diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index b6488b09f197..d419289c2244 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -2861,8 +2861,9 @@ Lua ~~~ Suricata 8.0 sandboxes Lua rules by default. The restrictions on the sandbox for Lua rules can be -modified in the ``security.lua`` section of the configuration file. Additionally, Lua rules -can be completely disabled the same as the Suricata 7.0 default: +modified in the ``security.lua`` section of the configuration file. This section also applies to +Lua transforms. Additionally, Lua rules can be completely disabled in the same way as for as the +Suricata 7.0 default: :: diff --git a/doc/userguide/lua/lua-functions.rst b/doc/userguide/lua/lua-functions.rst index 92473d52c35e..e37eb3c45a11 100644 --- a/doc/userguide/lua/lua-functions.rst +++ b/doc/userguide/lua/lua-functions.rst @@ -7,6 +7,7 @@ Differences between `output` and `detect`: ------------------------------------------ Currently, the ``needs`` key initialization varies, depending on what is the goal of the script: output or detection. +The Lua script for the ``luaxform`` transform **does not use ``needs``**. If the script is for detection, the ``needs`` initialization should be as seen in the example below (see :ref:`lua-detection` for a complete example of a detection script): @@ -812,7 +813,7 @@ Example: return 0 end end - + HasshServerGet ~~~~~~~~~~~~~~ @@ -828,7 +829,7 @@ Example: return 0 end end - + HasshServerGetString ~~~~~~~~~~~~~~~~~~~~ @@ -998,7 +999,7 @@ index so in our case we need to use 0. SCFlowintSet(0, a + 1) else SCFlowintSet(0, 1) - end + end SCFlowintGet ~~~~~~~~~~~~ @@ -1031,7 +1032,7 @@ SCFlowvarSet Set a Flowvar. First parameter is the index, second is the data and third is the length of data. -You can use it to set string +You can use it to set string :: @@ -1041,7 +1042,7 @@ You can use it to set string needs["flowvar"] = {"cnt"} return needs end - + function match(args) a = SCFlowvarGet(0); if a then @@ -1050,7 +1051,7 @@ You can use it to set string else a = tostring(1) SCFlowvarSet(0, a, #a) - end + end Misc ---- diff --git a/doc/userguide/lua/lua-usage.rst b/doc/userguide/lua/lua-usage.rst index 19946db5e54f..a6346f62dc57 100644 --- a/doc/userguide/lua/lua-usage.rst +++ b/doc/userguide/lua/lua-usage.rst @@ -1,20 +1,29 @@ Lua usage in Suricata ===================== -Lua scripting can be used in two components of Suricata. The first is in -output and the second one in rules in the detection engine. +Lua scripting can be used in two components of Suricata: + + * Output + * Detection: ``lua`` keyword and ``luaxform`` transform Both features are using a list of functions to access the data extracted by Suricata. You can get the list of functions in the :ref:`lua-functions` page. -.. note:: Currently, there is a difference in the ``needs`` key in the ``init`` function, depending on what is the usage: ``output`` or ``detection``. The list of available functions may also differ. +.. note:: Currently, there is a difference in the ``needs`` key in the ``init`` function, + depending on what is the usage: ``output`` or ``detection``. The list of available + functions may also differ. The ``luaxform`` doesn't use the ``needs`` key. Lua output ---------- -Lua can be used to write arbitrary output. See :ref:`lua-output` for more information. +Lua scripts can be used to write arbitrary output. See :ref:`lua-output` for more information. Lua detection ------------- -Lua script can be used as a filter condition in signatures. See :ref:`lua-detection` for more information. +Lua scripts can be used as a filter condition in signatures. See :ref:`lua-detection` for more information. + +Lua transform +------------- + +The ``luaxform`` transform can be used in signatures. See :ref:`lua-transform` for more information. diff --git a/doc/userguide/rules/lua-detection.rst b/doc/userguide/rules/lua-detection.rst index 0f2011987ec0..ed2d8113e8f1 100644 --- a/doc/userguide/rules/lua-detection.rst +++ b/doc/userguide/rules/lua-detection.rst @@ -3,10 +3,18 @@ Lua Scripting for Detection =========================== +There are 2 ways that Lua can be used with detection. These are + +* ``lua`` rule keyword. +* ``luaxform`` transform. + .. note:: Lua is disabled by default for use in rules, it must be enabled in the configuration file. See the ``security.lua`` section of ``suricata.yaml`` and enable ``allow-rules``. +Lua Rule Keyword +^^^^^^^^^^^^^^^^ + Syntax: :: @@ -103,8 +111,13 @@ Entire script: return 0 -Sandbox and Available functions -------------------------------- +Lua Transform: ``luaxform`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +More details in :ref:`lua-transform`. + +Lua Sandbox and Available functions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Lua rule scripts are run in a sandbox environment the applies the following restrictions: @@ -140,7 +153,7 @@ Of note, the following standard libraries are not available: This behavior can be modified via the ``security.lua`` section of :ref:`suricata-yaml-lua-config` -.. note:: Suricata 8.0 has moved to Lua 5.4 and has builtin support for bitwise and utf8 operations now. +.. note:: Suricata 8.0 has moved to Lua 5.4 and now has builtin support for bitwise and utf8 operations. A comprehensive list of existing lua functions - with examples - can be found at :ref:`lua-functions` (some of them, however, work only for diff --git a/doc/userguide/rules/transforms.rst b/doc/userguide/rules/transforms.rst index e536757f29f7..76f147fea565 100644 --- a/doc/userguide/rules/transforms.rst +++ b/doc/userguide/rules/transforms.rst @@ -243,3 +243,103 @@ This example transforms `"Zm 9v Ym Fy"` to `"foobar"`:: content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc2045; \ content:"foobar"; + +.. _lua-transform: + +luaxform +-------- + +This transform allows a Lua script to apply a transformation +to a buffer. + +Lua scripts that are used for transformations *must* contain a function +named ``transform``. + +Lua transforms can be passed optional arguments -- see the examples below -- but they +are not required to do so. Arguments are comma-separated. + +Note that the arguments and values are passed without validation +nor interpretation. There is a maximum of 10 arguments. + +Lua transform function receives parameters: + + * `input-length` The number of bytes in the buffer provided to the transform + * `input` The buffer provided to the transform + * `argument` The number of arguments provided in the following parameters. If there are + no arguments to the Lua transform, this value will be `0`. + * `arguments` The list of arguments. + +The return value from a transform +This example supplies the HTTP data to a Lua transform and the transform +results are checked with `content`. + +Example:: + + alert http any any -> any any (msg:"Lua Xform example"; flow:established; \ + file.data; luaxform:./lua/lua-transform.lua; content: "abc"; sid: 2;) + + +This example supplies the HTTP data to a Lua transform with with arguments +that specify the offset and byte count for the transform. The resulting +buffer is then checked with a `content` match. + +Example:: + + alert http any any -> any any (msg:"Lua Xform example"; flow:established; \ + file.data; luaxform:./lua/lua-transform.lua, bytes 12, offset 13; content: "abc"; sid: 1;) + + +The following Lua script shows a transform that handles arguments: `bytes` and `offset` and uses +those values (or defaults, if there are no arguments) for applying the uppercase transform to +the buffer. + +.. code-block:: lua + + function init (args) + local needs = {} + return needs + end + + local function get_value(item, key) + if string.find(item, key) then + local _, value = string.match(item, "(%a+)%s*(%d*)") + if value ~= "" then + return tonumber(value) + end + end + + return nil + end + + -- Arguments supported + local bytes_key = "bytes" + local offset_key = "offset" + function transform(input_len, input, argc, args) + local bytes = input_len + local offset = 0 + + -- Look for optional bytes and offset arguments + for i, item in ipairs(args) do + local value = get_value(item, bytes_key) + if value ~= nil then + bytes = value + else + local value = get_value(item, offset_key) + if value ~= nil then + offset = value + end + end + end + local str_len = #input + if offset < 0 or offset > str_len then + print("offset is out of bounds: " .. offset) + return nil + end + str_len = str_len - offset + if bytes < 0 or bytes > str_len then + print("invalid bytes " .. bytes .. " or bytes > length " .. bytes .. " length " .. str_len) + return nil + end + local sub = string.sub(input, offset + 1, offset + bytes) + return string.upper(sub) + end diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 63e2146280ab..7e99e1fefe29 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -79,6 +79,8 @@ Major changes - sip.content_length - Napatech support has been moved to a capture plugin. See :doc:`Napatech plugin `. +- New transform ``luaxform`` that uses a Lua script for sticky buffer transformation. + More details in :ref:`lua-transform`. Removals ~~~~~~~~ diff --git a/rust/src/detect/transforms/casechange.rs b/rust/src/detect/transforms/casechange.rs index 80b6b82a48ac..3688e8068052 100644 --- a/rust/src/detect/transforms/casechange.rs +++ b/rust/src/detect/transforms/casechange.rs @@ -41,7 +41,7 @@ fn tolower_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn tolower_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn tolower_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { @@ -106,7 +106,7 @@ fn toupper_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn toupper_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn toupper_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/compress_whitespace.rs b/rust/src/detect/transforms/compress_whitespace.rs index 5e96be1f10d0..8cec4951c419 100644 --- a/rust/src/detect/transforms/compress_whitespace.rs +++ b/rust/src/detect/transforms/compress_whitespace.rs @@ -56,7 +56,7 @@ fn compress_whitespace_transform_do(input: &[u8], output: &mut [u8]) -> u32 { } #[no_mangle] -unsafe extern "C" fn compress_whitespace_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn compress_whitespace_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/dotprefix.rs b/rust/src/detect/transforms/dotprefix.rs index eef6d048bd08..616a61f2114f 100644 --- a/rust/src/detect/transforms/dotprefix.rs +++ b/rust/src/detect/transforms/dotprefix.rs @@ -39,7 +39,7 @@ fn dot_prefix_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn dot_prefix_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn dot_prefix_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/hash.rs b/rust/src/detect/transforms/hash.rs index 76922f678b91..b7a6f3b0e976 100644 --- a/rust/src/detect/transforms/hash.rs +++ b/rust/src/detect/transforms/hash.rs @@ -51,7 +51,7 @@ fn md5_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn md5_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn md5_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { @@ -107,7 +107,7 @@ fn sha1_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn sha1_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn sha1_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { @@ -163,7 +163,7 @@ fn sha256_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn sha256_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn sha256_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/http_headers.rs b/rust/src/detect/transforms/http_headers.rs index 939cbb3d338a..1c02c377fffb 100644 --- a/rust/src/detect/transforms/http_headers.rs +++ b/rust/src/detect/transforms/http_headers.rs @@ -54,7 +54,7 @@ fn header_lowertransform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn header_lowertransform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn header_lowertransform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { @@ -113,7 +113,7 @@ fn strip_pseudo_transform_do(input: &[u8], output: &mut [u8]) -> u32 { } #[no_mangle] -unsafe extern "C" fn strip_pseudo_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn strip_pseudo_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/mod.rs b/rust/src/detect/transforms/mod.rs index 01603cabc116..e35d2930442f 100644 --- a/rust/src/detect/transforms/mod.rs +++ b/rust/src/detect/transforms/mod.rs @@ -37,7 +37,7 @@ pub struct SCTransformTableElmt { pub flags: u16, pub Setup: unsafe extern "C" fn(de: *mut c_void, s: *mut c_void, raw: *const c_char) -> c_int, pub Free: Option, - pub Transform: unsafe extern "C" fn(inspect_buf: *mut c_void, options: *mut c_void), + pub Transform: unsafe extern "C" fn(det: *mut c_void, inspect_buf: *mut c_void, options: *mut c_void), pub TransformValidate: Option bool>, } diff --git a/rust/src/detect/transforms/strip_whitespace.rs b/rust/src/detect/transforms/strip_whitespace.rs index 2fb8599a5365..443875682cfe 100644 --- a/rust/src/detect/transforms/strip_whitespace.rs +++ b/rust/src/detect/transforms/strip_whitespace.rs @@ -46,7 +46,7 @@ fn strip_whitespace_transform_do(input: &[u8], output: &mut [u8]) -> u32 { } #[no_mangle] -unsafe extern "C" fn strip_whitespace_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn strip_whitespace_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/urldecode.rs b/rust/src/detect/transforms/urldecode.rs index 59620ad42d2d..681e72d69b21 100644 --- a/rust/src/detect/transforms/urldecode.rs +++ b/rust/src/detect/transforms/urldecode.rs @@ -88,7 +88,7 @@ fn url_decode_transform_do(input: &[u8], output: &mut [u8]) -> u32 { } #[no_mangle] -unsafe extern "C" fn url_decode_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn url_decode_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/xor.rs b/rust/src/detect/transforms/xor.rs index cf801170d977..1a2da33484b6 100644 --- a/rust/src/detect/transforms/xor.rs +++ b/rust/src/detect/transforms/xor.rs @@ -78,7 +78,7 @@ fn xor_transform_do(input: &[u8], output: &mut [u8], ctx: &DetectTransformXorDat } #[no_mangle] -unsafe extern "C" fn xor_transform(buffer: *mut c_void, ctx: *mut c_void) { +unsafe extern "C" fn xor_transform(_det: *mut c_void, buffer: *mut c_void, ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/src/Makefile.am b/src/Makefile.am index b0f841cfd0c2..50e69db2f788 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -306,6 +306,7 @@ noinst_HEADERS = \ detect-tls-random.h \ detect-tos.h \ detect-transform-base64.h \ + detect-transform-luaxform.h \ detect-transform-pcrexform.h \ detect-ttl.h \ detect-udphdr.h \ @@ -867,6 +868,7 @@ libsuricata_c_a_SOURCES = \ detect-tls-random.c \ detect-tos.c \ detect-transform-base64.c \ + detect-transform-luaxform.c \ detect-transform-pcrexform.c \ detect-ttl.c \ detect-udphdr.c \ diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index b0ee04590583..e23cfb6a4e60 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -79,8 +79,8 @@ static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx, return NULL; SCLogDebug("have data!"); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } @@ -105,8 +105,8 @@ static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx, } else { buffer->flags |= DETECT_CI_FLAGS_DCE_BE; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-dnp3.c b/src/detect-dnp3.c index 807c189611d8..bba0798da8d8 100644 --- a/src/detect-dnp3.c +++ b/src/detect-dnp3.c @@ -166,8 +166,8 @@ static InspectionBuffer *GetDNP3Data(DetectEngineThreadCtx *det_ctx, } SCLogDebug("tx %p data %p data_len %u", tx, tx->buffer, tx->buffer_len); - InspectionBufferSetup(det_ctx, list_id, buffer, tx->buffer, tx->buffer_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, tx->buffer, tx->buffer_len, transforms); } return buffer; } diff --git a/src/detect-dns-answer-name.c b/src/detect-dns-answer-name.c index dc1272d47510..8c7243e8ae76 100644 --- a/src/detect-dns-answer-name.c +++ b/src/detect-dns-answer-name.c @@ -64,7 +64,7 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; return buffer; } diff --git a/src/detect-dns-query-name.c b/src/detect-dns-query-name.c index ca1cc79fa4bf..05eb0a8d7a15 100644 --- a/src/detect-dns-query-name.c +++ b/src/detect-dns-query-name.c @@ -64,7 +64,7 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; return buffer; } diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c index ef510f15287a..db25af166af5 100644 --- a/src/detect-dns-query.c +++ b/src/detect-dns-query.c @@ -85,7 +85,7 @@ static InspectionBuffer *DnsQueryGetData(DetectEngineThreadCtx *det_ctx, InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-engine-frame.c b/src/detect-engine-frame.c index fd3163d59732..5b3f01281984 100644 --- a/src/detect-engine-frame.c +++ b/src/detect-engine-frame.c @@ -67,8 +67,8 @@ static bool SetupStreamCallbackData(struct FrameStreamData *dst, const TcpSessio static bool BufferSetup(struct FrameStreamData *fsd, InspectionBuffer *buffer, const uint8_t *input, const uint32_t input_len, const uint64_t input_offset); -static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const Packet *p, - const DetectEngineTransforms *transforms); +static void BufferSetupUdp(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const Frame *frame, const Packet *p, const DetectEngineTransforms *transforms); void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const Frames *frames, const Frame *frame, const AppProto alproto) @@ -159,7 +159,7 @@ static void PrefilterMpmFrame(DetectEngineThreadCtx *det_ctx, const void *pectx, if (frame->offset >= p->payload_len) return; - BufferSetupUdp(buffer, frame, p, ctx->transforms); + BufferSetupUdp(det_ctx, buffer, frame, p, ctx->transforms); const uint32_t data_len = buffer->inspect_len; const uint8_t *data = buffer->inspect; @@ -251,8 +251,8 @@ bool DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, c return false; } -static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const Packet *p, - const DetectEngineTransforms *transforms) +static void BufferSetupUdp(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const Frame *frame, const Packet *p, const DetectEngineTransforms *transforms) { uint8_t ci_flags = DETECT_CI_FLAGS_START; uint32_t frame_len; @@ -275,7 +275,7 @@ static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const P AppLayerParserGetFrameNameById(p->flow->proto, p->flow->alproto, frame->type), frame->offset, frame->type, frame->len); - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->inspect_offset = 0; buffer->flags = ci_flags; } @@ -301,7 +301,7 @@ static int DetectFrameInspectUdp(DetectEngineThreadCtx *det_ctx, return DETECT_ENGINE_INSPECT_SIG_NO_MATCH; if (!buffer->initialized) - BufferSetupUdp(buffer, frame, p, transforms); + BufferSetupUdp(det_ctx, buffer, frame, p, transforms); DEBUG_VALIDATE_BUG_ON(!buffer->initialized); if (buffer->inspect == NULL) return DETECT_ENGINE_INSPECT_SIG_NO_MATCH; @@ -387,7 +387,7 @@ static bool BufferSetup(struct FrameStreamData *fsd, InspectionBuffer *buffer, c } // PrintRawDataFp(stdout, data, data_len); SCLogDebug("fsd->transforms %p", fsd->transforms); - InspectionBufferSetupMulti(buffer, fsd->transforms, data, data_len); + InspectionBufferSetupMulti(fsd->det_ctx, buffer, fsd->transforms, data, data_len); SCLogDebug("inspect_offset %" PRIu64, fo_inspect_offset); buffer->inspect_offset = fo_inspect_offset; buffer->flags = ci_flags; diff --git a/src/detect-engine-helper.c b/src/detect-engine-helper.c index 07ffb8177057..94cfcfbab537 100644 --- a/src/detect-engine-helper.c +++ b/src/detect-engine-helper.c @@ -56,8 +56,7 @@ InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, if (!GetBuf(txv, flow_flags, &b, &b_len)) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } @@ -115,8 +114,8 @@ int DetectHelperKeywordRegister(const SCSigTableElmt *kw) (int (*)(DetectEngineThreadCtx * det_ctx, Flow * f, uint8_t flags, void *alstate, void *txv, const Signature *s, const SigMatchCtx *ctx)) kw->AppLayerTxMatch; sigmatch_table[DETECT_TBLSIZE_IDX].Setup = - (int (*)(DetectEngineCtx * de, Signature * s, const char *raw)) kw->Setup; - sigmatch_table[DETECT_TBLSIZE_IDX].Free = (void (*)(DetectEngineCtx * de, void *ptr)) kw->Free; + (int (*)(DetectEngineCtx *de, Signature *s, const char *raw))kw->Setup; + sigmatch_table[DETECT_TBLSIZE_IDX].Free = (void (*)(DetectEngineCtx *de, void *ptr))kw->Free; DETECT_TBLSIZE_IDX++; return DETECT_TBLSIZE_IDX - 1; } @@ -137,8 +136,8 @@ int DetectHelperTransformRegister(const SCTransformTableElmt *kw) sigmatch_table[DETECT_TBLSIZE_IDX].desc = kw->desc; sigmatch_table[DETECT_TBLSIZE_IDX].url = kw->url; sigmatch_table[DETECT_TBLSIZE_IDX].flags = kw->flags; - sigmatch_table[DETECT_TBLSIZE_IDX].Transform = - (void (*)(InspectionBuffer * buffer, void *options)) kw->Transform; + sigmatch_table[DETECT_TBLSIZE_IDX].Transform = (void (*)(struct DetectEngineThreadCtx_ *det_ctx, + InspectionBuffer *buffer, void *options))kw->Transform; sigmatch_table[DETECT_TBLSIZE_IDX].TransformValidate = (bool (*)( const uint8_t *content, uint16_t content_len, void *context))kw->TransformValidate; sigmatch_table[DETECT_TBLSIZE_IDX].Setup = @@ -167,7 +166,7 @@ InspectionBuffer *DetectHelperGetMultiData(struct DetectEngineThreadCtx_ *det_ct InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; return buffer; } diff --git a/src/detect-engine-mpm.h b/src/detect-engine-mpm.h index 10bdb86f5bcb..5110e0cad9fa 100644 --- a/src/detect-engine-mpm.h +++ b/src/detect-engine-mpm.h @@ -113,7 +113,6 @@ void DetectEngineFrameMpmRegister(DetectEngineCtx *de_ctx, const char *name, int const DetectBufferMpmRegistry *mpm_reg, int list_id), AppProto alproto, uint8_t type); - int PrefilterGenericMpmFrameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id); diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 903cc158cf5f..538d05d97caa 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -217,6 +217,7 @@ #include "detect-transform-pcrexform.h" #include "detect-transform-base64.h" +#include "detect-transform-luaxform.h" #include "util-rule-vars.h" @@ -674,6 +675,7 @@ void SigTableSetup(void) DetectTransformToUpperRegister(); DetectTransformHeaderLowercaseRegister(); DetectTransformFromBase64DecodeRegister(); + DetectTransformLuaxformRegister(); DetectFileHandlerRegister(); diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index db4cd957af9d..4daa971a2e95 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -315,6 +315,7 @@ enum DetectKeywordId { DETECT_TRANSFORM_TOUPPER, DETECT_TRANSFORM_HEADER_LOWERCASE, DETECT_TRANSFORM_FROM_BASE64, + DETECT_TRANSFORM_LUAXFORM, DETECT_AL_IKE_EXCH_TYPE, DETECT_AL_IKE_SPI_INITIATOR, diff --git a/src/detect-engine.c b/src/detect-engine.c index 77c25a1cf3a9..924eba6b1d69 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -105,6 +105,9 @@ static uint32_t DetectEngineTenantGetIdFromLivedev(const void *ctx, const Packet static uint32_t DetectEngineTenantGetIdFromVlanId(const void *ctx, const Packet *p); static uint32_t DetectEngineTenantGetIdFromPcap(const void *ctx, const Packet *p); +static inline void InspectionBufferApplyTransformsInternal( + DetectEngineThreadCtx *, InspectionBuffer *, const DetectEngineTransforms *); + static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL; static DetectEnginePktInspectionEngine *g_pkt_inspect_engines = NULL; static DetectEngineFrameInspectionEngine *g_frame_inspect_engines = NULL; @@ -957,14 +960,15 @@ static char DetectBufferTypeCompareIdFunc(void *data1, uint16_t len1, void *data return map1->id == map2->id; } -static void DetectBufferTypeFreeFunc(void *data) +static void DetectBufferTypeFreeFunc(void *ctx, void *data) { - DetectBufferType *map = (DetectBufferType *)data; - - if (map == NULL) { + if (data == NULL) { return; } + DetectBufferType *map = (DetectBufferType *)data; + DetectEngineCtx *de_ctx = (DetectEngineCtx *)ctx; + /* Release transformation option memory, if any */ for (int i = 0; i < map->transforms.cnt; i++) { if (map->transforms.transforms[i].options == NULL) @@ -974,7 +978,8 @@ static void DetectBufferTypeFreeFunc(void *data) sigmatch_table[map->transforms.transforms[i].transform].name); continue; } - sigmatch_table[map->transforms.transforms[i].transform].Free(NULL, map->transforms.transforms[i].options); + sigmatch_table[map->transforms.transforms[i].transform].Free( + de_ctx, map->transforms.transforms[i].options); } SCFree(map); @@ -983,7 +988,7 @@ static void DetectBufferTypeFreeFunc(void *data) static int DetectBufferTypeInit(void) { BUG_ON(g_buffer_type_hash); - g_buffer_type_hash = HashListTableInit(256, DetectBufferTypeHashNameFunc, + g_buffer_type_hash = HashListTableInitWithCtx(256, DetectBufferTypeHashNameFunc, DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc); if (g_buffer_type_hash == NULL) return -1; @@ -1554,6 +1559,27 @@ InspectionBuffer *InspectionBufferMultipleForListGet( return buffer; } +static inline void InspectionBufferApplyTransformsInternal(DetectEngineThreadCtx *det_ctx, + InspectionBuffer *buffer, const DetectEngineTransforms *transforms) +{ + if (transforms) { + for (int i = 0; i < DETECT_TRANSFORMS_MAX; i++) { + const int id = transforms->transforms[i].transform; + if (id == 0) + break; + BUG_ON(sigmatch_table[id].Transform == NULL); + sigmatch_table[id].Transform(det_ctx, buffer, transforms->transforms[i].options); + SCLogDebug("applied transform %s", sigmatch_table[id].name); + } + } +} + +void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const DetectEngineTransforms *transforms) +{ + InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms); +} + void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size) { memset(buffer, 0, sizeof(*buffer)); @@ -1577,8 +1603,8 @@ void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer) } /** \brief setup the buffer with our initial data */ -void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, - const uint8_t *data, const uint32_t data_len) +void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len) { #ifdef DEBUG_VALIDATION DEBUG_VALIDATE_BUG_ON(!buffer->multi); @@ -1588,11 +1614,10 @@ void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTran buffer->len = 0; buffer->initialized = true; - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms); } -/** \brief setup the buffer with our initial data */ -void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, +static inline void InspectionBufferSetupInternal(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len) { #ifdef DEBUG_VALIDATION @@ -1610,6 +1635,21 @@ void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, buffer->len = 0; buffer->initialized = true; } +/** \brief setup the buffer with our initial data */ +void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len) +{ + InspectionBufferSetupInternal(det_ctx, list_id, buffer, data, data_len); +} + +/** \brief setup the buffer with our initial data */ +void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, + const DetectEngineTransforms *transforms) +{ + InspectionBufferSetupInternal(det_ctx, list_id, buffer, data, data_len); + InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms); +} void InspectionBufferFree(InspectionBuffer *buffer) { @@ -1708,27 +1748,12 @@ bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_lis return true; } -void InspectionBufferApplyTransforms(InspectionBuffer *buffer, - const DetectEngineTransforms *transforms) -{ - if (transforms) { - for (int i = 0; i < DETECT_TRANSFORMS_MAX; i++) { - const int id = transforms->transforms[i].transform; - if (id == 0) - break; - BUG_ON(sigmatch_table[id].Transform == NULL); - sigmatch_table[id].Transform(buffer, transforms->transforms[i].options); - SCLogDebug("applied transform %s", sigmatch_table[id].name); - } - } -} - static void DetectBufferTypeSetupDetectEngine(DetectEngineCtx *de_ctx) { const int size = g_buffer_type_id; BUG_ON(!(size > 0)); - de_ctx->buffer_type_hash_name = HashListTableInit(256, DetectBufferTypeHashNameFunc, + de_ctx->buffer_type_hash_name = HashListTableInitWithCtx(256, DetectBufferTypeHashNameFunc, DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc); BUG_ON(de_ctx->buffer_type_hash_name == NULL); de_ctx->buffer_type_hash_id = @@ -1770,7 +1795,7 @@ static void DetectBufferTypeFreeDetectEngine(DetectEngineCtx *de_ctx) { if (de_ctx) { if (de_ctx->buffer_type_hash_name) - HashListTableFree(de_ctx->buffer_type_hash_name); + HashListTableFreeWithCtx(de_ctx, de_ctx->buffer_type_hash_name); if (de_ctx->buffer_type_hash_id) HashListTableFree(de_ctx->buffer_type_hash_id); @@ -2585,6 +2610,9 @@ DetectEngineCtx *DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tena static void DetectEngineCtxFreeThreadKeywordData(DetectEngineCtx *de_ctx) { HashListTableFree(de_ctx->keyword_hash); +#if UNITTESTS + de_ctx->keyword_hash = NULL; +#endif } static void DetectEngineCtxFreeFailedSigs(DetectEngineCtx *de_ctx) @@ -2657,7 +2685,6 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) MpmFactoryDeRegisterAllMpmCtxProfiles(de_ctx); - DetectEngineCtxFreeThreadKeywordData(de_ctx); SRepDestroy(de_ctx); DetectEngineCtxFreeFailedSigs(de_ctx); @@ -2680,6 +2707,7 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) DetectPortCleanupList(de_ctx, de_ctx->udp_priorityports); DetectBufferTypeFreeDetectEngine(de_ctx); + DetectEngineCtxFreeThreadKeywordData(de_ctx); SCClassConfDeinit(de_ctx); SCReferenceConfDeinit(de_ctx); diff --git a/src/detect-engine.h b/src/detect-engine.h index b75d124f9cd4..4f754c0f6241 100644 --- a/src/detect-engine.h +++ b/src/detect-engine.h @@ -30,17 +30,20 @@ void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size); void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len); +void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, + const DetectEngineTransforms *transforms); void InspectionBufferFree(InspectionBuffer *buffer); void *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size); void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len); void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len); -void InspectionBufferApplyTransforms(InspectionBuffer *buffer, +void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms); void InspectionBufferClean(DetectEngineThreadCtx *det_ctx); InspectionBuffer *InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id); void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer); -void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, - const uint8_t *data, const uint32_t data_len); +void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len); InspectionBuffer *InspectionBufferMultipleForListGet( DetectEngineThreadCtx *det_ctx, const int list_id, uint32_t local_id); diff --git a/src/detect-file-data.c b/src/detect-file-data.c index a721c08c7cf9..3dc132d8d076 100644 --- a/src/detect-file-data.c +++ b/src/detect-file-data.c @@ -192,7 +192,8 @@ static inline InspectionBuffer *FiledataWithXformsGetDataCallback(DetectEngineTh return buffer; } - InspectionBufferSetupMulti(buffer, transforms, base_buffer->inspect, base_buffer->inspect_len); + InspectionBufferSetupMulti( + det_ctx, buffer, transforms, base_buffer->inspect, base_buffer->inspect_len); buffer->inspect_offset = base_buffer->inspect_offset; SCLogDebug("xformed buffer %p size %u", buffer, buffer->inspect_len); SCReturnPtr(buffer, "InspectionBuffer"); @@ -351,7 +352,7 @@ static InspectionBuffer *FiledataGetDataCallback(DetectEngineThreadCtx *det_ctx, SCLogDebug("content inspected: %" PRIu64, cur_file->content_inspected); } - InspectionBufferSetupMulti(buffer, NULL, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, NULL, data, data_len); SCLogDebug("[list %d] [before] buffer offset %" PRIu64 "; buffer len %" PRIu32 "; data_len %" PRIu32 "; file_size %" PRIu64, list_id, buffer->inspect_offset, buffer->inspect_len, data_len, file_size); diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c index f23434d8666e..aa1e319ea11c 100644 --- a/src/detect-filemagic.c +++ b/src/detect-filemagic.c @@ -291,7 +291,7 @@ static InspectionBuffer *FilemagicGetDataCallback(DetectEngineThreadCtx *det_ctx const uint8_t *data = (const uint8_t *)cur_file->magic; uint32_t data_len = (uint32_t)strlen(cur_file->magic); - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); SCReturnPtr(buffer, "InspectionBuffer"); } diff --git a/src/detect-filename.c b/src/detect-filename.c index f75fdbd680fe..11e576071055 100644 --- a/src/detect-filename.c +++ b/src/detect-filename.c @@ -228,7 +228,7 @@ static InspectionBuffer *FilenameGetDataCallback(DetectEngineThreadCtx *det_ctx, const uint8_t *data = cur_file->name; uint32_t data_len = cur_file->name_len; - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); SCReturnPtr(buffer, "InspectionBuffer"); } diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index 5e5604ea594d..192d71ff30da 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -202,7 +202,7 @@ static inline InspectionBuffer *HttpRequestBodyXformsGetDataCallback(DetectEngin InspectionBufferSetup(det_ctx, list_id, buffer, base_buffer->inspect, base_buffer->inspect_len); buffer->inspect_offset = base_buffer->inspect_offset; - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); SCLogDebug("xformed buffer %p size %u", buffer, buffer->inspect_len); SCReturnPtr(buffer, "InspectionBuffer"); } diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 5f4898285460..721e093b4e3d 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -190,8 +190,8 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -218,8 +218,8 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -239,8 +239,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -260,8 +259,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-header-names.c b/src/detect-http-header-names.c index 66bc73d44c80..5ab116928e41 100644 --- a/src/detect-http-header-names.c +++ b/src/detect-http-header-names.c @@ -153,8 +153,8 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, if (rawdata_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } return buffer; @@ -174,8 +174,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 8839544a5f92..961da06dabb9 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -158,8 +158,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -192,8 +191,8 @@ static uint8_t DetectEngineInspectBufferHttpHeader(DetectEngineCtx *de_ctx, goto end; } /* setup buffer and apply transforms */ - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } const uint32_t data_len = buffer->inspect_len; @@ -253,8 +252,8 @@ static void PrefilterMpmHttpHeader(DetectEngineThreadCtx *det_ctx, const void *p return; /* setup buffer and apply transforms */ - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, ctx->transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, ctx->transforms); } const uint32_t data_len = buffer->inspect_len; @@ -527,7 +526,7 @@ static InspectionBuffer *GetHttp2HeaderData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, b, b_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); @@ -605,8 +604,8 @@ static InspectionBuffer *GetHttp1HeaderData(DetectEngineThreadCtx *det_ctx, // hdr_td->len is the number of header buffers if (local_id < hdr_td->len) { // we have one valid header buffer - InspectionBufferSetupMulti( - buffer, transforms, hdr_td->items[local_id].buffer, hdr_td->items[local_id].len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, hdr_td->items[local_id].buffer, + hdr_td->items[local_id].len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); } // else there are no more header buffer to get diff --git a/src/detect-http-headers-stub.h b/src/detect-http-headers-stub.h index 82d5f543d7a9..0e1a3f108f84 100644 --- a/src/detect-http-headers-stub.h +++ b/src/detect-http-headers-stub.h @@ -67,8 +67,8 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -90,8 +90,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -123,8 +122,8 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -146,8 +145,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-host.c b/src/detect-http-host.c index fe36a261e6cc..0663987c92e9 100644 --- a/src/detect-http-host.c +++ b/src/detect-http-host.c @@ -248,8 +248,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_hostname); const uint8_t *data = bstr_ptr(tx->request_hostname); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -269,8 +269,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -290,8 +289,7 @@ static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -361,8 +359,8 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, data_len = bstr_len(tx->parsed_uri->hostname); } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 8d08f0369e90..e1c6c48596bb 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -209,8 +209,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_method); const uint8_t *data = bstr_ptr(tx->request_method); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -230,8 +230,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-protocol.c b/src/detect-http-protocol.c index 6214c80513be..dcc9381e7e53 100644 --- a/src/detect-http-protocol.c +++ b/src/detect-http-protocol.c @@ -107,8 +107,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -120,9 +120,8 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, { InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { - InspectionBufferSetup( - det_ctx, list_id, buffer, (const uint8_t *)"HTTP/2", strlen("HTTP/2")); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, (const uint8_t *)"HTTP/2", strlen("HTTP/2"), transforms); } return buffer; diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index 0bb834b7726a..a641f7e79278 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -197,8 +197,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = ts ? tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -218,8 +218,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-request-line.c b/src/detect-http-request-line.c index 886e643a3eda..954fef6ead1e 100644 --- a/src/detect-http-request-line.c +++ b/src/detect-http-request-line.c @@ -86,8 +86,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -164,8 +163,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_line); const uint8_t *data = bstr_ptr(tx->request_line); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-http-response-line.c b/src/detect-http-response-line.c index 69ee8c2709ab..80c1b882f8a2 100644 --- a/src/detect-http-response-line.c +++ b/src/detect-http-response-line.c @@ -86,8 +86,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -163,8 +162,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->response_line); const uint8_t *data = bstr_ptr(tx->response_line); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-http-start.c b/src/detect-http-start.c index e88ac3cdf68f..5e4b80d43fa1 100644 --- a/src/detect-http-start.c +++ b/src/detect-http-start.c @@ -158,8 +158,8 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, if (rawdata_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } return buffer; diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c index 37dfb2efbdcc..19ed9c0672e3 100644 --- a/src/detect-http-stat-code.c +++ b/src/detect-http-stat-code.c @@ -167,8 +167,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->response_status); const uint8_t *data = bstr_ptr(tx->response_status); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -190,8 +190,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c index b1a485d7a933..f9baab4e347a 100644 --- a/src/detect-http-stat-msg.c +++ b/src/detect-http-stat-msg.c @@ -78,8 +78,8 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, { InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { - InspectionBufferSetup(det_ctx, list_id, buffer, (const uint8_t *)"", 0); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, (const uint8_t *)"", 0, transforms); } return buffer; @@ -176,8 +176,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->response_message); const uint8_t *data = bstr_ptr(tx->response_message); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index 8babd9adcb50..82439c846468 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -174,8 +174,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -197,8 +197,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index 12c6f8788549..984b5ce27250 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -236,8 +236,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx_ud->request_uri_normalized); const uint8_t *data = bstr_ptr(tx_ud->request_uri_normalized); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -259,8 +259,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -327,8 +326,8 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_uri); const uint8_t *data = bstr_ptr(tx->request_uri); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-icmpv4hdr.c b/src/detect-icmpv4hdr.c index dbda7c6f14d1..43a884991555 100644 --- a/src/detect-icmpv4hdr.c +++ b/src/detect-icmpv4hdr.c @@ -112,8 +112,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)icmpv4h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-icmpv6hdr.c b/src/detect-icmpv6hdr.c index 54f1cd35a04f..0bd9b2b4fc71 100644 --- a/src/detect-icmpv6hdr.c +++ b/src/detect-icmpv6hdr.c @@ -117,8 +117,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)icmpv6h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-ike-key-exchange-payload.c b/src/detect-ike-key-exchange-payload.c index 9d83fba33dec..796af48f30d8 100644 --- a/src/detect-ike-key-exchange-payload.c +++ b/src/detect-ike-key-exchange-payload.c @@ -82,8 +82,7 @@ static InspectionBuffer *GetKeyExchangeData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-ike-nonce-payload.c b/src/detect-ike-nonce-payload.c index a2c4ac6f9a2a..ea7afdac48da 100644 --- a/src/detect-ike-nonce-payload.c +++ b/src/detect-ike-nonce-payload.c @@ -82,8 +82,7 @@ static InspectionBuffer *GetNonceData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-ike-spi.c b/src/detect-ike-spi.c index 9f310b8f580a..f97ed03b679a 100644 --- a/src/detect-ike-spi.c +++ b/src/detect-ike-spi.c @@ -99,8 +99,7 @@ static InspectionBuffer *GetInitiatorData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -120,8 +119,7 @@ static InspectionBuffer *GetResponderData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-ike-vendor.c b/src/detect-ike-vendor.c index e3c09e9a44c6..c1b2f6888b2d 100644 --- a/src/detect-ike-vendor.c +++ b/src/detect-ike-vendor.c @@ -58,7 +58,7 @@ static InspectionBuffer *IkeVendorGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-ipaddr.c b/src/detect-ipaddr.c index aeac80f71d19..a3d2c6b4c872 100644 --- a/src/detect-ipaddr.c +++ b/src/detect-ipaddr.c @@ -128,7 +128,7 @@ static InspectionBuffer *GetDataSrc(DetectEngineThreadCtx *det_ctx, } else { return NULL; } - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -152,7 +152,7 @@ static InspectionBuffer *GetDataDst(DetectEngineThreadCtx *det_ctx, } else { return NULL; } - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ipv4hdr.c b/src/detect-ipv4hdr.c index 78fe0062ea46..1db2bf0f28d6 100644 --- a/src/detect-ipv4hdr.c +++ b/src/detect-ipv4hdr.c @@ -113,8 +113,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)ip4h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-ipv6hdr.c b/src/detect-ipv6hdr.c index 2f5e79d33d4e..28a61023e21c 100644 --- a/src/detect-ipv6hdr.c +++ b/src/detect-ipv6hdr.c @@ -114,8 +114,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)ip6h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-ja4-hash.c b/src/detect-ja4-hash.c index ebddc6b6d060..dfa9c80c0949 100644 --- a/src/detect-ja4-hash.c +++ b/src/detect-ja4-hash.c @@ -148,7 +148,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, InspectionBufferSetup(det_ctx, list_id, buffer, data, 0); InspectionBufferCopy(buffer, data, JA4_HEX_LEN); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -170,7 +170,7 @@ static InspectionBuffer *Ja4DetectGetHash(DetectEngineThreadCtx *det_ctx, InspectionBufferSetup(det_ctx, list_id, buffer, NULL, 0); InspectionBufferCopy(buffer, (uint8_t *)b, JA4_HEX_LEN); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-krb5-cname.c b/src/detect-krb5-cname.c index 1411f7380806..9a71edce8a9d 100644 --- a/src/detect-krb5-cname.c +++ b/src/detect-krb5-cname.c @@ -73,7 +73,7 @@ static InspectionBuffer *GetKrb5CNameData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, b, b_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-krb5-sname.c b/src/detect-krb5-sname.c index 3cd6f0e222cc..9a59da3710d0 100644 --- a/src/detect-krb5-sname.c +++ b/src/detect-krb5-sname.c @@ -73,7 +73,7 @@ static InspectionBuffer *GetKrb5SNameData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, b, b_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-lua.c b/src/detect-lua.c index 36f045f50394..577af3154d58 100644 --- a/src/detect-lua.c +++ b/src/detect-lua.c @@ -57,6 +57,7 @@ #include "util-var-name.h" #include "util-lua.h" +#include "util-lua-common.h" #include "util-lua-sandbox.h" static int DetectLuaMatch (DetectEngineThreadCtx *, @@ -126,9 +127,6 @@ void DetectLuaRegister(void) #define FLAG_INSTRUCTION_LIMIT_LOGGED BIT_U32(25) #define FLAG_MEMORY_LIMIT_LOGGED BIT_U32(26) -#define DEFAULT_LUA_ALLOC_LIMIT 500000 -#define DEFAULT_LUA_INSTRUCTION_LIMIT 500000 - #if 0 /** \brief dump stack from lua state to screen */ void LuaDumpStack(lua_State *state) diff --git a/src/detect-quic-cyu-hash.c b/src/detect-quic-cyu-hash.c index 17836d1596b5..c0a13a5d9581 100644 --- a/src/detect-quic-cyu-hash.c +++ b/src/detect-quic-cyu-hash.c @@ -76,7 +76,7 @@ static InspectionBuffer *QuicHashGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-quic-cyu-string.c b/src/detect-quic-cyu-string.c index c2460f11546c..0112b8c46889 100644 --- a/src/detect-quic-cyu-string.c +++ b/src/detect-quic-cyu-string.c @@ -72,7 +72,7 @@ static InspectionBuffer *QuicStringGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-quic-sni.c b/src/detect-quic-sni.c index 0e4bf2d09101..fc568df37ae6 100644 --- a/src/detect-quic-sni.c +++ b/src/detect-quic-sni.c @@ -59,8 +59,7 @@ static InspectionBuffer *GetSniData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-quic-ua.c b/src/detect-quic-ua.c index 0e72770cb068..fc6c3103a109 100644 --- a/src/detect-quic-ua.c +++ b/src/detect-quic-ua.c @@ -59,8 +59,7 @@ static InspectionBuffer *GetUaData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-quic-version.c b/src/detect-quic-version.c index 08bf80c0022c..33f355966edc 100644 --- a/src/detect-quic-version.c +++ b/src/detect-quic-version.c @@ -59,8 +59,7 @@ static InspectionBuffer *GetVersionData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-sip-method.c b/src/detect-sip-method.c index ed22381d9ffc..62071254f809 100644 --- a/src/detect-sip-method.c +++ b/src/detect-sip-method.c @@ -117,8 +117,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-sip-uri.c b/src/detect-sip-uri.c index daf42235d8c5..f14021fb0755 100644 --- a/src/detect-sip-uri.c +++ b/src/detect-sip-uri.c @@ -96,8 +96,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-smb-ntlmssp.c b/src/detect-smb-ntlmssp.c index aa53269309cf..efcc6f111deb 100644 --- a/src/detect-smb-ntlmssp.c +++ b/src/detect-smb-ntlmssp.c @@ -68,8 +68,7 @@ static InspectionBuffer *GetNtlmsspUserData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } @@ -125,8 +124,7 @@ static InspectionBuffer *GetNtlmsspDomainData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-smb-share.c b/src/detect-smb-share.c index 018d8ceefd79..36bca26a166d 100644 --- a/src/detect-smb-share.c +++ b/src/detect-smb-share.c @@ -69,8 +69,7 @@ static InspectionBuffer *GetNamedPipeData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } @@ -130,8 +129,7 @@ static InspectionBuffer *GetShareData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-ssh-hassh-server-string.c b/src/detect-ssh-hassh-server-string.c index f62c72e79c79..92b733c10bab 100644 --- a/src/detect-ssh-hassh-server-string.c +++ b/src/detect-ssh-hassh-server-string.c @@ -76,8 +76,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-hassh-server.c b/src/detect-ssh-hassh-server.c index 98f7d3dc2e2f..2410767d4ccb 100644 --- a/src/detect-ssh-hassh-server.c +++ b/src/detect-ssh-hassh-server.c @@ -77,8 +77,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hasshServer, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, hasshServer, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-hassh-string.c b/src/detect-ssh-hassh-string.c index ad29b90ee764..2f9602af82a6 100644 --- a/src/detect-ssh-hassh-string.c +++ b/src/detect-ssh-hassh-string.c @@ -60,7 +60,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv, const int list_id) { - + SCEnter(); InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); @@ -76,8 +76,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-hassh.c b/src/detect-ssh-hassh.c index 377aa9d2c433..12aefcd5c541 100644 --- a/src/detect-ssh-hassh.c +++ b/src/detect-ssh-hassh.c @@ -61,7 +61,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv, const int list_id) { - + SCEnter(); InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); @@ -77,8 +77,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-proto.c b/src/detect-ssh-proto.c index 19807511e757..63b3b74d35c9 100644 --- a/src/detect-ssh-proto.c +++ b/src/detect-ssh-proto.c @@ -74,8 +74,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, protocol, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, protocol, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-software.c b/src/detect-ssh-software.c index 0a8d5aab0d97..36e9cb2972e9 100644 --- a/src/detect-ssh-software.c +++ b/src/detect-ssh-software.c @@ -74,8 +74,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, software, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, software, b_len, transforms); } return buffer; diff --git a/src/detect-tcphdr.c b/src/detect-tcphdr.c index fd7df2f687d7..920bdd798bed 100644 --- a/src/detect-tcphdr.c +++ b/src/detect-tcphdr.c @@ -115,8 +115,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)tcph; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-alpn.c b/src/detect-tls-alpn.c index b4aa82f9c52a..ccee33b14b64 100644 --- a/src/detect-tls-alpn.c +++ b/src/detect-tls-alpn.c @@ -141,7 +141,7 @@ static InspectionBuffer *TlsAlpnGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, a->alpn, a->size); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, a->alpn, a->size); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-tls-cert-fingerprint.c b/src/detect-tls-cert-fingerprint.c index 9fec32151dd6..dacb27504c90 100644 --- a/src/detect-tls-cert-fingerprint.c +++ b/src/detect-tls-cert-fingerprint.c @@ -151,8 +151,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_fingerprint); const uint8_t *data = (uint8_t *)connp->cert0_fingerprint; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-cert-issuer.c b/src/detect-tls-cert-issuer.c index 49bada4cdf6d..f6a6038a3d98 100644 --- a/src/detect-tls-cert-issuer.c +++ b/src/detect-tls-cert-issuer.c @@ -140,8 +140,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_issuerdn); const uint8_t *data = (uint8_t *)connp->cert0_issuerdn; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-cert-serial.c b/src/detect-tls-cert-serial.c index 0ac7bfdd20cc..99bdadef2827 100644 --- a/src/detect-tls-cert-serial.c +++ b/src/detect-tls-cert-serial.c @@ -150,8 +150,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_serial); const uint8_t *data = (uint8_t *)connp->cert0_serial; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-cert-subject.c b/src/detect-tls-cert-subject.c index e0dcde30a830..f79bf69d6470 100644 --- a/src/detect-tls-cert-subject.c +++ b/src/detect-tls-cert-subject.c @@ -142,8 +142,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_subject); const uint8_t *data = (uint8_t *)connp->cert0_subject; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-certs.c b/src/detect-tls-certs.c index f34c5e23bfb6..ef222b2f2c9e 100644 --- a/src/detect-tls-certs.c +++ b/src/detect-tls-certs.c @@ -101,7 +101,7 @@ static InspectionBuffer *TlsCertsGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, cert->cert_data, cert->cert_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, cert->cert_data, cert->cert_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c index 57b0e55edeb5..9e12b487a1c6 100644 --- a/src/detect-tls-ja3-hash.c +++ b/src/detect-tls-ja3-hash.c @@ -171,8 +171,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->client_connp.ja3_hash); const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_hash; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-ja3-string.c b/src/detect-tls-ja3-string.c index 1ec289c6e9d1..bce623d955b6 100644 --- a/src/detect-tls-ja3-string.c +++ b/src/detect-tls-ja3-string.c @@ -161,8 +161,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->client_connp.ja3_str->data); const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_str->data; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-ja3s-hash.c b/src/detect-tls-ja3s-hash.c index 6d3d42e5edf8..ba1dd5613470 100644 --- a/src/detect-tls-ja3s-hash.c +++ b/src/detect-tls-ja3s-hash.c @@ -169,8 +169,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->server_connp.ja3_hash); const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_hash; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-ja3s-string.c b/src/detect-tls-ja3s-string.c index 0104560627d5..10d1d5468c66 100644 --- a/src/detect-tls-ja3s-string.c +++ b/src/detect-tls-ja3s-string.c @@ -161,8 +161,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->server_connp.ja3_str->data); const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_str->data; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-random.c b/src/detect-tls-random.c index 2dd5871aea0f..e6eab9920545 100644 --- a/src/detect-tls-random.c +++ b/src/detect-tls-random.c @@ -222,8 +222,8 @@ static InspectionBuffer *GetRandomTimeData(DetectEngineThreadCtx *det_ctx, } else { data = ssl_state->server_connp.random; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } @@ -249,8 +249,8 @@ static InspectionBuffer *GetRandomBytesData(DetectEngineThreadCtx *det_ctx, } else { data = ssl_state->server_connp.random + DETECT_TLS_RANDOM_TIME_LEN; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } @@ -276,8 +276,8 @@ static InspectionBuffer *GetRandomData(DetectEngineThreadCtx *det_ctx, } else { data = ssl_state->server_connp.random; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c index ce8a068a4717..ff6f2dcd01f7 100644 --- a/src/detect-tls-sni.c +++ b/src/detect-tls-sni.c @@ -122,8 +122,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->client_connp.sni); const uint8_t *data = (uint8_t *)ssl_state->client_connp.sni; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-subjectaltname.c b/src/detect-tls-subjectaltname.c index 350db5d6f655..397a5e67cfaa 100644 --- a/src/detect-tls-subjectaltname.c +++ b/src/detect-tls-subjectaltname.c @@ -121,7 +121,7 @@ static InspectionBuffer *TlsSubjectAltNameGetData(DetectEngineThreadCtx *det_ctx return NULL; } - InspectionBufferSetupMulti(buffer, transforms, (const uint8_t *)connp->cert0_sans[idx], + InspectionBufferSetupMulti(det_ctx, buffer, transforms, (const uint8_t *)connp->cert0_sans[idx], strlen(connp->cert0_sans[idx])); buffer->flags = DETECT_CI_FLAGS_SINGLE; diff --git a/src/detect-transform-base64.c b/src/detect-transform-base64.c index e0fbdeeb44d6..8de44fb7a95a 100644 --- a/src/detect-transform-base64.c +++ b/src/detect-transform-base64.c @@ -42,7 +42,8 @@ static void DetectTransformFromBase64DecodeFree(DetectEngineCtx *, void *); #ifdef UNITTESTS static void DetectTransformFromBase64DecodeRegisterTests(void); #endif -static void TransformFromBase64Decode(InspectionBuffer *buffer, void *options); +static void TransformFromBase64Decode( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); #define DETECT_TRANSFORM_FROM_BASE64_MODE_DEFAULT (uint8_t) Base64ModeRFC4648 @@ -113,7 +114,8 @@ static int DetectTransformFromBase64DecodeSetup( SCReturnInt(r); } -static void TransformFromBase64Decode(InspectionBuffer *buffer, void *options) +static void TransformFromBase64Decode( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { SCDetectTransformFromBase64Data *b64d = options; const uint8_t *input = buffer->inspect; @@ -171,7 +173,7 @@ static int DetectTransformFromBase64DecodeTest01(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -192,7 +194,7 @@ static int DetectTransformFromBase64DecodeTest01a(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -212,7 +214,7 @@ static int DetectTransformFromBase64DecodeTest02(void) InspectionBufferSetup(NULL, -1, &buffer, input, input_len); buffer_orig = buffer; PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_offset == buffer_orig.inspect_offset); FAIL_IF_NOT(buffer.inspect_len == buffer_orig.inspect_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -234,7 +236,7 @@ static int DetectTransformFromBase64DecodeTest03(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(strncmp((const char *)input, (const char *)buffer.inspect, input_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); @@ -255,7 +257,7 @@ static int DetectTransformFromBase64DecodeTest04(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(strncmp((const char *)input, (const char *)buffer.inspect, input_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); @@ -279,7 +281,7 @@ static int DetectTransformFromBase64DecodeTest05(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -304,7 +306,7 @@ static int DetectTransformFromBase64DecodeTest06(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -328,7 +330,7 @@ static int DetectTransformFromBase64DecodeTest07(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -349,7 +351,7 @@ static int DetectTransformFromBase64DecodeTest08(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); // PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == 15); // PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); diff --git a/src/detect-transform-luaxform.c b/src/detect-transform-luaxform.c new file mode 100644 index 000000000000..cc1994721d42 --- /dev/null +++ b/src/detect-transform-luaxform.c @@ -0,0 +1,353 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Jeff Lucovsky + * + * Implements the luxaform transform keyword + */ + +#include "suricata-common.h" + +#include "detect.h" +#include "detect-engine.h" +#include "detect-parse.h" +#include "detect-lua.h" +#include "detect-transform-luaxform.h" +#include "detect-lua-extensions.h" + +#include "util-lua.h" +#include "util-lua-common.h" +#include "util-print.h" + +static int DetectTransformLuaxformSetup(DetectEngineCtx *, Signature *, const char *); +static void DetectTransformLuaxformFree(DetectEngineCtx *de_ctx, void *ptr); +static void TransformLuaxform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); + +void DetectTransformLuaxformRegister(void) +{ + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].name = "luaxform"; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].desc = + "pass inspection buffer to a Lua function along with " + "arguments supplied to the transform"; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].url = "/rules/transforms.html#luaxform"; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].Transform = TransformLuaxform; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].Free = DetectTransformLuaxformFree; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].Setup = DetectTransformLuaxformSetup; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].flags |= SIGMATCH_QUOTES_OPTIONAL; +} + +static void DetectTransformLuaxformFree(DetectEngineCtx *de_ctx, void *ptr) +{ + if (ptr != NULL) { + DetectLuaxformData *lua = (DetectLuaxformData *)ptr; + + if (lua->filename) + SCFree(lua->filename); + + if (lua->copystr) + SCFree(lua->copystr); + + if (de_ctx) { + DetectUnregisterThreadCtxFuncs(de_ctx, lua, "luaxform"); + } + + SCFree(lua); + } +} + +static int DetectTransformLuaxformSetupPrime( + DetectEngineCtx *de_ctx, DetectLuaxformData *ld, const Signature *s) +{ + lua_State *luastate = SCLuaSbStateNew(ld->alloc_limit, ld->instruction_limit); + if (luastate == NULL) + return -1; + if (ld->allow_restricted_functions) { + luaL_openlibs(luastate); + } else { + SCLuaSbLoadLibs(luastate); + } + + int status = luaL_loadfile(luastate, ld->filename); + if (status) { + SCLogError("couldn't load file: %s", lua_tostring(luastate, -1)); + goto error; + } + + /* prime the script (or something) */ + if (lua_pcall(luastate, 0, 0, 0) != 0) { + SCLogError("couldn't prime file: %s", lua_tostring(luastate, -1)); + goto error; + } + + lua_getglobal(luastate, "transform"); + if (lua_type(luastate, -1) != LUA_TFUNCTION) { + SCLogError("no transform function in script"); + goto error; + } + lua_pop(luastate, 1); + + /* init -- optional entry point */ + lua_getglobal(luastate, "init"); + if (lua_type(luastate, -1) == LUA_TFUNCTION) { + lua_newtable(luastate); /* stack at -1 */ + if (lua_gettop(luastate) == 0 || lua_type(luastate, 2) != LUA_TTABLE) { + SCLogError("no table setup"); + goto error; + } + + lua_pushliteral(luastate, "script_api_ver"); /* stack at -2 */ + lua_pushnumber(luastate, 1); /* stack at -3 */ + lua_settable(luastate, -3); + + if (lua_pcall(luastate, 1, 1, 0) != 0) { + SCLogError("couldn't run script 'init' function: %s", lua_tostring(luastate, -1)); + goto error; + } + } + + LuaRegisterExtensions(luastate); + /* pop the table */ + lua_pop(luastate, 1); + + SCLuaSbStateClose(luastate); + return 0; + +error: + SCLuaSbStateClose(luastate); + return -1; +} + +static DetectLuaxformData *DetectLuaxformParse(DetectEngineCtx *de_ctx, const char *str) +{ + DetectLuaxformData *lua = NULL; + + /* We have a correct lua option */ + lua = SCCalloc(1, sizeof(DetectLuaxformData)); + if (unlikely(lua == NULL)) { + FatalError("unable to allocate memory for Lua transform: %s", str); + } + + lua->copystr = strdup(str); + + int count = 0; + char *saveptr = NULL; + char *token = strtok_r(lua->copystr, ",", &saveptr); + while (token != NULL && count < LUAXFORM_MAX_ARGS) { + lua->args[count++] = token; + token = strtok_r(NULL, ",", &saveptr); + } + + if (count == 0) { + SCLogError("Lua script name not supplied"); + goto error; + } + + lua->arg_count = count - 1; + + /* get full filename */ + lua->filename = DetectLoadCompleteSigPath(de_ctx, lua->args[0]); + if (lua->filename == NULL) { + goto error; + } + + return lua; + +error: + if (lua != NULL) + DetectTransformLuaxformFree(de_ctx, lua); + return NULL; +} + +static void *DetectLuaxformThreadInit(void *data) +{ + /* Note: This will always be non-null as alloc errors are checked before registering callback */ + DetectLuaxformData *lua = (DetectLuaxformData *)data; + + DetectLuaThreadData *t = SCCalloc(1, sizeof(DetectLuaThreadData)); + if (unlikely(t == NULL)) { + FatalError("unable to allocate luaxform context memory"); + } + + t->luastate = SCLuaSbStateNew(lua->alloc_limit, lua->instruction_limit); + if (t->luastate == NULL) { + SCLogError("luastate pool depleted"); + goto error; + } + + if (lua->allow_restricted_functions) { + luaL_openlibs(t->luastate); + } else { + SCLuaSbLoadLibs(t->luastate); + } + + LuaRegisterExtensions(t->luastate); + + int status = luaL_loadfile(t->luastate, lua->filename); + if (status) { + SCLogError("couldn't load file: %s", lua_tostring(t->luastate, -1)); + goto error; + } + + /* prime the script (or something) */ + if (lua_pcall(t->luastate, 0, 0, 0) != 0) { + SCLogError("couldn't prime file: %s", lua_tostring(t->luastate, -1)); + goto error; + } + + return (void *)t; + +error: + if (t->luastate != NULL) + SCLuaSbStateClose(t->luastate); + SCFree(t); + return NULL; +} + +static void DetectLuaxformThreadFree(void *ctx) +{ + if (ctx != NULL) { + DetectLuaxformThreadData *t = (DetectLuaxformThreadData *)ctx; + if (t->luastate != NULL) + SCLuaSbStateClose(t->luastate); + SCFree(t); + } +} + +/** + * \internal + * \brief Apply the luaxform keyword to the last pattern match + * \param de_ctx detection engine ctx + * \param s signature + * \param str lua filename and optional args + * \retval 0 ok + * \retval -1 failure + */ +static int DetectTransformLuaxformSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) +{ + SCEnter(); + + /* First check if Lua rules are enabled, by default Lua in rules + * is disabled. */ + int enabled = 0; + (void)ConfGetBool("security.lua.allow-rules", &enabled); + if (!enabled) { + SCLogError("Lua rules disabled by security configuration: security.lua.allow-rules"); + SCReturnInt(-1); + } + + DetectLuaxformData *lua = DetectLuaxformParse(de_ctx, str); + if (lua == NULL) + goto error; + + /* Load lua sandbox configurations */ + intmax_t lua_alloc_limit = DEFAULT_LUA_ALLOC_LIMIT; + intmax_t lua_instruction_limit = DEFAULT_LUA_INSTRUCTION_LIMIT; + int allow_restricted_functions = 0; + (void)ConfGetInt("security.lua.max-bytes", &lua_alloc_limit); + (void)ConfGetInt("security.lua.max-instructions", &lua_instruction_limit); + (void)ConfGetBool("security.lua.allow-restricted-functions", &allow_restricted_functions); + + lua->alloc_limit = lua_alloc_limit; + lua->instruction_limit = lua_instruction_limit; + lua->allow_restricted_functions = allow_restricted_functions; + + if (DetectTransformLuaxformSetupPrime(de_ctx, lua, s) == -1) { + goto error; + } + + lua->thread_ctx_id = DetectRegisterThreadCtxFuncs( + de_ctx, "luaxform", DetectLuaxformThreadInit, (void *)lua, DetectLuaxformThreadFree, 0); + if (lua->thread_ctx_id == -1) + goto error; + + if (0 == DetectSignatureAddTransform(s, DETECT_TRANSFORM_LUAXFORM, lua)) + SCReturnInt(0); + +error: + + if (lua != NULL) + DetectTransformLuaxformFree(de_ctx, lua); + SCReturnInt(-1); +} + +static void TransformLuaxform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) +{ + if (buffer->inspect_len == 0) { + return; + } + + DetectLuaxformData *lua = options; + DetectLuaThreadData *tlua = + (DetectLuaThreadData *)DetectThreadCtxGetKeywordThreadCtx(det_ctx, lua->thread_ctx_id); + if (tlua == NULL) { + return; + } + + lua_getglobal(tlua->luastate, "transform"); + + const uint8_t *input = buffer->inspect; + const uint32_t input_len = buffer->inspect_len; + /* Lua script args are: buffer length, buffer, arg count, args */ + LuaPushInteger(tlua->luastate, (lua_Integer)input_len); + LuaPushStringBuffer(tlua->luastate, input, (size_t)input_len); + LuaPushInteger(tlua->luastate, (lua_Integer)lua->arg_count); + + /* + * Add provided arguments for lua script (these are optionally + * provided by the rule writer). + * + * Start at offset 1 (arg[0] is the lua script filename) + */ + lua_newtable(tlua->luastate); + for (int i = 1; i < lua->arg_count + 1; i++) { + LuaPushInteger(tlua->luastate, i); + lua_pushstring(tlua->luastate, lua->args[i]); + lua_settable(tlua->luastate, -3); + } + + SCLuaSbResetInstructionCounter(tlua->luastate); + + if (LUA_OK != lua_pcall(tlua->luastate, 4, 2, 0)) { + SCLogDebug("error calling lua script: %s", lua_tostring(tlua->luastate, -1)); + } else { + /* Lua transform functions must return 2 values: buffer and length */ + int return_value_count = lua_gettop(tlua->luastate); + if (return_value_count != 2) { + SCLogDebug("Error: expected 2 return values but got %d", return_value_count); + lua_pop(tlua->luastate, return_value_count); + return; + } + if (lua_isstring(tlua->luastate, -2)) { + const char *transformed_buffer = lua_tostring(tlua->luastate, -2); + int transformed_buffer_byte_count = lua_tointeger(tlua->luastate, -1); + if (transformed_buffer != NULL && transformed_buffer_byte_count > 0) + InspectionBufferCopy( + buffer, (uint8_t *)transformed_buffer, transformed_buffer_byte_count); + SCLogDebug("transform returns [nbytes %d] \"%p\"", transformed_buffer_byte_count, + transformed_buffer); + // PrintRawDataFp(stdout, (const uint8_t *)transformed_buffer, + // transformed_buffer_byte_count); + } + } + + lua_pop(tlua->luastate, 2); // Pop the result string/length +} diff --git a/src/detect-transform-luaxform.h b/src/detect-transform-luaxform.h new file mode 100644 index 000000000000..9a5cb8700f63 --- /dev/null +++ b/src/detect-transform-luaxform.h @@ -0,0 +1,47 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Jeff Lucovsky + */ + +#ifndef SURICATA_DETECT_TRANSFORM_LUAXFORM_H +#define SURICATA_DETECT_TRANSFORM_LUAXFORM_H + +/* prototypes */ +void DetectTransformLuaxformRegister(void); + +#define LUAXFORM_MAX_ARGS 10 + +typedef struct DetectLuaxformData { + int thread_ctx_id; + int allow_restricted_functions; + int arg_count; + uint64_t alloc_limit; + uint64_t instruction_limit; + char *filename; + char *copystr; + char *args[LUAXFORM_MAX_ARGS]; +} DetectLuaxformData; + +typedef struct DetectLuaxformThreadData { + lua_State *luastate; +} DetectLuaxformThreadData; + +#endif /* SURICATA_DETECT_TRANSFORM_LUAXFORM_H */ diff --git a/src/detect-transform-pcrexform.c b/src/detect-transform-pcrexform.c index c517175b8722..b24ad64f80d2 100644 --- a/src/detect-transform-pcrexform.c +++ b/src/detect-transform-pcrexform.c @@ -38,7 +38,8 @@ typedef struct DetectTransformPcrexformData { static int DetectTransformPcrexformSetup (DetectEngineCtx *, Signature *, const char *); static void DetectTransformPcrexformFree(DetectEngineCtx *, void *); -static void DetectTransformPcrexform(InspectionBuffer *buffer, void *options); +static void DetectTransformPcrexform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); #ifdef UNITTESTS void DetectTransformPcrexformRegisterTests (void); #endif @@ -132,7 +133,8 @@ static int DetectTransformPcrexformSetup (DetectEngineCtx *de_ctx, Signature *s, SCReturnInt(r); } -static void DetectTransformPcrexform(InspectionBuffer *buffer, void *options) +static void DetectTransformPcrexform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const char *input = (const char *)buffer->inspect; const uint32_t input_len = buffer->inspect_len; diff --git a/src/detect-udphdr.c b/src/detect-udphdr.c index 9f6d16ebf0b0..0e604104a8b5 100644 --- a/src/detect-udphdr.c +++ b/src/detect-udphdr.c @@ -111,8 +111,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = UDP_HEADER_LEN; const uint8_t *data = (const uint8_t *)udph; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect.h b/src/detect.h index fe755b7f0d14..1f96223c8ebf 100644 --- a/src/detect.h +++ b/src/detect.h @@ -1282,7 +1282,7 @@ typedef struct SigTableElmt_ { uint8_t flags, File *, const Signature *, const SigMatchCtx *); /** InspectionBuffer transformation callback */ - void (*Transform)(InspectionBuffer *, void *context); + void (*Transform)(DetectEngineThreadCtx *, InspectionBuffer *, void *context); bool (*TransformValidate)(const uint8_t *content, uint16_t content_len, void *context); /** keyword setup function pointer */ diff --git a/src/util-hashlist.c b/src/util-hashlist.c index 085a988afe76..b082f164380f 100644 --- a/src/util-hashlist.c +++ b/src/util-hashlist.c @@ -32,6 +32,58 @@ #include "util-debug.h" #include "util-memcmp.h" +HashListTable *HashListTableInitWithCtx(uint32_t size, + uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), + char (*Compare)(void *, uint16_t, void *, uint16_t), void (*FreeWithCtx)(void *, void *)) +{ + sc_errno = SC_OK; + HashListTable *ht = NULL; + + if (size == 0) { + sc_errno = SC_EINVAL; + goto error; + } + + if (Hash == NULL) { + sc_errno = SC_EINVAL; + goto error; + } + + /* setup the filter */ + ht = SCCalloc(1, sizeof(HashListTable)); + if (unlikely(ht == NULL)) { + sc_errno = SC_ENOMEM; + goto error; + } + ht->array_size = size; + ht->Hash = Hash; + ht->FreeWithCtx = FreeWithCtx; + + if (Compare != NULL) + ht->Compare = Compare; + else + ht->Compare = HashListTableDefaultCompare; + + /* setup the bitarray */ + ht->array = SCCalloc(ht->array_size, sizeof(HashListTableBucket *)); + if (ht->array == NULL) { + sc_errno = SC_ENOMEM; + goto error; + } + + ht->listhead = NULL; + ht->listtail = NULL; + return ht; + +error: + if (ht != NULL) { + if (ht->array != NULL) + SCFree(ht->array); + + SCFree(ht); + } + return NULL; +} HashListTable *HashListTableInit(uint32_t size, uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), char (*Compare)(void *, uint16_t, void *, uint16_t), void (*Free)(void *)) @@ -85,6 +137,32 @@ HashListTable *HashListTableInit(uint32_t size, return NULL; } +void HashListTableFreeWithCtx(void *ctx, HashListTable *ht) +{ + uint32_t i = 0; + + if (ht == NULL) + return; + + /* free the buckets */ + for (i = 0; i < ht->array_size; i++) { + HashListTableBucket *hashbucket = ht->array[i]; + while (hashbucket != NULL) { + HashListTableBucket *next_hashbucket = hashbucket->bucknext; + if (ht->FreeWithCtx != NULL) + ht->FreeWithCtx(ctx, hashbucket->data); + SCFree(hashbucket); + hashbucket = next_hashbucket; + } + } + + /* free the array */ + if (ht->array != NULL) + SCFree(ht->array); + + SCFree(ht); +} + void HashListTableFree(HashListTable *ht) { uint32_t i = 0; diff --git a/src/util-hashlist.h b/src/util-hashlist.h index 15bd578e5319..6ae320098ae0 100644 --- a/src/util-hashlist.h +++ b/src/util-hashlist.h @@ -42,10 +42,16 @@ typedef struct HashListTable_ { uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t); char (*Compare)(void *, uint16_t, void *, uint16_t); void (*Free)(void *); + void (*FreeWithCtx)(void *, void *); } HashListTable; /* prototypes */ HashListTable* HashListTableInit(uint32_t, uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), char (*Compare)(void *, uint16_t, void *, uint16_t), void (*Free)(void *)); +HashListTable *HashListTableInitWithCtx(uint32_t, + uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), + char (*Compare)(void *, uint16_t, void *, uint16_t), void (*FreeWithCtx)(void *, void *)); + +void HashListTableFreeWithCtx(void *, HashListTable *); void HashListTableFree(HashListTable *); int HashListTableAdd(HashListTable *, void *, uint16_t); int HashListTableRemove(HashListTable *, void *, uint16_t); diff --git a/src/util-ja3.c b/src/util-ja3.c index b89a62e0d0bf..af2cbbb2b3e6 100644 --- a/src/util-ja3.c +++ b/src/util-ja3.c @@ -278,7 +278,7 @@ InspectionBuffer *Ja3DetectGetHash(DetectEngineThreadCtx *det_ctx, InspectionBufferSetup(det_ctx, list_id, buffer, NULL, 0); InspectionBufferCopy(buffer, ja3_hash, SC_MD5_HEX_LEN); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -297,8 +297,7 @@ InspectionBuffer *Ja3DetectGetString(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/util-lua-common.h b/src/util-lua-common.h index 5d6ea41f4be4..4834f4fa7af9 100644 --- a/src/util-lua-common.h +++ b/src/util-lua-common.h @@ -24,6 +24,9 @@ #ifndef SURICATA_UTIL_LUA_COMMON_H #define SURICATA_UTIL_LUA_COMMON_H +#define DEFAULT_LUA_ALLOC_LIMIT 500000 +#define DEFAULT_LUA_INSTRUCTION_LIMIT 500000 + int LuaCallbackError(lua_State *luastate, const char *msg); const char *LuaGetStringArgument(lua_State *luastate, int argc);