/** * \brief SMTP Filedata match -- searches for one pattern per signature. * * \param det_ctx Detection engine thread ctx. * \param buffer Buffer to inspect. * \param buffer_len buffer length. * \param flags Flags * * \retval ret Number of matches. */ static inline uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx, const uint8_t *buffer, const uint32_t buffer_len, const uint8_t flags) { SCEnter(); uint32_t ret = 0; DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_smtp_filedata_ctx_ts == NULL); if (buffer_len >= det_ctx->sgh->mpm_smtp_filedata_ctx_ts->minlen) { ret = mpm_table[det_ctx->sgh->mpm_smtp_filedata_ctx_ts->mpm_type]. Search(det_ctx->sgh->mpm_smtp_filedata_ctx_ts, &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len); } SCReturnUInt(ret); }
/** \brief Turn byte array into string. * * All non-printables are copied over, except for '\0', which is * turned into literal \0 in the string. * * \param bytes byte array * \param nbytes number of bytes * \param outstr[out] buffer to fill * \param outlen size of outstr. Must be at least 2 * nbytes + 1 in size */ void BytesToStringBuffer(const uint8_t *bytes, size_t nbytes, char *outstr, size_t outlen) { DEBUG_VALIDATE_BUG_ON(outlen < (nbytes * 2 + 1)); size_t n = nbytes + 1; size_t nulls = 0; size_t u; for (u = 0; u < nbytes; u++) { if (bytes[u] == '\0') nulls++; } n += nulls; char string[n]; if (nulls == 0) { /* no nulls */ memcpy(string, bytes, nbytes); string[nbytes] = '\0'; } else { /* nulls present */ char *dst = string; for (u = 0; u < nbytes; u++) { if (bytes[u] == '\0') { *dst++ = '\\'; *dst++ = '0'; } else { *dst++ = bytes[u]; } } *dst = '\0'; } strlcpy(outstr, string, outlen); }
/** * \brief Add five tuple from packet to JSON object * * \param p Packet * \param dir log direction (packet or flow) * \param js JSON object */ void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js) { char srcip[46] = {0}, dstip[46] = {0}; Port sp, dp; char proto[16]; switch (dir) { case LOG_DIR_PACKET: if (PKT_IS_IPV4(p)) { PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); } else if (PKT_IS_IPV6(p)) { PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); } else { /* Not an IP packet so don't do anything */ return; } sp = p->sp; dp = p->dp; break; case LOG_DIR_FLOW: case LOG_DIR_FLOW_TOSERVER: if ((PKT_IS_TOSERVER(p))) { if (PKT_IS_IPV4(p)) { PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); } else if (PKT_IS_IPV6(p)) { PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); } sp = p->sp; dp = p->dp; } else { if (PKT_IS_IPV4(p)) { PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip)); } else if (PKT_IS_IPV6(p)) { PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip)); } sp = p->dp; dp = p->sp; } break; case LOG_DIR_FLOW_TOCLIENT: if ((PKT_IS_TOCLIENT(p))) { if (PKT_IS_IPV4(p)) { PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); } else if (PKT_IS_IPV6(p)) { PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); } sp = p->sp; dp = p->dp; } else { if (PKT_IS_IPV4(p)) { PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip)); } else if (PKT_IS_IPV6(p)) { PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip)); } sp = p->dp; dp = p->sp; } break; default: DEBUG_VALIDATE_BUG_ON(1); return; } if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) { strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto)); } else { snprintf(proto, sizeof(proto), "%03" PRIu32, IP_GET_IPPROTO(p)); } json_object_set_new(js, "src_ip", json_string(srcip)); switch(p->proto) { case IPPROTO_ICMP: break; case IPPROTO_UDP: case IPPROTO_TCP: case IPPROTO_SCTP: json_object_set_new(js, "src_port", json_integer(sp)); break; } json_object_set_new(js, "dest_ip", json_string(dstip)); switch(p->proto) { case IPPROTO_ICMP: break; case IPPROTO_UDP: case IPPROTO_TCP: case IPPROTO_SCTP: json_object_set_new(js, "dest_port", json_integer(dp)); break; } json_object_set_new(js, "proto", json_string(proto)); }