f91e..138b488a70 100644 --- a/rust/src/mqtt/detect.rs +++ b/rust/src/mqtt/detect.rs @@ -23,7 +23,7 @@ use crate::detect::uint::{ SCDetectU8Free, SCDetectU8Parse, }; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use suricata_sys::sys::{ @@ -55,7 +55,7 @@ fn mqtt_tx_has_type(tx: &MQTTTransaction, mtype: &DetectUintData) -> c_int { return 0; } -unsafe extern "C" fn mqtt_tx_get_connect_clientid( +unsafe extern "C" fn mqtt_conn_clientid_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -75,7 +75,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_clientid( return false; } -unsafe extern "C" fn mqtt_tx_get_connect_username( +unsafe extern "C" fn mqtt_conn_username_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -96,7 +96,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_username( return false; } -unsafe extern "C" fn mqtt_tx_get_connect_password( +unsafe extern "C" fn mqtt_conn_password_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -117,7 +117,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_password( return false; } -unsafe extern "C" fn mqtt_tx_get_connect_willtopic( +unsafe extern "C" fn mqtt_conn_willtopic_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -138,7 +138,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_willtopic( return false; } -unsafe extern "C" fn mqtt_tx_get_connect_willmessage( +unsafe extern "C" fn mqtt_conn_willmsg_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -159,7 +159,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_willmessage( return false; } -unsafe extern "C" fn mqtt_tx_get_connect_protocol_string( +unsafe extern "C" fn mqtt_conn_protocolstring_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -179,7 +179,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_protocol_string( return false; } -unsafe extern "C" fn mqtt_tx_get_publish_topic( +unsafe extern "C" fn mqtt_pub_topic_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -199,7 +199,7 @@ unsafe extern "C" fn mqtt_tx_get_publish_topic( return false; } -unsafe extern "C" fn mqtt_tx_get_publish_message( +unsafe extern "C" fn mqtt_pub_msg_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -598,21 +598,6 @@ unsafe extern "C" fn mqtt_pub_topic_setup( return 0; } -unsafe extern "C" fn mqtt_pub_topic_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_publish_topic, - ); -} - unsafe extern "C" fn mqtt_pub_msg_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -625,21 +610,6 @@ unsafe extern "C" fn mqtt_pub_msg_setup( return 0; } -unsafe extern "C" fn mqtt_pub_msg_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_publish_message, - ); -} - unsafe extern "C" fn mqtt_protocol_version_setup( de: *mut DetectEngineCtx, s: *mut Signature, raw: *const libc::c_char, ) -> c_int { @@ -922,21 +892,6 @@ unsafe extern "C" fn mqtt_conn_willtopic_setup( return 0; } -unsafe extern "C" fn mqtt_conn_willtopic_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_willtopic, - ); -} - unsafe extern "C" fn mqtt_conn_willmsg_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -949,21 +904,6 @@ unsafe extern "C" fn mqtt_conn_willmsg_setup( return 0; } -unsafe extern "C" fn mqtt_conn_willmsg_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_willmessage, - ); -} - unsafe extern "C" fn mqtt_conn_username_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -976,21 +916,6 @@ unsafe extern "C" fn mqtt_conn_username_setup( return 0; } -unsafe extern "C" fn mqtt_conn_username_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_username, - ); -} - unsafe extern "C" fn mqtt_conn_protocolstring_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -1003,21 +928,6 @@ unsafe extern "C" fn mqtt_conn_protocolstring_setup( return 0; } -unsafe extern "C" fn mqtt_conn_protocolstring_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_protocol_string, - ); -} - unsafe extern "C" fn mqtt_conn_password_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -1030,21 +940,6 @@ unsafe extern "C" fn mqtt_conn_password_setup( return 0; } -unsafe extern "C" fn mqtt_conn_password_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_password, - ); -} - unsafe extern "C" fn mqtt_conn_clientid_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -1057,21 +952,6 @@ unsafe extern "C" fn mqtt_conn_clientid_setup( return 0; } -unsafe extern "C" fn mqtt_conn_clientid_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_clientid, - ); -} - #[no_mangle] pub unsafe extern "C" fn SCDetectMqttRegister() { let keyword_name = b"mqtt.unsubscribe.topic\0".as_ptr() as *const libc::c_char; diff --git a/rust/src/rfb/detect.rs b/rust/src/rfb/detect.rs index 0ec574b01e..696df7f9d6 100644 --- a/rust/src/rfb/detect.rs +++ b/rust/src/rfb/detect.rs @@ -24,7 +24,7 @@ use crate::detect::uint::{ detect_match_uint, detect_parse_uint_enum, DetectUintData, SCDetectU32Free, SCDetectU32Parse, }; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use std::ffi::CStr; @@ -36,7 +36,7 @@ use suricata_sys::sys::{ SigMatchCtx, Signature, }; -unsafe extern "C" fn rfb_name_get_data( +unsafe extern "C" fn rfb_name_get( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, RFBTransaction); @@ -54,21 +54,6 @@ unsafe extern "C" fn rfb_name_get_data( return false; } -unsafe extern "C" fn rfb_name_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - rfb_name_get_data, - ); -} - static mut G_RFB_NAME_BUFFER_ID: c_int = 0; static mut G_RFB_SEC_TYPE_KW_ID: c_int = 0; static mut G_RFB_SEC_TYPE_BUFFER_ID: c_int = 0; diff --git a/rust/src/sdp/detect.rs b/rust/src/sdp/detect.rs index 1801bff3b1..a6103dd248 100644 --- a/rust/src/sdp/detect.rs +++ b/rust/src/sdp/detect.rs @@ -19,7 +19,7 @@ use crate::core::{STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigTableElmtStickyBuffer, }; use crate::direction::Direction; @@ -62,21 +62,6 @@ unsafe extern "C" fn sdp_session_name_setup( } unsafe extern "C" fn sdp_session_name_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_session_name_get_data, - ); -} - -unsafe extern "C" fn sdp_session_name_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -110,21 +95,6 @@ unsafe extern "C" fn sdp_session_info_setup( } unsafe extern "C" fn sdp_session_info_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_session_info_get_data, - ); -} - -unsafe extern "C" fn sdp_session_info_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -157,21 +127,6 @@ unsafe extern "C" fn sdp_origin_setup( } unsafe extern "C" fn sdp_origin_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_origin_get_data, - ); -} - -unsafe extern "C" fn sdp_origin_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -205,21 +160,6 @@ unsafe extern "C" fn sdp_uri_setup( } unsafe extern "C" fn sdp_uri_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_uri_get_data, - ); -} - -unsafe extern "C" fn sdp_uri_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -252,21 +192,6 @@ unsafe extern "C" fn sdp_email_setup( } unsafe extern "C" fn sdp_email_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_email_get_data, - ); -} - -unsafe extern "C" fn sdp_email_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -299,21 +224,6 @@ unsafe extern "C" fn sdp_phone_number_setup( } unsafe extern "C" fn sdp_phone_number_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_phone_number_get_data, - ); -} - -unsafe extern "C" fn sdp_phone_number_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -346,21 +256,6 @@ unsafe extern "C" fn sdp_conn_data_setup( } unsafe extern "C" fn sdp_conn_data_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_conn_data_get_data, - ); -} - -unsafe extern "C" fn sdp_conn_data_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -502,21 +397,6 @@ unsafe extern "C" fn sdp_timezone_setup( } unsafe extern "C" fn sdp_timezone_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_timezone_get_data, - ); -} - -unsafe extern "C" fn sdp_timezone_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -549,21 +429,6 @@ unsafe extern "C" fn sdp_encryption_key_setup( } unsafe extern "C" fn sdp_encryption_key_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_encryption_key_get_data, - ); -} - -unsafe extern "C" fn sdp_encryption_key_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); diff --git a/rust/src/sip/detect.rs b/rust/src/sip/detect.rs index 5aa34edab7..173cf83c21 100644 --- a/rust/src/sip/detect.rs +++ b/rust/src/sip/detect.rs @@ -19,14 +19,17 @@ use crate::core::{STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigTableElmtStickyBuffer, }; use crate::direction::Direction; use crate::sip::sip::{SIPTransaction, ALPROTO_SIP}; use std::os::raw::{c_int, c_void}; use std::ptr; -use suricata_sys::sys::{DetectEngineCtx, SCDetectBufferSetActiveList, Signature, SCDetectHelperMultiBufferMpmRegister, DetectEngineThreadCtx}; +use suricata_sys::sys::{ + DetectEngineCtx, DetectEngineThreadCtx, SCDetectBufferSetActiveList, + SCDetectHelperMultiBufferMpmRegister, Signature, +}; static mut G_SIP_PROTOCOL_BUFFER_ID: c_int = 0; static mut G_SIP_STAT_CODE_BUFFER_ID: c_int = 0; @@ -91,21 +94,6 @@ unsafe extern "C" fn sip_protocol_setup( } unsafe extern "C" fn sip_protocol_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sip_protocol_get_data, - ); -} - -unsafe extern "C" fn sip_protocol_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -149,21 +137,6 @@ unsafe extern "C" fn sip_stat_code_setup( } unsafe extern "C" fn sip_stat_code_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sip_stat_code_get_data, - ); -} - -unsafe extern "C" fn sip_stat_code_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -193,20 +166,6 @@ unsafe extern "C" fn sip_stat_msg_setup( } unsafe extern "C" fn sip_stat_msg_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sip_stat_msg_get_data, - ); -} -unsafe extern "C" fn sip_stat_msg_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -236,21 +195,6 @@ unsafe extern "C" fn sip_request_line_setup( } unsafe extern "C" fn sip_request_line_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sip_request_line_get_data, - ); -} - -unsafe extern "C" fn sip_request_line_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -279,21 +223,6 @@ unsafe extern "C" fn sip_response_line_setup( } unsafe extern "C" fn sip_response_line_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sip_response_line_get_data, - ); -} - -unsafe extern "C" fn sip_response_line_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); diff --git a/rust/src/snmp/detect.rs b/rust/src/snmp/detect.rs index 6669f0d95d..4e0a66da2e 100644 --- a/rust/src/snmp/detect.rs +++ b/rust/src/snmp/detect.rs @@ -21,7 +21,7 @@ use super::snmp::{SNMPTransaction, ALPROTO_SNMP}; use crate::core::{STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::uint::{DetectUintData, SCDetectU32Free, SCDetectU32Match, SCDetectU32Parse}; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use std::os::raw::{c_int, c_void}; @@ -120,7 +120,7 @@ unsafe extern "C" fn snmp_detect_usm_setup( return 0; } -unsafe extern "C" fn snmp_detect_usm_get( +unsafe extern "C" fn snmp_detect_usm_get_data( tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SNMPTransaction); @@ -132,21 +132,6 @@ unsafe extern "C" fn snmp_detect_usm_get( return false; } -unsafe extern "C" fn snmp_detect_usm_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - snmp_detect_usm_get, - ); -} - unsafe extern "C" fn snmp_detect_community_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -159,7 +144,7 @@ unsafe extern "C" fn snmp_detect_community_setup( return 0; } -unsafe extern "C" fn snmp_detect_community_get( +unsafe extern "C" fn snmp_detect_community_get_data( tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SNMPTransaction); @@ -171,21 +156,6 @@ unsafe extern "C" fn snmp_detect_community_get( return false; } -unsafe extern "C" fn snmp_detect_community_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - snmp_detect_community_get, - ); -} - pub(super) unsafe extern "C" fn detect_snmp_register() { let kw = SCSigTableAppLiteElmt { name: b"snmp.version\0".as_ptr() as *const libc::c_char, diff --git a/rust/src/websocket/detect.rs b/rust/src/websocket/detect.rs index d1bd9d6760..c2cd320ceb 100644 --- a/rust/src/websocket/detect.rs +++ b/rust/src/websocket/detect.rs @@ -22,7 +22,7 @@ use crate::detect::uint::{ SCDetectU32Match, SCDetectU32Parse, SCDetectU8Free, SCDetectU8Match, }; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use crate::websocket::parser::WebSocketOpcode; @@ -257,7 +257,7 @@ pub unsafe extern "C" fn websocket_detect_payload_setup( return 0; } -pub unsafe extern "C" fn websocket_detect_payload_get( +pub unsafe extern "C" fn websocket_detect_payload_get_data( tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, WebSocketTransaction); @@ -266,21 +266,6 @@ pub unsafe extern "C" fn websocket_detect_payload_get( return true; } -pub unsafe extern "C" fn websocket_detect_payload_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - websocket_detect_payload_get, - ); -} - #[no_mangle] pub unsafe extern "C" fn SCDetectWebsocketRegister() { let kw = SCSigTableAppLiteElmt { diff --git a/src/detect-email.c b/src/detect-email.c index 4cc36a4aa5..cee39793da 100644 --- a/src/detect-email.c +++ b/src/detect-email.c @@ -45,27 +45,13 @@ static int DetectMimeEmailFromSetup(DetectEngineCtx *de_ctx, Signature *s, const return 0; } -static InspectionBuffer *GetMimeEmailFromData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailFromData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_from = NULL; - uint32_t b_email_from_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData(tx->mime_state, &b_email_from, &b_email_from_len, "from") != 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_from, b_email_from_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "from") == 1); } static int DetectMimeEmailSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) @@ -79,28 +65,13 @@ static int DetectMimeEmailSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, co return 0; } -static InspectionBuffer *GetMimeEmailSubjectData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailSubjectData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_sub = NULL; - uint32_t b_email_sub_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData(tx->mime_state, &b_email_sub, &b_email_sub_len, "subject") != - 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_sub, b_email_sub_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "subject") == 1); } static int DetectMimeEmailToSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) @@ -114,29 +85,13 @@ static int DetectMimeEmailToSetup(DetectEngineCtx *de_ctx, Signature *s, const c return 0; } -static InspectionBuffer *GetMimeEmailToData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailToData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_to = NULL; - uint32_t b_email_to_len = 0; - - if ((tx->mime_state != NULL)) { - if (SCDetectMimeEmailGetData(tx->mime_state, &b_email_to, &b_email_to_len, "to") != 1) - return NULL; - } - - if (b_email_to == NULL || b_email_to_len == 0) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_to, b_email_to_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "to") == 1); } static int DetectMimeEmailCcSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) @@ -150,27 +105,13 @@ static int DetectMimeEmailCcSetup(DetectEngineCtx *de_ctx, Signature *s, const c return 0; } -static InspectionBuffer *GetMimeEmailCcData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailCcData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_cc = NULL; - uint32_t b_email_cc_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData(tx->mime_state, &b_email_cc, &b_email_cc_len, "cc") != 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_cc, b_email_cc_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "cc") == 1); } static int DetectMimeEmailDateSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) @@ -184,27 +125,13 @@ static int DetectMimeEmailDateSetup(DetectEngineCtx *de_ctx, Signature *s, const return 0; } -static InspectionBuffer *GetMimeEmailDateData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailDateData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_date = NULL; - uint32_t b_email_date_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData(tx->mime_state, &b_email_date, &b_email_date_len, "date") != 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_date, b_email_date_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "date") == 1); } static int DetectMimeEmailMessageIdSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) @@ -218,28 +145,13 @@ static int DetectMimeEmailMessageIdSetup(DetectEngineCtx *de_ctx, Signature *s, return 0; } -static InspectionBuffer *GetMimeEmailMessageIdData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailMessageIdData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_msg_id = NULL; - uint32_t b_email_msg_id_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData( - tx->mime_state, &b_email_msg_id, &b_email_msg_id_len, "message-id") != 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_msg_id, b_email_msg_id_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "message-id") == 1); } static int DetectMimeEmailXMailerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) @@ -253,28 +165,13 @@ static int DetectMimeEmailXMailerSetup(DetectEngineCtx *de_ctx, Signature *s, co return 0; } -static InspectionBuffer *GetMimeEmailXMailerData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailXMailerData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_x_mailer = NULL; - uint32_t b_email_x_mailer_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData( - tx->mime_state, &b_email_x_mailer, &b_email_x_mailer_len, "x-mailer") != 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_x_mailer, b_email_x_mailer_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "x-mailer") == 1); } static int DetectMimeEmailUrlSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) diff --git a/src/detect-engine-helper.c b/src/detect-engine-helper.c index 7c6221ca45..6a74ab7aed 100644 --- a/src/detect-engine-helper.c +++ b/src/detect-engine-helper.c @@ -44,38 +44,20 @@ int SCDetectHelperBufferRegister(const char *name, AppProto alproto, uint8_t dir return DetectBufferTypeRegister(name); } -InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, - const int list_id, - bool (*GetBuf)(void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)) -{ - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - const uint8_t *b = NULL; - uint32_t b_len = 0; - - if (!GetBuf(txv, flow_flags, &b, &b_len)) - return NULL; - - InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); - } - return buffer; -} - int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto, - uint8_t direction, InspectionBufferGetDataPtr GetData) + uint8_t direction, InspectionSingleBufferGetDataPtr GetData) { if (direction & STREAM_TOSERVER) { - DetectAppLayerInspectEngineRegister( - name, alproto, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerMpmRegister( - name, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, alproto, 0); + DetectAppLayerInspectEngineRegisterSingle( + name, alproto, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferSingle, GetData); + DetectAppLayerMpmRegisterSingle( + name, SIG_FLAG_TOSERVER, 2, PrefilterSingleMpmRegister, GetData, alproto, 0); } if (direction & STREAM_TOCLIENT) { - DetectAppLayerInspectEngineRegister( - name, alproto, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerMpmRegister( - name, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, GetData, alproto, 0); + DetectAppLayerInspectEngineRegisterSingle( + name, alproto, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectBufferSingle, GetData); + DetectAppLayerMpmRegisterSingle( + name, SIG_FLAG_TOCLIENT, 2, PrefilterSingleMpmRegister, GetData, alproto, 0); } DetectBufferTypeSetDescriptionByName(name, desc); return DetectBufferTypeGetByName(name); diff --git a/src/detect-engine-helper.h b/src/detect-engine-helper.h index 170cda374e..ece83be3b5 100644 --- a/src/detect-engine-helper.h +++ b/src/detect-engine-helper.h @@ -42,6 +42,8 @@ typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(struct DetectEngineThrea typedef bool (*InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len); +typedef bool (*InspectionSingleBufferGetDataPtr)( + const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len); /// App-layer light version of SigTableElmt typedef struct SCSigTableAppLiteElmt { @@ -80,13 +82,8 @@ int SCDetectHelperKeywordRegister(const SCSigTableAppLiteElmt *kw); void SCDetectHelperKeywordAliasRegister(int kwid, const char *alias); int SCDetectHelperBufferRegister(const char *name, AppProto alproto, uint8_t direction); -typedef bool (*SimpleGetTxBuffer)(void *, uint8_t, const uint8_t **, uint32_t *); - -InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, - const int list_id, SimpleGetTxBuffer GetBuf); int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto, - uint8_t direction, InspectionBufferGetDataPtr GetData); + uint8_t direction, InspectionSingleBufferGetDataPtr GetData); int SCDetectHelperMultiBufferMpmRegister(const char *name, const char *desc, AppProto alproto, uint8_t direction, InspectionMultiBufferGetDataPtr GetData); int SCDetectHelperMultiBufferProgressMpmRegister(const char *name, const char *desc, diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 3ac3896a91..1b223da8a8 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -88,6 +88,7 @@ static int g_mpm_list_cnt[DETECT_BUFFER_MPM_TYPE_SIZE] = { 0, 0, 0 }; */ static void RegisterInternal(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, + InspectionSingleBufferGetDataPtr GetDataSingle, InspectionMultiBufferGetDataPtr GetMultiData, AppProto alproto, int tx_min_progress) { SCLogDebug("registering %s/%d/%d/%p/%p/%u/%d", name, direction, priority, @@ -109,8 +110,8 @@ static void RegisterInternal(const char *name, int direction, int priority, // every HTTP2 can be accessed from DOH2 if (alproto == ALPROTO_HTTP2 || alproto == ALPROTO_DNS) { - RegisterInternal(name, direction, priority, PrefilterRegister, GetData, GetMultiData, - ALPROTO_DOH2, tx_min_progress); + RegisterInternal(name, direction, priority, PrefilterRegister, GetData, GetDataSingle, + GetMultiData, ALPROTO_DOH2, tx_min_progress); } DetectBufferMpmRegistry *am = SCCalloc(1, sizeof(*am)); BUG_ON(am == NULL); @@ -126,6 +127,8 @@ static void RegisterInternal(const char *name, int direction, int priority, am->PrefilterRegisterWithListId = PrefilterRegister; if (GetData != NULL) { am->app_v2.GetData = GetData; + } else if (GetDataSingle != NULL) { + am->app_v2.GetDataSingle = GetDataSingle; } else if (GetMultiData != NULL) { am->app_v2.GetMultiData = GetMultiData; } @@ -152,16 +155,24 @@ void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress) { - RegisterInternal( - name, direction, priority, PrefilterRegister, GetData, NULL, alproto, tx_min_progress); + RegisterInternal(name, direction, priority, PrefilterRegister, GetData, NULL, NULL, alproto, + tx_min_progress); +} + +void DetectAppLayerMpmRegisterSingle(const char *name, int direction, int priority, + PrefilterRegisterFunc PrefilterRegister, InspectionSingleBufferGetDataPtr GetData, + AppProto alproto, int tx_min_progress) +{ + RegisterInternal(name, direction, priority, PrefilterRegister, NULL, GetData, NULL, alproto, + tx_min_progress); } void DetectAppLayerMpmMultiRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionMultiBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress) { - RegisterInternal( - name, direction, priority, PrefilterRegister, NULL, GetData, alproto, tx_min_progress); + RegisterInternal(name, direction, priority, PrefilterRegister, NULL, NULL, GetData, alproto, + tx_min_progress); } /** \brief copy a mpm engine from parent_id, add in transforms */ diff --git a/src/detect-engine-mpm.h b/src/detect-engine-mpm.h index 34d67ae767..6bde23a202 100644 --- a/src/detect-engine-mpm.h +++ b/src/detect-engine-mpm.h @@ -87,6 +87,9 @@ typedef int (*PrefilterRegisterFunc)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress); +void DetectAppLayerMpmRegisterSingle(const char *name, int direction, int priority, + PrefilterRegisterFunc PrefilterRegister, InspectionSingleBufferGetDataPtr GetData, + AppProto alproto, int tx_min_progress); void DetectAppLayerMpmMultiRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionMultiBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress); diff --git a/src/detect-engine-prefilter.c b/src/detect-engine-prefilter.c index 73976d707b..071b2382db 100644 --- a/src/detect-engine-prefilter.c +++ b/src/detect-engine-prefilter.c @@ -1499,11 +1499,49 @@ const char *PrefilterStoreGetName(const uint32_t id) typedef struct PrefilterMpmCtx { int list_id; - InspectionBufferGetDataPtr GetData; + union { + InspectionBufferGetDataPtr GetData; + InspectionSingleBufferGetDataPtr GetDataSingle; + }; const MpmCtx *mpm_ctx; const DetectEngineTransforms *transforms; } PrefilterMpmCtx; +/** \brief Generic Mpm prefilter callback for simple InspectionSingleBufferGetDataPtr + * + * \param det_ctx detection engine thread ctx + * \param p packet to inspect + * \param f flow to inspect + * \param txv tx to inspect + * \param pectx inspection context + */ +static void PrefilterMpmTxSingle(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, + Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags) +{ + SCEnter(); + + const PrefilterMpmCtx *ctx = (const PrefilterMpmCtx *)pectx; + const MpmCtx *mpm_ctx = ctx->mpm_ctx; + SCLogDebug("running on list %d", ctx->list_id); + + InspectionBuffer *buffer = DetectGetSingleData( + det_ctx, ctx->transforms, f, flags, txv, ctx->list_id, ctx->GetDataSingle); + if (buffer == NULL) + return; + + const uint32_t data_len = buffer->inspect_len; + const uint8_t *data = buffer->inspect; + + SCLogDebug("mpm'ing buffer:"); + // PrintRawDataFp(stdout, data, data_len); + + if (data != NULL && data_len >= mpm_ctx->minlen) { + (void)mpm_table[mpm_ctx->mpm_type].Search( + mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, data, data_len); + PREFILTER_PROFILING_ADD_BYTES(det_ctx, data_len); + } +} + /** \brief Generic Mpm prefilter callback * * \param det_ctx detection engine thread ctx @@ -1521,8 +1559,7 @@ static void PrefilterMpm(DetectEngineThreadCtx *det_ctx, const void *pectx, Pack const MpmCtx *mpm_ctx = ctx->mpm_ctx; SCLogDebug("running on list %d", ctx->list_id); - InspectionBuffer *buffer = ctx->GetData(det_ctx, ctx->transforms, - f, flags, txv, ctx->list_id); + InspectionBuffer *buffer = ctx->GetData(det_ctx, ctx->transforms, f, flags, txv, ctx->list_id); if (buffer == NULL) return; @@ -1565,6 +1602,26 @@ int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmC return r; } +int PrefilterSingleMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, + const DetectBufferMpmRegistry *mpm_reg, int list_id) +{ + SCEnter(); + PrefilterMpmCtx *pectx = SCCalloc(1, sizeof(*pectx)); + if (pectx == NULL) + return -1; + pectx->list_id = list_id; + pectx->GetDataSingle = mpm_reg->app_v2.GetDataSingle; + pectx->mpm_ctx = mpm_ctx; + pectx->transforms = &mpm_reg->transforms; + + int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmTxSingle, mpm_reg->app_v2.alproto, + mpm_reg->app_v2.tx_min_progress, pectx, PrefilterGenericMpmFree, mpm_reg->pname); + if (r != 0) { + SCFree(pectx); + } + return r; +} + static void PrefilterMultiGenericMpmFree(void *ptr) { // PrefilterMpmListId diff --git a/src/detect-engine-prefilter.h b/src/detect-engine-prefilter.h index 3dbd2a45e4..62e5ad502b 100644 --- a/src/detect-engine-prefilter.h +++ b/src/detect-engine-prefilter.h @@ -97,6 +97,9 @@ void PrefilterDeinit(DetectEngineCtx *de_ctx); int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id); +int PrefilterSingleMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, + const DetectBufferMpmRegistry *mpm_reg, int list_id); + int PrefilterMultiGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id); diff --git a/src/detect-engine.c b/src/detect-engine.c index eec091f566..c2243d88c9 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -172,6 +172,7 @@ void DetectPktInspectEngineRegister(const char *name, * \note errors are fatal */ static void AppLayerInspectEngineRegisterInternal(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData, + InspectionSingleBufferGetDataPtr GetDataSingle, InspectionMultiBufferGetDataPtr GetMultiData) { BUG_ON(progress >= 48); @@ -192,6 +193,10 @@ static void AppLayerInspectEngineRegisterInternal(const char *name, AppProto alp SCLogError("Invalid arguments: must register " "GetData with DetectEngineInspectBufferGeneric"); BUG_ON(1); + } else if (Callback == DetectEngineInspectBufferSingle && GetDataSingle == NULL) { + SCLogError("Invalid arguments: must register " + "GetData with DetectEngineInspectBufferGeneric"); + BUG_ON(1); } else if (Callback == DetectEngineInspectMultiBufferGeneric && GetMultiData == NULL) { SCLogError("Invalid arguments: must register " "GetData with DetectEngineInspectMultiBufferGeneric"); @@ -207,7 +212,7 @@ static void AppLayerInspectEngineRegisterInternal(const char *name, AppProto alp // every DNS or HTTP2 can be accessed from DOH2 if (alproto == ALPROTO_HTTP2 || alproto == ALPROTO_DNS) { AppLayerInspectEngineRegisterInternal( - name, ALPROTO_DOH2, dir, progress, Callback, GetData, GetMultiData); + name, ALPROTO_DOH2, dir, progress, Callback, GetData, GetDataSingle, GetMultiData); } DetectEngineAppInspectionEngine *new_engine = @@ -223,6 +228,8 @@ static void AppLayerInspectEngineRegisterInternal(const char *name, AppProto alp new_engine->v2.Callback = Callback; if (Callback == DetectEngineInspectBufferGeneric) { new_engine->v2.GetData = GetData; + } else if (Callback == DetectEngineInspectBufferSingle) { + new_engine->v2.GetDataSingle = GetDataSingle; } else if (Callback == DetectEngineInspectMultiBufferGeneric) { new_engine->v2.GetMultiData = GetMultiData; } @@ -257,7 +264,31 @@ void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uin t = t->next; } - AppLayerInspectEngineRegisterInternal(name, alproto, dir, progress, Callback, GetData, NULL); + AppLayerInspectEngineRegisterInternal( + name, alproto, dir, progress, Callback, GetData, NULL, NULL); +} + +void DetectAppLayerInspectEngineRegisterSingle(const char *name, AppProto alproto, uint32_t dir, + int progress, InspectEngineFuncPtr Callback, InspectionSingleBufferGetDataPtr GetData) +{ + /* before adding, check that we don't add a duplicate entry, which will + * propegate all the way into the packet runtime if allowed. */ + DetectEngineAppInspectionEngine *t = g_app_inspect_engines; + while (t != NULL) { + const uint32_t t_direction = t->dir == 0 ? SIG_FLAG_TOSERVER : SIG_FLAG_TOCLIENT; + const int sm_list = DetectBufferTypeGetByName(name); + + if (t->sm_list == sm_list && t->alproto == alproto && t_direction == dir && + t->progress == progress && t->v2.Callback == Callback && + t->v2.GetDataSingle == GetData) { + DEBUG_VALIDATE_BUG_ON(1); + return; + } + t = t->next; + } + + AppLayerInspectEngineRegisterInternal( + name, alproto, dir, progress, Callback, NULL, GetData, NULL); } /* copy an inspect engine with transforms to a new list id. */ @@ -1927,6 +1958,66 @@ uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThre return DETECT_ENGINE_INSPECT_SIG_MATCH; } +/** + * \brief Do the content inspection & validation for a signature + * + * \param de_ctx Detection engine context + * \param det_ctx Detection engine thread context + * \param s Signature to inspect + * \param f Flow + * \param flags app layer flags + * \param state App layer state + * + * \retval 0 no match. + * \retval 1 match. + * \retval 2 Sig can't match. + */ +uint8_t DetectEngineInspectBufferSingle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, + const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, + void *alstate, void *txv, uint64_t tx_id) +{ + const int list_id = engine->sm_list; + SCLogDebug("running inspect on %d", list_id); + + const bool eof = + (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress); + + SCLogDebug("list %d mpm? %s transforms %p", engine->sm_list, engine->mpm ? "true" : "false", + engine->v2.transforms); + + /* if prefilter didn't already run, we need to consider transformations */ + const DetectEngineTransforms *transforms = NULL; + if (!engine->mpm) { + transforms = engine->v2.transforms; + } + + const InspectionBuffer *buffer = DetectGetSingleData( + det_ctx, transforms, f, flags, txv, list_id, engine->v2.GetDataSingle); + if (unlikely(buffer == NULL)) { + if (eof && engine->match_on_null) { + return DETECT_ENGINE_INSPECT_SIG_MATCH; + } + return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH : DETECT_ENGINE_INSPECT_SIG_NO_MATCH; + } + + const uint32_t data_len = buffer->inspect_len; + const uint8_t *data = buffer->inspect; + const uint64_t offset = buffer->inspect_offset; + + uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0; + ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0); + ci_flags |= buffer->flags; + + /* Inspect all the uricontents fetched on each + * transaction at the app layer */ + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, data, + data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { + return DETECT_ENGINE_INSPECT_SIG_MATCH; + } else { + return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH : DETECT_ENGINE_INSPECT_SIG_NO_MATCH; + } +} /** * \brief Do the content inspection & validation for a signature @@ -1995,12 +2086,29 @@ uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineTh void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority) { - AppLayerInspectEngineRegisterInternal( - name, alproto, dir, progress, DetectEngineInspectMultiBufferGeneric, NULL, GetData); + AppLayerInspectEngineRegisterInternal(name, alproto, dir, progress, + DetectEngineInspectMultiBufferGeneric, NULL, NULL, GetData); DetectAppLayerMpmMultiRegister( name, dir, priority, PrefilterMultiGenericMpmRegister, GetData, alproto, progress); } +InspectionBuffer *DetectGetSingleData(struct DetectEngineThreadCtx_ *det_ctx, + const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, + const int list_id, InspectionSingleBufferGetDataPtr GetBuf) +{ + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + if (buffer->inspect == NULL) { + const uint8_t *b = NULL; + uint32_t b_len = 0; + + if (!GetBuf(txv, flow_flags, &b, &b_len)) + return NULL; + + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); + } + return buffer; +} + InspectionBuffer *DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf) diff --git a/src/detect-engine.h b/src/detect-engine.h index 3a883289a8..557009fcfd 100644 --- a/src/detect-engine.h +++ b/src/detect-engine.h @@ -131,6 +131,13 @@ uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineTh const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id); +uint8_t DetectEngineInspectBufferSingle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, + const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, + void *alstate, void *txv, uint64_t tx_id); + +InspectionBuffer *DetectGetSingleData(struct DetectEngineThreadCtx_ *det_ctx, + const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, + const int list_id, InspectionSingleBufferGetDataPtr GetBuf); InspectionBuffer *DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf); @@ -156,6 +163,9 @@ int DetectEngineInspectPktBufferGeneric( void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback2, InspectionBufferGetDataPtr GetData); +void DetectAppLayerInspectEngineRegisterSingle(const char *name, AppProto alproto, uint32_t dir, + int progress, InspectEngineFuncPtr Callback2, InspectionSingleBufferGetDataPtr GetData); + void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority); diff --git a/src/detect-ftp-command-data.c b/src/detect-ftp-command-data.c index 7d84424f47..63b0fd21d7 100644 --- a/src/detect-ftp-command-data.c +++ b/src/detect-ftp-command-data.c @@ -62,7 +62,7 @@ static int DetectFtpCommandDataSetup(DetectEngineCtx *de_ctx, Signature *s, cons } static bool DetectFTPCommandDataGetData( - void *txv, const uint8_t _flow_flags, const uint8_t **buffer, uint32_t *buffer_len) + const void *txv, const uint8_t _flow_flags, const uint8_t **buffer, uint32_t *buffer_len) { FTPTransaction *tx = (FTPTransaction *)txv; @@ -86,14 +86,6 @@ static bool DetectFTPCommandDataGetData( return false; } -static InspectionBuffer *GetDataWrapper(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, - const int list_id) -{ - return DetectHelperGetData( - det_ctx, transforms, _f, _flow_flags, txv, list_id, DetectFTPCommandDataGetData); -} - void DetectFtpCommandDataRegister(void) { /* ftp.command sticky buffer */ @@ -105,7 +97,7 @@ void DetectFtpCommandDataRegister(void) sigmatch_table[DETECT_FTP_COMMAND_DATA].flags |= SIGMATCH_NOOPT; DetectHelperBufferMpmRegister( - BUFFER_NAME, BUFFER_NAME, ALPROTO_FTP, STREAM_TOSERVER, GetDataWrapper); + BUFFER_NAME, BUFFER_DESC, ALPROTO_FTP, STREAM_TOSERVER, DetectFTPCommandDataGetData); DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); diff --git a/src/detect-ftp-command.c b/src/detect-ftp-command.c index 479f632525..80940ae0d8 100644 --- a/src/detect-ftp-command.c +++ b/src/detect-ftp-command.c @@ -56,27 +56,22 @@ static int DetectFtpCommandSetup(DetectEngineCtx *de_ctx, Signature *s, const ch return 0; } -static InspectionBuffer *DetectFTPCommandGetData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool DetectFTPCommandGetData( + const void *txv, const uint8_t _flow_flags, const uint8_t **buffer, uint32_t *buffer_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - FTPTransaction *tx = (FTPTransaction *)txv; - - if (tx->command_descriptor.command_code == FTP_COMMAND_UNKNOWN) - return NULL; - - const char *b = NULL; - uint8_t b_len = 0; - if (SCGetFtpCommandInfo(tx->command_descriptor.command_index, &b, NULL, &b_len)) { - InspectionBufferSetupAndApplyTransforms( - det_ctx, list_id, buffer, (const uint8_t *)b, b_len, transforms); - } else { - return NULL; - } + FTPTransaction *tx = (FTPTransaction *)txv; + + if (tx->command_descriptor.command_code == FTP_COMMAND_UNKNOWN) + return false; + + uint8_t b_len = 0; + if (SCGetFtpCommandInfo( + tx->command_descriptor.command_index, (const char **)buffer, NULL, &b_len)) { + *buffer_len = b_len; + return true; + } else { + return false; } - return buffer; } void DetectFtpCommandRegister(void) diff --git a/src/detect-smtp.c b/src/detect-smtp.c index 756640dee8..890d616236 100644 --- a/src/detect-smtp.c +++ b/src/detect-smtp.c @@ -28,6 +28,7 @@ #include "detect-engine-buffer.h" #include "detect-engine-content-inspection.h" #include "detect-engine-helper.h" +#include "detect-engine-prefilter.h" #include "detect-parse.h" #include "app-layer-smtp.h" #include "rust.h" @@ -75,19 +76,15 @@ static int DetectSmtpMailFromSetup(DetectEngineCtx *de_ctx, Signature *s, const return 0; } -static InspectionBuffer *GetSmtpMailFromData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetSmtpMailFromData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - if (tx->mail_from == NULL || tx->mail_from_len == 0) - return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, tx->mail_from, tx->mail_from_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mail_from == NULL) + return false; + *data = tx->mail_from; + *data_len = tx->mail_from_len; + return true; } static int DetectSmtpRcptToSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) @@ -137,8 +134,12 @@ void SCDetectSMTPRegister(void) kw.Setup = DetectSmtpHeloSetup; kw.flags = SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; SCDetectHelperKeywordRegister(&kw); - g_smtp_helo_buffer_id = DetectHelperBufferMpmRegister( - "smtp.helo", "SMTP helo", ALPROTO_SMTP, STREAM_TOSERVER, GetSmtpHeloData); + DetectAppLayerInspectEngineRegister("smtp.helo", ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0, + DetectEngineInspectBufferGeneric, GetSmtpHeloData); + DetectAppLayerMpmRegister("smtp.helo", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, + GetSmtpHeloData, ALPROTO_SMTP, 0); + DetectBufferTypeSetDescriptionByName("smtp.helo", "SMTP helo"); + g_smtp_helo_buffer_id = DetectBufferTypeGetByName("smtp.helo"); kw.name = "smtp.mail_from"; kw.desc = "SMTP mail from buffer"; diff --git a/src/detect.h b/src/detect.h index 2d4ecb5d38..da613ff55e 100644 --- a/src/detect.h +++ b/src/detect.h @@ -401,6 +401,9 @@ typedef InspectionBuffer *(*InspectionBufferGetDataPtr)( Flow *f, const uint8_t flow_flags, void *txv, const int list_id); +typedef bool (*InspectionSingleBufferGetDataPtr)( + const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len); + typedef bool (*InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len); @@ -426,6 +429,7 @@ typedef struct DetectEngineAppInspectionEngine_ { struct { union { InspectionBufferGetDataPtr GetData; + InspectionSingleBufferGetDataPtr GetDataSingle; InspectionMultiBufferGetDataPtr GetMultiData; }; InspectEngineFuncPtr Callback; @@ -764,6 +768,7 @@ typedef struct DetectBufferMpmRegistry_ { struct { union { InspectionBufferGetDataPtr GetData; + InspectionSingleBufferGetDataPtr GetDataSingle; InspectionMultiBufferGetDataPtr GetMultiData; }; AppProto alproto;