1 /*
2  * VRT RULES
3  *
4  * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
5  * Copyright (C) 2005-2013 Sourcefire, Inc.
6  *
7  * This file is autogenerated via rules2c, by Brian Caswell <bmc@sourcefire.com>
8  */
9 
10 
11 #ifdef HAVE_CONFIG_H
12 #include "config.h"
13 #endif
14 
15 #include "sf_snort_plugin_api.h"
16 #include "sf_snort_packet.h"
17 
18 
19 /* declare detection functions */
20 int rule2313eval(void *p);
21 
22 /* declare rule data structures */
/* pre-compile the data that needs pre-compiling */
/*
 * content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|";
 *
 * The single content option for sid 2313.  The pattern is kept in Snort
 * content format (the "|..|" hex escapes are still literal characters in
 * the C string) and is "q|00 FB 00|{|00 AB 00|" repeated four times.
 * depth and offset are both 0 and the only flag is CONTENT_BUF_NORMALIZED,
 * so the match is run against the normalized buffer.  Every member after
 * flags is a holder that starts out 0/NULL; per the comments they are
 * filled in later (byte form, Boyer-Moore state, fast-pattern fields) --
 * presumably at rule registration, which is not visible in this file.
 */
static ContentInfo rule2313content0 =
{
    (u_int8_t *)("q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"), /* pattern (snort content format); points at a string literal, so it must only ever be read through */
    0, /* depth (0: no explicit depth given) */
    0, /* offset (0: no explicit offset given) */
    CONTENT_BUF_NORMALIZED, /* flags: search the normalized buffer */ // XXX - need to add CONTENT_FAST_PATTERN support
    NULL, /* holder for boyer/moore PTR (filled in later) */
    NULL, /* more holder info - byteform (decoded pattern bytes, filled in later) */
    0, /* byteform length */
    0, /* increment length*/
    0,                      /* holder for fp offset */
    0,                      /* holder for fp length */
    0,                      /* holder for fp only */
    NULL, // offset_refId
    NULL, // depth_refId
    NULL, // offset_location
    NULL  // depth_location
};
43 
/* Wraps rule2313content0 as the rule's only option; the union's first
 * member receives the ContentInfo pointer, tagged OPTION_TYPE_CONTENT. */
static RuleOption rule2313option0 = { OPTION_TYPE_CONTENT, { &rule2313content0 } };
49 
/* references for sid 2313: none, so the list is just its NULL terminator */
static RuleReference *rule2313refs[] = { NULL };
/* NULL-terminated option list for sid 2313, consumed by the engine and by
 * rule2313eval() below (which reads entry 0). */
RuleOption *rule2313options[] = { &rule2313option0, NULL };
60 
/*
 * Rule record for sid 2313 (gen 3, rev 2), classification
 * "shellcode-detect".  The detection-function member is left NULL (the
 * &rule2313eval alternative is commented out), so the engine's built-in
 * detection runs over rule2313options; rule2313eval() defined further
 * down is not referenced from this struct.  The trailing members are
 * runtime bookkeeping and start at 0/NULL.
 */
Rule rule2313 = {

   /* rule header, akin to => ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any */{
       IPPROTO_IP, /* proto (IPPROTO_IP; presumably the SO-rule encoding of an "ip" header, i.e. any transport -- confirm against the plugin API) */
       "$EXTERNAL_NET", /* SRCIP     (Snort variable, presumably resolved from the config at load) */
       "$SHELLCODE_PORTS", /* SRCPORT   (Snort variable) */
       1, /* DIRECTION (numeric encoding defined by the plugin API, not shown here) */
       "$HOME_NET", /* DSTIP     (Snort variable) */
       "any", /* DSTPORT   */
   },
   /* metadata */
   {
       3,  /* genid (HARDCODED!!!) */
       2313, /* sigid */
       2, /* revision */

       "shellcode-detect", /* classification */
       0,  /* hardcoded priority XXX NOT PROVIDED BY GRAMMAR YET! */
       "SHELLCODE x86 0x71FB7BAB NOOP unicode",     /* message */
       rule2313refs, /* ptr to references (empty list above) */
       NULL /* Meta data */
   },
   rule2313options, /* ptr to rule options (single content option) */
   NULL, // &rule2313eval, /* NULL here => use the built in detection function; rule2313eval below is not wired in */
   0, /* am I initialized yet? */
   0,                                  /* Rule option count, used internally */
   0,                                  /* Flag with no alert, used internally */
   NULL /* ptr to internal data... setup during rule registration */
};
90 
91 
92 /* detection functions */
/*
 * rule2313eval - hand-written detection path for sid 2313.
 *
 * p is the packet handle supplied by the engine.  Runs the rule's single
 * content option (rule2313options[0]) through contentMatch() against the
 * normalized buffer and yields RULE_MATCH on a positive result,
 * RULE_NOMATCH otherwise.  The Rule struct above leaves its detection
 * pointer NULL, so this function only runs if something registers it
 * explicitly.
 */
int rule2313eval(void *p) {
    /* cursor into the normalized buffer; contentMatch advances it on a hit */
    const u_int8_t *cursor_normal = NULL;

    /* content:"q|00 FB 00|{|00 AB 00|" x4 -- see rule2313content0 */
    return (contentMatch(p, rule2313options[0]->option_u.content, &cursor_normal) > 0)
               ? RULE_MATCH
               : RULE_NOMATCH;
}
105 
106