aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/github_actions/actions/checkout-4.2.1
dependabot/github_actions/github/codeql-action-3.26.12
dependabot/github_actions/actions/upload-artifact-4.4.3
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '73ed780095'
${ noResults }
suricata/src/flow-var.c

205 lines
5.4 KiB
C
Raw Blame History

/* Copyright (C) 2007-2010 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
* \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
*
* Flow level variable support for complex detection rules
* Supported types atm are String and Integers
*/
#include "suricata-common.h"
#include "threads.h"
#include "flow-var.h"
#include "flow.h"
#include "detect.h"
#include "util-debug.h"
/* puts a new value into a flowvar */
static void FlowVarUpdateStr(FlowVar *fv, uint8_t *value, uint16_t size)
{
if (fv->data.fv_str.value)
SCFree(fv->data.fv_str.value);
fv->data.fv_str.value = value;
fv->data.fv_str.value_len = size;
}
/* puts a new value into a flowvar */
static void FlowVarUpdateInt(FlowVar *fv, uint32_t value)
{
fv->data.fv_int.value = value;
}
/** \brief get the flowvar with index 'idx' from the flow
* \note flow is not locked by this function, caller is
* responsible
*/
FlowVar *FlowVarGetByKey(Flow *f, const uint8_t *key, uint16_t keylen)
{
if (f == NULL)
return NULL;
GenericVar *gv = f->flowvar;
for ( ; gv != NULL; gv = gv->next) {
if (gv->type == DETECT_FLOWVAR && gv->idx == 0) {
FlowVar *fv = (FlowVar *)gv;
if (fv->keylen == keylen && memcmp(key, fv->key, keylen) == 0) {
return fv;
}
}
}
return NULL;
}
/** \brief get the flowvar with index 'idx' from the flow
* \note flow is not locked by this function, caller is
* responsible
*/
FlowVar *FlowVarGet(Flow *f, uint32_t idx)
{
if (f == NULL)
return NULL;
GenericVar *gv = f->flowvar;
for ( ; gv != NULL; gv = gv->next) {
if (gv->type == DETECT_FLOWVAR && gv->idx == idx)
return (FlowVar *)gv;
}
return NULL;
}
/* add a flowvar to the flow, or update it */
void FlowVarAddKeyValue(Flow *f, uint8_t *key, uint16_t keysize, uint8_t *value, uint16_t size)
{
FlowVar *fv = SCCalloc(1, sizeof(FlowVar));
if (unlikely(fv == NULL))
return;
fv->type = DETECT_FLOWVAR;
fv->datatype = FLOWVAR_TYPE_STR;
fv->idx = 0;
fv->data.fv_str.value = value;
fv->data.fv_str.value_len = size;
fv->key = key;
fv->keylen = keysize;
fv->next = NULL;
GenericVarAppend(&f->flowvar, (GenericVar *)fv);
}
/* add a flowvar to the flow, or update it */
void FlowVarAddIdValue(Flow *f, uint32_t idx, uint8_t *value, uint16_t size)
{
FlowVar *fv = FlowVarGet(f, idx);
if (fv == NULL) {
fv = SCCalloc(1, sizeof(FlowVar));
if (unlikely(fv == NULL))
return;
fv->type = DETECT_FLOWVAR;
fv->datatype = FLOWVAR_TYPE_STR;
fv->idx = idx;
fv->data.fv_str.value = value;
fv->data.fv_str.value_len = size;
fv->next = NULL;
GenericVarAppend(&f->flowvar, (GenericVar *)fv);
} else {
FlowVarUpdateStr(fv, value, size);
}
}
/* add a flowvar to the flow, or update it */
void FlowVarAddIntNoLock(Flow *f, uint32_t idx, uint32_t value)
{
FlowVar *fv = FlowVarGet(f, idx);
if (fv == NULL) {
fv = SCMalloc(sizeof(FlowVar));
if (unlikely(fv == NULL))
return;
fv->type = DETECT_FLOWVAR;
fv->datatype = FLOWVAR_TYPE_INT;
fv->idx = idx;
fv->data.fv_int.value= value;
fv->next = NULL;
GenericVarAppend(&f->flowvar, (GenericVar *)fv);
} else {
FlowVarUpdateInt(fv, value);
}
}
/* add a flowvar to the flow, or update it */
void FlowVarAddInt(Flow *f, uint32_t idx, uint32_t value)
{
FlowVarAddIntNoLock(f, idx, value);
}
void FlowVarFree(FlowVar *fv)
{
if (fv == NULL)
return;
if (fv->datatype == FLOWVAR_TYPE_STR) {
if (fv->data.fv_str.value != NULL)
SCFree(fv->data.fv_str.value);
}
SCFree(fv);
}
void FlowVarPrint(GenericVar *gv)
{
uint16_t u;
if (!SCLogDebugEnabled())
return;
if (gv == NULL)
return;
if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
FlowVar *fv = (FlowVar *)gv;
if (fv->datatype == FLOWVAR_TYPE_STR) {
SCLogDebug("Name idx \"%" PRIu32 "\", Value \"", fv->idx);
for (u = 0; u < fv->data.fv_str.value_len; u++) {
if (isprint(fv->data.fv_str.value[u]))
SCLogDebug("%c", fv->data.fv_str.value[u]);
else
SCLogDebug("\\%02X", fv->data.fv_str.value[u]);
}
SCLogDebug("\", Len \"%" PRIu16 "\"\n", fv->data.fv_str.value_len);
} else if (fv->datatype == FLOWVAR_TYPE_INT) {
SCLogDebug("Name idx \"%" PRIu32 "\", Value \"%" PRIu32 "\"", fv->idx,
fv->data.fv_int.value);
} else {
SCLogDebug("Unknown data type at flowvars\n");
}
}
FlowVarPrint(gv->next);
}
Reference in New Issue View Git Blame Copy Permalink