/** * \internal * \brief Apply the nocase keyword to the last pattern match, either content or uricontent * \param det_ctx detection engine ctx * \param s signature * \param nullstr should be null * \retval 0 ok * \retval -1 failure */ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nullstr) { SCEnter(); SigMatch *pm = NULL; int ret = -1; if (nullstr != NULL) { SCLogError(SC_ERR_INVALID_VALUE, "nocase has value"); goto end; } /* retrive the sm to apply the depth against */ if (s->list != DETECT_SM_LIST_NOTSET) { pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]); } else { pm = SigMatchGetLastSMFromLists(s, 28, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_FILEDATA], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); } if (pm == NULL) { SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "nocase needs " "preceding content, uricontent option, http_client_body, " "http_server_body, http_header option, http_raw_header option, " "http_method option, http_cookie, http_raw_uri, " "http_stat_msg, http_stat_code, http_user_agent or " "file_data/dce_stub_data sticky buffer options"); goto end; } /* verify other conditions. */ DetectContentData *cd = (DetectContentData *)pm->ctx;; if (cd->flags & DETECT_CONTENT_NOCASE) { SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple nocase modifiers with the same content"); goto end; } cd->flags |= DETECT_CONTENT_NOCASE; /* Recreate the context with nocase chars */ BoyerMooreCtxToNocase(cd->bm_ctx, cd->content, cd->content_len); ret = 0; end: SCReturnInt(ret); }
/** * \brief Parse the filename keyword * * \param idstr Pointer to the user provided option * * \retval filename pointer to DetectFilenameData on success * \retval NULL on failure */ static DetectFilenameData *DetectFilenameParse (char *str) { DetectFilenameData *filename = NULL; /* We have a correct filename option */ filename = SCMalloc(sizeof(DetectFilenameData)); if (unlikely(filename == NULL)) goto error; memset(filename, 0x00, sizeof(DetectFilenameData)); if (DetectParseContentString (str, &filename->name, &filename->len, &filename->flags) == -1) { goto error; } filename->bm_ctx = BoyerMooreCtxInit(filename->name, filename->len); if (filename->bm_ctx == NULL) { goto error; } SCLogDebug("flags %02X", filename->flags); if (filename->flags & DETECT_CONTENT_NEGATED) { SCLogDebug("negated filename"); } BoyerMooreCtxToNocase(filename->bm_ctx, filename->name, filename->len); #ifdef DEBUG if (SCLogDebugEnabled()) { char *name = SCMalloc(filename->len + 1); if (name != NULL) { memcpy(name, filename->name, filename->len); name[filename->len] = '\0'; SCLogDebug("will look for filename %s", name); } } #endif return filename; error: if (filename != NULL) DetectFilenameFree(filename); return NULL; }