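/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \brief Data structure, flag bits and prototypes for the "content" keyword.
 *
 * \author Victor Julien <victor@inliniac.net>
 */

/* NOTE(review): identifiers starting with a double underscore are reserved
 * for the implementation; renaming the guard is a project-wide decision, so
 * it is left as is here. */
#ifndef __DETECT_CONTENT_H__
#define __DETECT_CONTENT_H__

/* Flags affecting this content.
 * BIT_U32() is expected to come from a project utility header that is
 * included before this one (not visible in this file). */

/** match case-insensitively */
#define DETECT_CONTENT_NOCASE                   BIT_U32(0)
/** a 'distance' limit is set (see DetectContentData::distance) */
#define DETECT_CONTENT_DISTANCE                 BIT_U32(1)
/** a 'within' limit is set (see DetectContentData::within) */
#define DETECT_CONTENT_WITHIN                   BIT_U32(2)
/** an 'offset' limit is set (see DetectContentData::offset) */
#define DETECT_CONTENT_OFFSET                   BIT_U32(3)
/** a 'depth' limit is set (see DetectContentData::depth) */
#define DETECT_CONTENT_DEPTH                    BIT_U32(4)
/** user forced this content to be the fast pattern */
#define DETECT_CONTENT_FAST_PATTERN             BIT_U32(5)
#define DETECT_CONTENT_FAST_PATTERN_ONLY        BIT_U32(6)
/** only a sub-slice of the content is used for the MPM
 *  (see DetectContentData::fp_chop_offset / fp_chop_len) */
#define DETECT_CONTENT_FAST_PATTERN_CHOP        BIT_U32(7)
/** content applies to a "raw"/undecoded field if applicable */
#define DETECT_CONTENT_RAWBYTES                 BIT_U32(8)
/** content is negated */
#define DETECT_CONTENT_NEGATED                  BIT_U32(9)

#define DETECT_CONTENT_ENDS_WITH                BIT_U32(10)

/* BE - byte extract: the corresponding limit is taken from a byte-extract
 * variable instead of a literal value (resolution happens in the .c file,
 * not visible here). */
#define DETECT_CONTENT_OFFSET_VAR               BIT_U32(11)
#define DETECT_CONTENT_DEPTH_VAR                BIT_U32(12)
#define DETECT_CONTENT_DISTANCE_VAR             BIT_U32(13)
#define DETECT_CONTENT_WITHIN_VAR               BIT_U32(14)

/* replace data (see DetectContentData::replace) */
#define DETECT_CONTENT_REPLACE                  BIT_U32(15)
/* this flag is set during the staging phase. It indicates that a content
 * has been added to the mpm phase and requires no further inspection inside
 * the inspection phase */
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED BIT_U32(16)

/** the next content in the signature is 'within' relative to this one */
#define DETECT_CONTENT_WITHIN_NEXT              BIT_U32(17)
/** the next content in the signature is 'distance' relative to this one */
#define DETECT_CONTENT_DISTANCE_NEXT            BIT_U32(18)
#define DETECT_CONTENT_STARTS_WITH              BIT_U32(19)
/** MPM pattern selected by the engine or forced by fast_pattern keyword */
#define DETECT_CONTENT_MPM                      BIT_U32(20)

/** a relative match to this content is next, used in matching phase */
#define DETECT_CONTENT_RELATIVE_NEXT (DETECT_CONTENT_WITHIN_NEXT|DETECT_CONTENT_DISTANCE_NEXT)

/** true when the content carries no positional modifiers at all, i.e. it is
 *  neither relative to a previous match nor has a following relative match,
 *  and has no depth/offset. */
#define DETECT_CONTENT_IS_SINGLE(c) (!( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
                                        ((c)->flags & DETECT_CONTENT_WITHIN) || \
                                        ((c)->flags & DETECT_CONTENT_RELATIVE_NEXT) || \
                                        ((c)->flags & DETECT_CONTENT_DEPTH) || \
                                        ((c)->flags & DETECT_CONTENT_OFFSET) ))

/* if a pattern has no depth/offset limits, no relative specifiers and isn't
 * chopped for the mpm, we can take the mpm and consider this pattern a match
 * w/o further inspection. Warning: this may still mean other patterns depend
 * on this pattern that force match validation anyway.
 *
 * The whole expansion is parenthesized, like DETECT_CONTENT_IS_SINGLE, so the
 * macro is safe to embed in any larger expression. */
#define DETECT_CONTENT_MPM_IS_CONCLUSIVE(c) \
    (!( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
        ((c)->flags & DETECT_CONTENT_WITHIN) || \
        ((c)->flags & DETECT_CONTENT_DEPTH) || \
        ((c)->flags & DETECT_CONTENT_OFFSET) || \
        ((c)->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) ))


#include "util-spm.h"

/**
 * \brief Per-keyword data for one "content" pattern and its modifiers.
 *
 * All lengths are 16-bit, so a pattern (and its replacement) can be at most
 * UINT16_MAX bytes. The parser that fills content_len/replace_len hands back
 * a uint16_t length (see DetectContentDataParse) and therefore has to reject
 * anything longer before it gets here.
 */
typedef struct DetectContentData_ {
    /** length-delimited pattern bytes; not a NUL-terminated C string */
    uint8_t *content;
    /** number of bytes in 'content' */
    uint16_t content_len;
    /** number of bytes in 'replace' */
    uint16_t replace_len;
    /* for chopped fast pattern, the length */
    uint16_t fp_chop_len;
    /* for chopped fast pattern, the offset */
    uint16_t fp_chop_offset;
    /* would want to move PatIntId here and flags down to remove the padding
     * gap, but I think the first four members was used as a template for
     * casting. \todo check this and fix it if possible */
    /** DETECT_CONTENT_* bits */
    uint32_t flags;
    /** pattern id; the highest id in use is reported by DetectContentMaxId() */
    PatIntId id;
    /** 'depth' value, valid when DETECT_CONTENT_DEPTH is set */
    uint16_t depth;
    /** 'offset' value, valid when DETECT_CONTENT_OFFSET is set */
    uint16_t offset;
    /* NOTE(review): distance/within are signed while depth/offset are not;
     * presumably negative relative values are permitted — confirm in the .c */
    /** 'distance' value, valid when DETECT_CONTENT_DISTANCE is set */
    int32_t distance;
    /** 'within' value, valid when DETECT_CONTENT_WITHIN is set */
    int32_t within;
    /* SPM search context. */
    SpmCtx *spm_ctx;
    /* pointer to replacement data */
    uint8_t *replace;
} DetectContentData;

/* prototypes */

/** \brief register the "content" keyword with the detection engine */
void DetectContentRegister (void);
/** \brief highest content pattern id in use for this engine context */
uint32_t DetectContentMaxId(DetectEngineCtx *);
/**
 * \brief parse a content string into a newly allocated DetectContentData
 * \retval pointer to the new object, or NULL on error (presumably; check the .c)
 */
DetectContentData *DetectContentParse(SpmGlobalThreadCtx *spm_global_thread_ctx,
                                      const char *contentstr);
/**
 * \brief decode the textual content string into raw bytes
 *
 * \param keyword    name of the keyword being parsed (used for diagnostics)
 * \param contentstr the content string from the rule
 * \param pstr       receives the decoded bytes
 * \param plen       receives the decoded length; being uint16_t it caps the
 *                   pattern size, so longer input has to be rejected here
 * \retval 0 on success, negative on error (presumably; check the .c)
 *
 * NOTE(review): ownership of *pstr (who frees it) is not stated here — confirm
 * against the callers in detect-content.c.
 */
int DetectContentDataParse(const char *keyword, const char *contentstr,
                           uint8_t **pstr, uint16_t *plen);
/** \brief like DetectContentParse, but the string is still enclosed in quotes */
DetectContentData *DetectContentParseEncloseQuotes(SpmGlobalThreadCtx *spm_global_thread_ctx,
                                                   const char *contentstr);

/** \brief keyword setup callback: attach a content match to signature 's' */
int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr);
/** \brief debug print of a content object */
void DetectContentPrint(DetectContentData *);

/** \brief keyword free callback; the void pointer is a DetectContentData */
void DetectContentFree(DetectEngineCtx *, void *);
/** \brief validation callback for content matches in the payload match list */
bool DetectContentPMATCHValidateCallback(const Signature *s);
/** \brief propagate depth/offset/within/distance limits across the content
 *  chain of a signature */
void DetectContentPropagateLimits(Signature *s);

#endif /* __DETECT_CONTENT_H__ */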