/src/suricata7/src/detect-rawbytes.c

Source (jump to first uncovered line)
/* Copyright (C) 2007-2018 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 *
 * Implements rawbytes keyword support
 *
 * \todo Provide un-normalized telnet dce/rpc buffers to match on
 */

#include "suricata-common.h"

#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-rawbytes.h"
#include "detect-engine.h"

#include "detect-content.h"
#include "detect-pcre.h"

#include "util-debug.h"

static int DetectRawbytesSetup(DetectEngineCtx *, Signature *, const char *);

void DetectRawbytesRegister(void)
{
    sigmatch_table[DETECT_RAWBYTES].name = "rawbytes";
    sigmatch_table[DETECT_RAWBYTES].desc =
            "dummy keyword to be compatible with snort signatures without effect";
    sigmatch_table[DETECT_RAWBYTES].url = "/rules/payload-keywords.html#rawbytes";
    sigmatch_table[DETECT_RAWBYTES].Setup = DetectRawbytesSetup;
    sigmatch_table[DETECT_RAWBYTES].flags |= SIGMATCH_NOOPT;
}

static int DetectRawbytesSetup(DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
{
    SCEnter();

    if (nullstr != NULL) {
        SCLogError("rawbytes has no value");
        SCReturnInt(-1);
    }

    if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
        SCLogError("\"rawbytes\" cannot be combined "
                   "with the \"%s\" sticky buffer",
                DetectEngineBufferTypeGetNameById(de_ctx, s->init_data->list));
        SCReturnInt(-1);
    }

    SigMatch *pm = DetectGetLastSMByListId(s, DETECT_SM_LIST_PMATCH, DETECT_CONTENT, -1);
    if (pm == NULL) {
        SCLogError("\"rawbytes\" needs a preceding content option");
        SCReturnInt(-1);
    }

    switch (pm->type) {
        case DETECT_CONTENT: {
            DetectContentData *cd = (DetectContentData *)pm->ctx;
            if (cd->flags & DETECT_CONTENT_RAWBYTES) {
                SCLogError("can't use multiple rawbytes modifiers for the same content. ");
                SCReturnInt(-1);
            }
            cd->flags |= DETECT_CONTENT_RAWBYTES;
            break;
        }
        default:
            SCLogError("\"rawbytes\" needs a preceding content option");
            SCReturnInt(-1);
    }

    SCReturnInt(0);
}

Line	Count	Source (jump to first uncovered line)
1		/* Copyright (C) 2007-2018 Open Information Security Foundation
2		*
3		* You can copy, redistribute or modify this Program under the terms of
4		* the GNU General Public License version 2 as published by the Free
5		* Software Foundation.
6		*
7		* This program is distributed in the hope that it will be useful,
8		* but WITHOUT ANY WARRANTY; without even the implied warranty of
9		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10		* GNU General Public License for more details.
11		*
12		* You should have received a copy of the GNU General Public License
13		* version 2 along with this program; if not, write to the Free Software
14		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15		* 02110-1301, USA.
16		*/
17
18		/**
19		* \file
20		*
21		* \author Victor Julien <victor@inliniac.net>
22		*
23		* Implements rawbytes keyword support
24		*
25		* \todo Provide un-normalized telnet dce/rpc buffers to match on
26		*/
27
28		#include "suricata-common.h"
29
30		#include "decode.h"
31		#include "detect.h"
32		#include "detect-parse.h"
33		#include "detect-rawbytes.h"
34		#include "detect-engine.h"
35
36		#include "detect-content.h"
37		#include "detect-pcre.h"
38
39		#include "util-debug.h"
40
41		static int DetectRawbytesSetup(DetectEngineCtx , Signature , const char *);
42
43		void DetectRawbytesRegister(void)
44	73	{
45	73	sigmatch_table[DETECT_RAWBYTES].name = "rawbytes";
46	73	sigmatch_table[DETECT_RAWBYTES].desc =
47	73	"dummy keyword to be compatible with snort signatures without effect";
48	73	sigmatch_table[DETECT_RAWBYTES].url = "/rules/payload-keywords.html#rawbytes";
49	73	sigmatch_table[DETECT_RAWBYTES].Setup = DetectRawbytesSetup;
50	73	sigmatch_table[DETECT_RAWBYTES].flags \|= SIGMATCH_NOOPT;
51	73	}
52
53		static int DetectRawbytesSetup(DetectEngineCtx de_ctx, Signature s, const char *nullstr)
54	6.20k	{
55	6.20k	SCEnter();
56
57	6.20k	if (nullstr != NULL) {
58	0	SCLogError("rawbytes has no value");
59	0	SCReturnInt(-1);
60	0	}
61
62	6.20k	if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
63	162	SCLogError("\"rawbytes\" cannot be combined "
64	162	"with the \"%s\" sticky buffer",
65	162	DetectEngineBufferTypeGetNameById(de_ctx, s->init_data->list));
66	162	SCReturnInt(-1);
67	162	}
68
69	6.03k	SigMatch *pm = DetectGetLastSMByListId(s, DETECT_SM_LIST_PMATCH, DETECT_CONTENT, -1);
70	6.03k	if (pm == NULL) {
71	1.65k	SCLogError("\"rawbytes\" needs a preceding content option");
72	1.65k	SCReturnInt(-1);
73	1.65k	}
74
75	4.38k	switch (pm->type) {
76	4.38k	case DETECT_CONTENT: {
77	4.38k	DetectContentData cd = (DetectContentData )pm->ctx;
78	4.38k	if (cd->flags & DETECT_CONTENT_RAWBYTES) {
79	5	SCLogError("can't use multiple rawbytes modifiers for the same content. ");
80	5	SCReturnInt(-1);
81	5	}
82	4.37k	cd->flags \|= DETECT_CONTENT_RAWBYTES;
83	4.37k	break;
84	4.38k	}
85	0	default:
86	0	SCLogError("\"rawbytes\" needs a preceding content option");
87	0	SCReturnInt(-1);
88	4.38k	}
89
90	4.37k	SCReturnInt(0);
91	4.38k	}

Coverage Report

Created: 2025-07-23 07:29