/** * \brief match the specified file extension * * \param t thread local vars * \param det_ctx pattern matcher thread local data * \param f *LOCKED* flow * \param flags direction flags * \param file file being inspected * \param s signature being inspected * \param m sigmatch that we will cast into DetectFileextData * * \retval 0 no match * \retval 1 match */ static int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m) { SCEnter(); int ret = 0; DetectFileextData *fileext = (DetectFileextData *)m; if (file->name == NULL) SCReturnInt(0); if (file->name_len <= fileext->len) SCReturnInt(0); int offset = file->name_len - fileext->len; /* fileext->ext is already in lowercase, as SCMemcmpLowercase requires */ if (file->name[offset - 1] == '.' && SCMemcmpLowercase(fileext->ext, file->name + offset, fileext->len) == 0) { if (!(fileext->flags & DETECT_CONTENT_NEGATED)) { ret = 1; SCLogDebug("File ext found"); } } if (ret == 0 && (fileext->flags & DETECT_CONTENT_NEGATED)) { SCLogDebug("negated match"); ret = 1; } SCReturnInt(ret); }
static int MemcmpTest13 (void) { uint8_t a[] = "abcdefgh"; uint8_t b[] = "AbCdEfGhIjK"; if (SCMemcmpLowercase(a, b, sizeof(a)-1) != 0) return 0; return 1; }
static int MemcmpTest18 (void) { struct MemcmpTest18Tests *t = memcmp_tests18_tests; while (t && t->a != NULL) { if (SCMemcmpLowercase(t->a, t->b, strlen(t->a)-1) != t->result) return 0; SCLogInfo("ok"); t++; } return 1; }
/** * \brief This function is called to determine and set which command is being * transfered to the ftp server * \param ftp_state the ftp state structure for the parser * \param input input line of the command * \param len of the command * * \retval 1 when the command is parsed, 0 otherwise */ static int FTPParseRequestCommand(void *ftp_state, uint8_t *input, uint32_t input_len) { SCEnter(); FtpState *fstate = (FtpState *)ftp_state; if (input_len >= 4) { if (SCMemcmpLowercase("port", input, 4) == 0) { fstate->command = FTP_COMMAND_PORT; } /* else { * Add the ftp commands you need here * } */ } return 1; }
static int MemcmpTest17 (void) { #ifdef PROFILING uint64_t ticks_start = 0; uint64_t ticks_end = 0; char *a[] = { "0123456789012345", "abc", "abcdefghij", "suricata", "test", "xyz", "rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr", "abcdefghijklmnopqrstuvwxyz", NULL }; char *b[] = { "1234567890123456", "abc", "abcdefghik", "suricatb", "test", "xyz", "rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr", "abcdefghijklmnopqrstuvwxyz", NULL }; int t = 0; int i, j; int r4 = 0; printf("\n"); ticks_start = UtilCpuGetTicks(); for (t = 0; t < TEST_RUNS; t++) { for (i = 0; a[i] != NULL; i++) { // printf("a[%d] = %s\n", i, a[i]); size_t alen = strlen(a[i]) - 1; for (j = 0; b[j] != NULL; j++) { // printf("b[%d] = %s\n", j, b[j]); size_t blen = strlen(b[j]) - 1; r4 += SCMemcmpLowercase((uint8_t *)a[i], (uint8_t *)b[j], (alen < blen) ? alen : blen); } } } ticks_end = UtilCpuGetTicks(); printf("SCMemcmpLowercase(%d) \t\t%"PRIu64"\n", TEST_RUNS, ((uint64_t)(ticks_end - ticks_start))/TEST_RUNS); SCLogInfo("ticks passed %"PRIu64, ticks_end - ticks_start); printf("r4 %d\n", r4); if (r4 != (51 * TEST_RUNS)) return 0; #endif return 1; }
static void LogFilestoreMetaGetReferer(FILE *fp, Packet *p, File *ff) { HtpState *htp_state = (HtpState *)p->flow->alstate; if (htp_state != NULL) { htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, ff->txid); if (tx != NULL) { table_t *headers; headers = tx->request_headers; htp_header_t *h = NULL; table_iterator_reset(headers); while (table_iterator_next(headers, (void **)&h) != NULL) { if (bstr_len(h->name) >= 7 && SCMemcmpLowercase((uint8_t *)"referer", (uint8_t *)bstr_ptr(h->name), bstr_len(h->name)) == 0) { PrintRawUriFp(fp, (uint8_t *)bstr_ptr(h->value), bstr_len(h->value)); return; } } } } fprintf(fp, "<unknown>"); }
/** * \brief Figured out the FP and their respective content ids for all the * sigs in the engine. * * \param de_ctx Detection engine context. * * \retval 0 On success. * \retval -1 On failure. */ int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx) { uint32_t struct_total_size = 0; uint32_t content_total_size = 0; Signature *s = NULL; /* Count the amount of memory needed to store all the structures * and the content of those structures. This will over estimate the * true size, since duplicates are removed below, but counted here. */ for (s = de_ctx->sig_list; s != NULL; s = s->next) { RetrieveFPForSig(s); if (s->mpm_sm != NULL) { DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx; struct_total_size += sizeof(DetectFPAndItsId); content_total_size += cd->content_len; } } /* array hash buffer - i've run out of ideas to name it */ uint8_t *ahb = SCMalloc(sizeof(uint8_t) * (struct_total_size + content_total_size)); if (unlikely(ahb == NULL)) return -1; uint8_t *content = NULL; uint8_t content_len = 0; PatIntId max_id = 0; DetectFPAndItsId *struct_offset = (DetectFPAndItsId *)ahb; uint8_t *content_offset = ahb + struct_total_size; for (s = de_ctx->sig_list; s != NULL; s = s->next) { if (s->mpm_sm != NULL) { int sm_list = SigMatchListSMBelongsTo(s, s->mpm_sm); BUG_ON(sm_list == -1); DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx; DetectFPAndItsId *dup = (DetectFPAndItsId *)ahb; if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) { content = cd->content + cd->fp_chop_offset; content_len = cd->fp_chop_len; } else { content = cd->content; content_len = cd->content_len; } uint32_t flags = cd->flags & DETECT_CONTENT_NOCASE; /* Check for content already found on the same list */ for (; dup != struct_offset; dup++) { if (dup->content_len != content_len) continue; if (dup->sm_list != sm_list) continue; if (dup->flags != flags) continue; /* Check for pattern matching a duplicate. Use case insensitive matching * for case insensitive patterns. */ if (flags & DETECT_CONTENT_NOCASE) { if (SCMemcmpLowercase(dup->content, content, content_len) != 0) continue; } else { /* Case sensitive matching */ if (SCMemcmp(dup->content, content, content_len) != 0) continue; } /* Found a match with a previous pattern. */ break; } if (dup != struct_offset) { /* Exited for-loop before the end, so found an existing match. * Use its ID. */ cd->id = dup->id; continue; } /* Not found, so new content. Give it a new ID and add it * to the array. Copy the content at the end of the * content array. */ struct_offset->id = max_id++; cd->id = struct_offset->id; struct_offset->content_len = content_len; struct_offset->sm_list = sm_list; struct_offset->content = content_offset; struct_offset->flags = flags; content_offset += content_len; if (flags & DETECT_CONTENT_NOCASE) { /* Need to store case-insensitive patterns as lower case * because SCMemcmpLowercase() above assumes that all * patterns are stored lower case so that it doesn't * need to relower its first argument. */ memcpy_tolower(struct_offset->content, content, content_len); } else { memcpy(struct_offset->content, content, content_len); } struct_offset++; } /* if (s->mpm_sm != NULL) */ } /* for */ de_ctx->max_fp_id = max_id; SCFree(ahb); return 0; }