/**
* \brief match the specified file extension
*
* \param t thread local vars
* \param det_ctx pattern matcher thread local data
* \param f *LOCKED* flow
* \param flags direction flags
* \param file file being inspected
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectFileextData
*
* \retval 0 no match
* \retval 1 match
*/
static int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
{
SCEnter();
int ret = 0;
DetectFileextData *fileext = (DetectFileextData *)m;
if (file->name == NULL)
SCReturnInt(0);
if (file->name_len <= fileext->len)
SCReturnInt(0);
int offset = file->name_len - fileext->len;
/* fileext->ext is already in lowercase, as SCMemcmpLowercase requires */
if (file->name[offset - 1] == '.' &&
SCMemcmpLowercase(fileext->ext, file->name + offset, fileext->len) == 0)
{
if (!(fileext->flags & DETECT_CONTENT_NEGATED)) {
ret = 1;
SCLogDebug("File ext found");
}
}
if (ret == 0 && (fileext->flags & DETECT_CONTENT_NEGATED)) {
SCLogDebug("negated match");
ret = 1;
}
SCReturnInt(ret);
}
static int MemcmpTest13 (void) {
uint8_t a[] = "abcdefgh";
uint8_t b[] = "AbCdEfGhIjK";
if (SCMemcmpLowercase(a, b, sizeof(a)-1) != 0)
return 0;
return 1;
}
static int MemcmpTest18 (void)
{
struct MemcmpTest18Tests *t = memcmp_tests18_tests;
while (t && t->a != NULL) {
if (SCMemcmpLowercase(t->a, t->b, strlen(t->a)-1) != t->result)
return 0;
SCLogInfo("ok");
t++;
}
return 1;
}
/**
* \brief This function is called to determine and set which command is being
* transfered to the ftp server
* \param ftp_state the ftp state structure for the parser
* \param input input line of the command
* \param len of the command
*
* \retval 1 when the command is parsed, 0 otherwise
*/
static int FTPParseRequestCommand(void *ftp_state, uint8_t *input,
uint32_t input_len) {
SCEnter();
FtpState *fstate = (FtpState *)ftp_state;
if (input_len >= 4) {
if (SCMemcmpLowercase("port", input, 4) == 0) {
fstate->command = FTP_COMMAND_PORT;
}
/* else {
* Add the ftp commands you need here
* }
*/
}
return 1;
}
static int MemcmpTest17 (void)
{
#ifdef PROFILING
uint64_t ticks_start = 0;
uint64_t ticks_end = 0;
char *a[] = { "0123456789012345", "abc", "abcdefghij", "suricata", "test", "xyz", "rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr", "abcdefghijklmnopqrstuvwxyz", NULL };
char *b[] = { "1234567890123456", "abc", "abcdefghik", "suricatb", "test", "xyz", "rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr", "abcdefghijklmnopqrstuvwxyz", NULL };
int t = 0;
int i, j;
int r4 = 0;
printf("\n");
ticks_start = UtilCpuGetTicks();
for (t = 0; t < TEST_RUNS; t++) {
for (i = 0; a[i] != NULL; i++) {
// printf("a[%d] = %s\n", i, a[i]);
size_t alen = strlen(a[i]) - 1;
for (j = 0; b[j] != NULL; j++) {
// printf("b[%d] = %s\n", j, b[j]);
size_t blen = strlen(b[j]) - 1;
r4 += SCMemcmpLowercase((uint8_t *)a[i], (uint8_t *)b[j], (alen < blen) ? alen : blen);
}
}
}
ticks_end = UtilCpuGetTicks();
printf("SCMemcmpLowercase(%d) \t\t%"PRIu64"\n", TEST_RUNS, ((uint64_t)(ticks_end - ticks_start))/TEST_RUNS);
SCLogInfo("ticks passed %"PRIu64, ticks_end - ticks_start);
printf("r4 %d\n", r4);
if (r4 != (51 * TEST_RUNS))
return 0;
#endif
return 1;
}
static void LogFilestoreMetaGetReferer(FILE *fp, Packet *p, File *ff) {
HtpState *htp_state = (HtpState *)p->flow->alstate;
if (htp_state != NULL) {
htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, ff->txid);
if (tx != NULL) {
table_t *headers;
headers = tx->request_headers;
htp_header_t *h = NULL;
table_iterator_reset(headers);
while (table_iterator_next(headers, (void **)&h) != NULL) {
if (bstr_len(h->name) >= 7 &&
SCMemcmpLowercase((uint8_t *)"referer", (uint8_t *)bstr_ptr(h->name), bstr_len(h->name)) == 0) {
PrintRawUriFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
}
}
}
fprintf(fp, "<unknown>");
}
/**
* \brief Figured out the FP and their respective content ids for all the
* sigs in the engine.
*
* \param de_ctx Detection engine context.
*
* \retval 0 On success.
* \retval -1 On failure.
*/
int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx)
{
uint32_t struct_total_size = 0;
uint32_t content_total_size = 0;
Signature *s = NULL;
/* Count the amount of memory needed to store all the structures
* and the content of those structures. This will over estimate the
* true size, since duplicates are removed below, but counted here.
*/
for (s = de_ctx->sig_list; s != NULL; s = s->next) {
RetrieveFPForSig(s);
if (s->mpm_sm != NULL) {
DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
struct_total_size += sizeof(DetectFPAndItsId);
content_total_size += cd->content_len;
}
}
/* array hash buffer - i've run out of ideas to name it */
uint8_t *ahb = SCMalloc(sizeof(uint8_t) * (struct_total_size + content_total_size));
if (unlikely(ahb == NULL))
return -1;
uint8_t *content = NULL;
uint8_t content_len = 0;
PatIntId max_id = 0;
DetectFPAndItsId *struct_offset = (DetectFPAndItsId *)ahb;
uint8_t *content_offset = ahb + struct_total_size;
for (s = de_ctx->sig_list; s != NULL; s = s->next) {
if (s->mpm_sm != NULL) {
int sm_list = SigMatchListSMBelongsTo(s, s->mpm_sm);
BUG_ON(sm_list == -1);
DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
DetectFPAndItsId *dup = (DetectFPAndItsId *)ahb;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
content = cd->content + cd->fp_chop_offset;
content_len = cd->fp_chop_len;
} else {
content = cd->content;
content_len = cd->content_len;
}
uint32_t flags = cd->flags & DETECT_CONTENT_NOCASE;
/* Check for content already found on the same list */
for (; dup != struct_offset; dup++) {
if (dup->content_len != content_len)
continue;
if (dup->sm_list != sm_list)
continue;
if (dup->flags != flags)
continue;
/* Check for pattern matching a duplicate. Use case insensitive matching
* for case insensitive patterns. */
if (flags & DETECT_CONTENT_NOCASE) {
if (SCMemcmpLowercase(dup->content, content, content_len) != 0)
continue;
} else {
/* Case sensitive matching */
if (SCMemcmp(dup->content, content, content_len) != 0)
continue;
}
/* Found a match with a previous pattern. */
break;
}
if (dup != struct_offset) {
/* Exited for-loop before the end, so found an existing match.
* Use its ID. */
cd->id = dup->id;
continue;
}
/* Not found, so new content. Give it a new ID and add it
* to the array. Copy the content at the end of the
* content array.
*/
struct_offset->id = max_id++;
cd->id = struct_offset->id;
struct_offset->content_len = content_len;
struct_offset->sm_list = sm_list;
struct_offset->content = content_offset;
struct_offset->flags = flags;
content_offset += content_len;
if (flags & DETECT_CONTENT_NOCASE) {
/* Need to store case-insensitive patterns as lower case
* because SCMemcmpLowercase() above assumes that all
* patterns are stored lower case so that it doesn't
* need to relower its first argument.
*/
memcpy_tolower(struct_offset->content, content, content_len);
} else {
memcpy(struct_offset->content, content, content_len);
}
struct_offset++;
} /* if (s->mpm_sm != NULL) */
} /* for */
de_ctx->max_fp_id = max_id;
SCFree(ahb);
return 0;
}
