From 61fac5a4cad4b83056d7260671e2156d33b80ae3 Mon Sep 17 00:00:00 2001 
From: Jeff Lucovsky Date: Thu, 12 Sep 2024 10:44:05 -0400 Subject: [PATCH 1/7] transforms: Make ctx available This commit makes the detection engine thread context available for transforms to use. The Lua transform requires this value. Issue: 2290 --- rust/src/detect/transforms/casechange.rs | 4 ++-- .../detect/transforms/compress_whitespace.rs | 2 +- rust/src/detect/transforms/dotprefix.rs | 2 +- rust/src/detect/transforms/hash.rs | 6 ++--- rust/src/detect/transforms/http_headers.rs | 4 ++-- rust/src/detect/transforms/mod.rs | 2 +- .../src/detect/transforms/strip_whitespace.rs | 2 +- rust/src/detect/transforms/urldecode.rs | 2 +- rust/src/detect/transforms/xor.rs | 2 +- src/detect-dce-stub-data.c | 4 ++-- src/detect-dnp3.c | 2 +- src/detect-dns-answer-name.c | 2 +- src/detect-dns-query-name.c | 2 +- src/detect-dns-query.c | 2 +- src/detect-engine-frame.c | 16 ++++++------- src/detect-engine-helper.c | 12 +++++----- src/detect-engine.c | 10 ++++---- src/detect-engine.h | 6 ++--- src/detect-file-data.c | 5 ++-- src/detect-filemagic.c | 2 +- src/detect-filename.c | 2 +- src/detect-http-client-body.c | 2 +- src/detect-http-cookie.c | 8 +++---- src/detect-http-header-names.c | 4 ++-- src/detect-http-header.c | 12 +++++----- src/detect-http-headers-stub.h | 8 +++---- src/detect-http-host.c | 8 +++---- src/detect-http-method.c | 4 ++-- src/detect-http-protocol.c | 4 ++-- src/detect-http-raw-header.c | 4 ++-- src/detect-http-request-line.c | 4 ++-- src/detect-http-response-line.c | 4 ++-- src/detect-http-start.c | 2 +- src/detect-http-stat-code.c | 4 ++-- src/detect-http-stat-msg.c | 4 ++-- src/detect-http-ua.c | 4 ++-- src/detect-http-uri.c | 6 ++--- src/detect-icmpv4hdr.c | 2 +- src/detect-icmpv6hdr.c | 2 +- src/detect-ike-key-exchange-payload.c | 2 +- src/detect-ike-nonce-payload.c | 2 +- src/detect-ike-spi.c | 4 ++-- src/detect-ike-vendor.c | 2 +- src/detect-ipaddr.c | 4 ++-- src/detect-ipv4hdr.c | 2 +- src/detect-ipv6hdr.c | 2 +- src/detect-ja4-hash.c | 4 ++-- 
src/detect-krb5-cname.c | 2 +- src/detect-krb5-sname.c | 2 +- src/detect-quic-cyu-hash.c | 2 +- src/detect-quic-cyu-string.c | 2 +- src/detect-quic-sni.c | 2 +- src/detect-quic-ua.c | 2 +- src/detect-quic-version.c | 2 +- src/detect-sip-method.c | 2 +- src/detect-sip-uri.c | 2 +- src/detect-smb-ntlmssp.c | 4 ++-- src/detect-smb-share.c | 4 ++-- src/detect-ssh-hassh-server-string.c | 2 +- src/detect-ssh-hassh-server.c | 2 +- src/detect-ssh-hassh-string.c | 2 +- src/detect-ssh-hassh.c | 2 +- src/detect-ssh-proto.c | 2 +- src/detect-ssh-software.c | 2 +- src/detect-tcphdr.c | 2 +- src/detect-tls-alpn.c | 2 +- src/detect-tls-cert-fingerprint.c | 2 +- src/detect-tls-cert-issuer.c | 2 +- src/detect-tls-cert-serial.c | 2 +- src/detect-tls-cert-subject.c | 2 +- src/detect-tls-certs.c | 2 +- src/detect-tls-ja3-hash.c | 2 +- src/detect-tls-ja3-string.c | 2 +- src/detect-tls-ja3s-hash.c | 2 +- src/detect-tls-ja3s-string.c | 2 +- src/detect-tls-random.c | 6 ++--- src/detect-tls-sni.c | 2 +- src/detect-tls-subjectaltname.c | 2 +- src/detect-transform-base64.c | 24 ++++++++++--------- src/detect-transform-pcrexform.c | 6 +++-- src/detect-udphdr.c | 2 +- src/detect.h | 2 +- src/util-ja3.c | 4 ++-- 83 files changed, 156 insertions(+), 151 deletions(-) diff --git a/rust/src/detect/transforms/casechange.rs b/rust/src/detect/transforms/casechange.rs index 80b6b82a48ac..3688e8068052 100644 --- a/rust/src/detect/transforms/casechange.rs +++ b/rust/src/detect/transforms/casechange.rs @@ -41,7 +41,7 @@ fn tolower_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn tolower_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn tolower_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { 
@@ -106,7 +106,7 @@ fn toupper_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn toupper_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn toupper_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/compress_whitespace.rs b/rust/src/detect/transforms/compress_whitespace.rs index 5e96be1f10d0..8cec4951c419 100644 --- a/rust/src/detect/transforms/compress_whitespace.rs +++ b/rust/src/detect/transforms/compress_whitespace.rs @@ -56,7 +56,7 @@ fn compress_whitespace_transform_do(input: &[u8], output: &mut [u8]) -> u32 { } #[no_mangle] -unsafe extern "C" fn compress_whitespace_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn compress_whitespace_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/dotprefix.rs b/rust/src/detect/transforms/dotprefix.rs index eef6d048bd08..616a61f2114f 100644 --- a/rust/src/detect/transforms/dotprefix.rs +++ b/rust/src/detect/transforms/dotprefix.rs @@ -39,7 +39,7 @@ fn dot_prefix_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn dot_prefix_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn dot_prefix_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/hash.rs b/rust/src/detect/transforms/hash.rs index 76922f678b91..b7a6f3b0e976 100644 --- a/rust/src/detect/transforms/hash.rs +++ b/rust/src/detect/transforms/hash.rs 
@@ -51,7 +51,7 @@ fn md5_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn md5_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn md5_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { @@ -107,7 +107,7 @@ fn sha1_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn sha1_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn sha1_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { @@ -163,7 +163,7 @@ fn sha256_transform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn sha256_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn sha256_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/http_headers.rs b/rust/src/detect/transforms/http_headers.rs index 939cbb3d338a..1c02c377fffb 100644 --- a/rust/src/detect/transforms/http_headers.rs +++ b/rust/src/detect/transforms/http_headers.rs @@ -54,7 +54,7 @@ fn header_lowertransform_do(input: &[u8], output: &mut [u8]) { } #[no_mangle] -unsafe extern "C" fn header_lowertransform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn header_lowertransform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { 
@@ -113,7 +113,7 @@ fn strip_pseudo_transform_do(input: &[u8], output: &mut [u8]) -> u32 { } #[no_mangle] -unsafe extern "C" fn strip_pseudo_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn strip_pseudo_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/mod.rs b/rust/src/detect/transforms/mod.rs index 01603cabc116..e35d2930442f 100644 --- a/rust/src/detect/transforms/mod.rs +++ b/rust/src/detect/transforms/mod.rs @@ -37,7 +37,7 @@ pub struct SCTransformTableElmt { pub flags: u16, pub Setup: unsafe extern "C" fn(de: *mut c_void, s: *mut c_void, raw: *const c_char) -> c_int, pub Free: Option, - pub Transform: unsafe extern "C" fn(inspect_buf: *mut c_void, options: *mut c_void), + pub Transform: unsafe extern "C" fn(det: *mut c_void, inspect_buf: *mut c_void, options: *mut c_void), pub TransformValidate: Option bool>, } diff --git a/rust/src/detect/transforms/strip_whitespace.rs b/rust/src/detect/transforms/strip_whitespace.rs index 2fb8599a5365..443875682cfe 100644 --- a/rust/src/detect/transforms/strip_whitespace.rs +++ b/rust/src/detect/transforms/strip_whitespace.rs @@ -46,7 +46,7 @@ fn strip_whitespace_transform_do(input: &[u8], output: &mut [u8]) -> u32 { } #[no_mangle] -unsafe extern "C" fn strip_whitespace_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn strip_whitespace_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/urldecode.rs b/rust/src/detect/transforms/urldecode.rs index 59620ad42d2d..681e72d69b21 100644 --- a/rust/src/detect/transforms/urldecode.rs +++ b/rust/src/detect/transforms/urldecode.rs 
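Review bot: The `Transform` field of `SCTransformTableElmt` gains a `det` argument typed `*mut c_void`, with no comment saying what it points to or whether Rust code may touch it. Judging by the C call sites in this patch it is the inspecting thread's `DetectEngineThreadCtx`, so a doc comment on the field would help, for example `/// det: opaque DetectEngineThreadCtx of the calling thread; hand it back to C only, do not dereference it from Rust`. The same parameter is called `_det` in every Rust transform touched here (casechange, compress_whitespace, dotprefix, hash, http_headers, strip_whitespace, urldecode, xor) and `det_ctx` on the C side; a single name would make the FFI boundary easier to audit. The struct definition starts above the hunk.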
@@ -88,7 +88,7 @@ fn url_decode_transform_do(input: &[u8], output: &mut [u8]) -> u32 { } #[no_mangle] -unsafe extern "C" fn url_decode_transform(buffer: *mut c_void, _ctx: *mut c_void) { +unsafe extern "C" fn url_decode_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/rust/src/detect/transforms/xor.rs b/rust/src/detect/transforms/xor.rs index cf801170d977..1a2da33484b6 100644 --- a/rust/src/detect/transforms/xor.rs +++ b/rust/src/detect/transforms/xor.rs @@ -78,7 +78,7 @@ fn xor_transform_do(input: &[u8], output: &mut [u8], ctx: &DetectTransformXorDat } #[no_mangle] -unsafe extern "C" fn xor_transform(buffer: *mut c_void, ctx: *mut c_void) { +unsafe extern "C" fn xor_transform(_det: *mut c_void, buffer: *mut c_void, ctx: *mut c_void) { let input = InspectionBufferPtr(buffer); let input_len = InspectionBufferLength(buffer); if input.is_null() || input_len == 0 { diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index b0ee04590583..9642cabfdf83 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -80,7 +80,7 @@ static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx, SCLogDebug("have data!"); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -106,7 +106,7 @@ static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx, buffer->flags |= DETECT_CI_FLAGS_DCE_BE; } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-dnp3.c b/src/detect-dnp3.c index 807c189611d8..0f1b252f05b4 100644 --- a/src/detect-dnp3.c +++ b/src/detect-dnp3.c 
@@ -167,7 +167,7 @@ static InspectionBuffer *GetDNP3Data(DetectEngineThreadCtx *det_ctx, SCLogDebug("tx %p data %p data_len %u", tx, tx->buffer, tx->buffer_len); InspectionBufferSetup(det_ctx, list_id, buffer, tx->buffer, tx->buffer_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-dns-answer-name.c b/src/detect-dns-answer-name.c index dc1272d47510..8c7243e8ae76 100644 --- a/src/detect-dns-answer-name.c +++ b/src/detect-dns-answer-name.c @@ -64,7 +64,7 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; return buffer; } diff --git a/src/detect-dns-query-name.c b/src/detect-dns-query-name.c index ca1cc79fa4bf..05eb0a8d7a15 100644 --- a/src/detect-dns-query-name.c +++ b/src/detect-dns-query-name.c @@ -64,7 +64,7 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; return buffer; } diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c index ef510f15287a..db25af166af5 100644 --- a/src/detect-dns-query.c +++ b/src/detect-dns-query.c @@ -85,7 +85,7 @@ static InspectionBuffer *DnsQueryGetData(DetectEngineThreadCtx *det_ctx, InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); 
diff --git a/src/detect-engine-frame.c b/src/detect-engine-frame.c index fd3163d59732..5b3f01281984 100644 --- a/src/detect-engine-frame.c +++ b/src/detect-engine-frame.c @@ -67,8 +67,8 @@ static bool SetupStreamCallbackData(struct FrameStreamData *dst, const TcpSessio static bool BufferSetup(struct FrameStreamData *fsd, InspectionBuffer *buffer, const uint8_t *input, const uint32_t input_len, const uint64_t input_offset); -static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const Packet *p, - const DetectEngineTransforms *transforms); +static void BufferSetupUdp(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const Frame *frame, const Packet *p, const DetectEngineTransforms *transforms); void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const Frames *frames, const Frame *frame, const AppProto alproto) @@ -159,7 +159,7 @@ static void PrefilterMpmFrame(DetectEngineThreadCtx *det_ctx, const void *pectx, if (frame->offset >= p->payload_len) return; - BufferSetupUdp(buffer, frame, p, ctx->transforms); + BufferSetupUdp(det_ctx, buffer, frame, p, ctx->transforms); const uint32_t data_len = buffer->inspect_len; const uint8_t *data = buffer->inspect; @@ -251,8 +251,8 @@ bool DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, c return false; } -static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const Packet *p, - const DetectEngineTransforms *transforms) +static void BufferSetupUdp(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const Frame *frame, const Packet *p, const DetectEngineTransforms *transforms) { uint8_t ci_flags = DETECT_CI_FLAGS_START; uint32_t frame_len; 
@@ -275,7 +275,7 @@ static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const P AppLayerParserGetFrameNameById(p->flow->proto, p->flow->alproto, frame->type), frame->offset, frame->type, frame->len); - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->inspect_offset = 0; buffer->flags = ci_flags; } @@ -301,7 +301,7 @@ static int DetectFrameInspectUdp(DetectEngineThreadCtx *det_ctx, return DETECT_ENGINE_INSPECT_SIG_NO_MATCH; if (!buffer->initialized) - BufferSetupUdp(buffer, frame, p, transforms); + BufferSetupUdp(det_ctx, buffer, frame, p, transforms); DEBUG_VALIDATE_BUG_ON(!buffer->initialized); if (buffer->inspect == NULL) return DETECT_ENGINE_INSPECT_SIG_NO_MATCH; @@ -387,7 +387,7 @@ static bool BufferSetup(struct FrameStreamData *fsd, InspectionBuffer *buffer, c } // PrintRawDataFp(stdout, data, data_len); SCLogDebug("fsd->transforms %p", fsd->transforms); - InspectionBufferSetupMulti(buffer, fsd->transforms, data, data_len); + InspectionBufferSetupMulti(fsd->det_ctx, buffer, fsd->transforms, data, data_len); SCLogDebug("inspect_offset %" PRIu64, fo_inspect_offset); buffer->inspect_offset = fo_inspect_offset; buffer->flags = ci_flags; diff --git a/src/detect-engine-helper.c b/src/detect-engine-helper.c index 07ffb8177057..d47e7b72bebe 100644 --- a/src/detect-engine-helper.c +++ b/src/detect-engine-helper.c @@ -57,7 +57,7 @@ InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } 
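Review bot: `BufferSetup` now takes the thread context from `fsd->det_ctx` rather than from a parameter, and none of this file's hunks shows where that field is filled in. If any path builds a `FrameStreamData` without setting it, the transforms receive NULL, which matters once a transform (the Lua one named in the commit message) starts dereferencing the pointer. It is worth confirming that `SetupStreamCallbackData` always sets the field, or adding `DEBUG_VALIDATE_BUG_ON(fsd->det_ctx == NULL);` before the `InspectionBufferSetupMulti` call. The function starts above the hunk and continues below it.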
@@ -115,8 +115,8 @@ int DetectHelperKeywordRegister(const SCSigTableElmt *kw) (int (*)(DetectEngineThreadCtx * det_ctx, Flow * f, uint8_t flags, void *alstate, void *txv, const Signature *s, const SigMatchCtx *ctx)) kw->AppLayerTxMatch; sigmatch_table[DETECT_TBLSIZE_IDX].Setup = - (int (*)(DetectEngineCtx * de, Signature * s, const char *raw)) kw->Setup; - sigmatch_table[DETECT_TBLSIZE_IDX].Free = (void (*)(DetectEngineCtx * de, void *ptr)) kw->Free; + (int (*)(DetectEngineCtx *de, Signature *s, const char *raw)) kw->Setup; + sigmatch_table[DETECT_TBLSIZE_IDX].Free = (void (*)(DetectEngineCtx *de, void *ptr)) kw->Free; DETECT_TBLSIZE_IDX++; return DETECT_TBLSIZE_IDX - 1; } @@ -137,8 +137,8 @@ int DetectHelperTransformRegister(const SCTransformTableElmt *kw) sigmatch_table[DETECT_TBLSIZE_IDX].desc = kw->desc; sigmatch_table[DETECT_TBLSIZE_IDX].url = kw->url; sigmatch_table[DETECT_TBLSIZE_IDX].flags = kw->flags; - sigmatch_table[DETECT_TBLSIZE_IDX].Transform = - (void (*)(InspectionBuffer * buffer, void *options)) kw->Transform; + sigmatch_table[DETECT_TBLSIZE_IDX].Transform = (void (*)(struct DetectEngineThreadCtx_ *det_ctx, + InspectionBuffer *buffer, void *options))kw->Transform; sigmatch_table[DETECT_TBLSIZE_IDX].TransformValidate = (bool (*)( const uint8_t *content, uint16_t content_len, void *context))kw->TransformValidate; sigmatch_table[DETECT_TBLSIZE_IDX].Setup = @@ -167,7 +167,7 @@ InspectionBuffer *DetectHelperGetMultiData(struct DetectEngineThreadCtx_ *det_ct InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; return buffer; } diff --git a/src/detect-engine.c b/src/detect-engine.c index 77c25a1cf3a9..f93d5ef7a056 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c 
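Review bot: The function-pointer cast applied to `kw->Transform` in `DetectHelperTransformRegister` means the compiler cannot reject a callback that still has the old two-argument signature. Such a callback, for instance from a transform built against the previous `SCTransformTableElmt` layout, would register without error and then be called with `det_ctx` in the position where it expects the `InspectionBuffer`, so it would treat the thread context as the buffer. Since the cast has to stay, a comment next to it would make the contract visible, e.g. `/* ABI: Transform is (det_ctx, buffer, options); keep in sync with rust/src/detect/transforms/mod.rs */`, and the signature change deserves a line in the commit message or upgrade notes. The function body starts above the hunk and continues below it.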
@@ -1577,8 +1577,8 @@ void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer) } /** \brief setup the buffer with our initial data */ -void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, - const uint8_t *data, const uint32_t data_len) +void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len) { #ifdef DEBUG_VALIDATION DEBUG_VALIDATE_BUG_ON(!buffer->multi); @@ -1588,7 +1588,7 @@ void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTran buffer->len = 0; buffer->initialized = true; - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } /** \brief setup the buffer with our initial data */ @@ -1708,7 +1708,7 @@ bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_lis return true; } -void InspectionBufferApplyTransforms(InspectionBuffer *buffer, +void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms) { if (transforms) { @@ -1717,7 +1717,7 @@ void InspectionBufferApplyTransforms(InspectionBuffer *buffer, if (id == 0) break; BUG_ON(sigmatch_table[id].Transform == NULL); - sigmatch_table[id].Transform(buffer, transforms->transforms[i].options); + sigmatch_table[id].Transform(det_ctx, buffer, transforms->transforms[i].options); SCLogDebug("applied transform %s", sigmatch_table[id].name); } } diff --git a/src/detect-engine.h b/src/detect-engine.h index b75d124f9cd4..866ffc8d718e 100644 --- a/src/detect-engine.h +++ b/src/detect-engine.h 
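Review bot: The doxygen comment above `InspectionBufferSetupMulti` still reads only `\brief setup the buffer with our initial data`, and `InspectionBufferApplyTransforms` has none in the hunk, so the new `det_ctx` parameter is undocumented on both. Callers need to know whether NULL is acceptable, because `InspectionBufferApplyTransforms` passes the pointer to every `Transform` callback without checking it. Suggest adding `\param det_ctx detection engine thread ctx, passed unchanged to each transform; must not be NULL` to both, or stating the opposite if some callers (unit tests, for example) are expected to pass NULL. Both function bodies continue outside their hunks.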
@@ -34,13 +34,13 @@ void InspectionBufferFree(InspectionBuffer *buffer); void *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size); void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len); void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len); -void InspectionBufferApplyTransforms(InspectionBuffer *buffer, +void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms); void InspectionBufferClean(DetectEngineThreadCtx *det_ctx); InspectionBuffer *InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id); void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer); -void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, - const uint8_t *data, const uint32_t data_len); +void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len); InspectionBuffer *InspectionBufferMultipleForListGet( DetectEngineThreadCtx *det_ctx, const int list_id, uint32_t local_id); diff --git a/src/detect-file-data.c b/src/detect-file-data.c index a721c08c7cf9..3dc132d8d076 100644 --- a/src/detect-file-data.c +++ b/src/detect-file-data.c @@ -192,7 +192,8 @@ static inline InspectionBuffer *FiledataWithXformsGetDataCallback(DetectEngineTh return buffer; } - InspectionBufferSetupMulti(buffer, transforms, base_buffer->inspect, base_buffer->inspect_len); + InspectionBufferSetupMulti( + det_ctx, buffer, transforms, base_buffer->inspect, base_buffer->inspect_len); buffer->inspect_offset = base_buffer->inspect_offset; SCLogDebug("xformed buffer %p size %u", buffer, buffer->inspect_len); SCReturnPtr(buffer, "InspectionBuffer"); 
@@ -351,7 +352,7 @@ static InspectionBuffer *FiledataGetDataCallback(DetectEngineThreadCtx *det_ctx, SCLogDebug("content inspected: %" PRIu64, cur_file->content_inspected); } - InspectionBufferSetupMulti(buffer, NULL, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, NULL, data, data_len); SCLogDebug("[list %d] [before] buffer offset %" PRIu64 "; buffer len %" PRIu32 "; data_len %" PRIu32 "; file_size %" PRIu64, list_id, buffer->inspect_offset, buffer->inspect_len, data_len, file_size); diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c index f23434d8666e..aa1e319ea11c 100644 --- a/src/detect-filemagic.c +++ b/src/detect-filemagic.c @@ -291,7 +291,7 @@ static InspectionBuffer *FilemagicGetDataCallback(DetectEngineThreadCtx *det_ctx const uint8_t *data = (const uint8_t *)cur_file->magic; uint32_t data_len = (uint32_t)strlen(cur_file->magic); - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); SCReturnPtr(buffer, "InspectionBuffer"); } diff --git a/src/detect-filename.c b/src/detect-filename.c index f75fdbd680fe..11e576071055 100644 --- a/src/detect-filename.c +++ b/src/detect-filename.c @@ -228,7 +228,7 @@ static InspectionBuffer *FilenameGetDataCallback(DetectEngineThreadCtx *det_ctx, const uint8_t *data = cur_file->name; uint32_t data_len = cur_file->name_len; - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); SCReturnPtr(buffer, "InspectionBuffer"); } diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index 5e5604ea594d..192d71ff30da 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c 
@@ -202,7 +202,7 @@ static inline InspectionBuffer *HttpRequestBodyXformsGetDataCallback(DetectEngin InspectionBufferSetup(det_ctx, list_id, buffer, base_buffer->inspect, base_buffer->inspect_len); buffer->inspect_offset = base_buffer->inspect_offset; - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); SCLogDebug("xformed buffer %p size %u", buffer, buffer->inspect_len); SCReturnPtr(buffer, "InspectionBuffer"); } diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 5f4898285460..bd92682832ff 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -191,7 +191,7 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(h->value); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -219,7 +219,7 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(h->value); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -240,7 +240,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -261,7 +261,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; 
diff --git a/src/detect-http-header-names.c b/src/detect-http-header-names.c index 66bc73d44c80..8a673cf62404 100644 --- a/src/detect-http-header-names.c +++ b/src/detect-http-header-names.c @@ -154,7 +154,7 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -175,7 +175,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 8839544a5f92..5283549918d7 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -159,7 +159,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -193,7 +193,7 @@ static uint8_t DetectEngineInspectBufferHttpHeader(DetectEngineCtx *de_ctx, } /* setup buffer and apply transforms */ InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } const uint32_t data_len = buffer->inspect_len; 
@@ -254,7 +254,7 @@ static void PrefilterMpmHttpHeader(DetectEngineThreadCtx *det_ctx, const void *p /* setup buffer and apply transforms */ InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, ctx->transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, ctx->transforms); } const uint32_t data_len = buffer->inspect_len; @@ -527,7 +527,7 @@ static InspectionBuffer *GetHttp2HeaderData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, b, b_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); @@ -605,8 +605,8 @@ static InspectionBuffer *GetHttp1HeaderData(DetectEngineThreadCtx *det_ctx, // hdr_td->len is the number of header buffers if (local_id < hdr_td->len) { // we have one valid header buffer - InspectionBufferSetupMulti( - buffer, transforms, hdr_td->items[local_id].buffer, hdr_td->items[local_id].len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, hdr_td->items[local_id].buffer, + hdr_td->items[local_id].len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); } // else there are no more header buffer to get diff --git a/src/detect-http-headers-stub.h b/src/detect-http-headers-stub.h index 82d5f543d7a9..4af6e4f4cfa5 100644 --- a/src/detect-http-headers-stub.h +++ b/src/detect-http-headers-stub.h @@ -68,7 +68,7 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(h->value); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; 
@@ -91,7 +91,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -124,7 +124,7 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(h->value); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -147,7 +147,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-host.c b/src/detect-http-host.c index fe36a261e6cc..e8be92cf2fea 100644 --- a/src/detect-http-host.c +++ b/src/detect-http-host.c @@ -249,7 +249,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->request_hostname); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -270,7 +270,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; 
@@ -291,7 +291,7 @@ static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -362,7 +362,7 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 8d08f0369e90..e13491cb7515 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -210,7 +210,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->request_method); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -231,7 +231,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-protocol.c b/src/detect-http-protocol.c index 6214c80513be..caf3a4b6397e 100644 --- a/src/detect-http-protocol.c +++ b/src/detect-http-protocol.c @@ -108,7 +108,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; 
@@ -122,7 +122,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (buffer->inspect == NULL) { InspectionBufferSetup( det_ctx, list_id, buffer, (const uint8_t *)"HTTP/2", strlen("HTTP/2")); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index 0bb834b7726a..c3050c17d9fe 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -198,7 +198,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -219,7 +219,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-request-line.c b/src/detect-http-request-line.c index 886e643a3eda..915a88c2b6c8 100644 --- a/src/detect-http-request-line.c +++ b/src/detect-http-request-line.c @@ -87,7 +87,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -165,7 +165,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->request_line); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } 
diff --git a/src/detect-http-response-line.c b/src/detect-http-response-line.c index 69ee8c2709ab..b8fe10fd949c 100644 --- a/src/detect-http-response-line.c +++ b/src/detect-http-response-line.c @@ -87,7 +87,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -164,7 +164,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->response_line); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-http-start.c b/src/detect-http-start.c index e88ac3cdf68f..3ee38d378c41 100644 --- a/src/detect-http-start.c +++ b/src/detect-http-start.c @@ -159,7 +159,7 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c index 37dfb2efbdcc..dbca81985a89 100644 --- a/src/detect-http-stat-code.c +++ b/src/detect-http-stat-code.c @@ -168,7 +168,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->response_status); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; 
@@ -191,7 +191,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c index b1a485d7a933..06b6bb3148ba 100644 --- a/src/detect-http-stat-msg.c +++ b/src/detect-http-stat-msg.c @@ -79,7 +79,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { InspectionBufferSetup(det_ctx, list_id, buffer, (const uint8_t *)"", 0); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -177,7 +177,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->response_message); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index 8babd9adcb50..238cac96424a 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -175,7 +175,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(h->value); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -198,7 +198,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; 
diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index 12c6f8788549..29805b7b9ae4 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -237,7 +237,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx_ud->request_uri_normalized); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -260,7 +260,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -328,7 +328,7 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->request_uri); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-icmpv4hdr.c b/src/detect-icmpv4hdr.c index dbda7c6f14d1..a63b2abf8e54 100644 --- a/src/detect-icmpv4hdr.c +++ b/src/detect-icmpv4hdr.c @@ -113,7 +113,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)icmpv4h; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-icmpv6hdr.c b/src/detect-icmpv6hdr.c index 54f1cd35a04f..214a9e3dba5c 100644 --- a/src/detect-icmpv6hdr.c +++ b/src/detect-icmpv6hdr.c 
@@ -118,7 +118,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)icmpv6h; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-ike-key-exchange-payload.c b/src/detect-ike-key-exchange-payload.c index 9d83fba33dec..bca8e2dfe0fe 100644 --- a/src/detect-ike-key-exchange-payload.c +++ b/src/detect-ike-key-exchange-payload.c @@ -83,7 +83,7 @@ static InspectionBuffer *GetKeyExchangeData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ike-nonce-payload.c b/src/detect-ike-nonce-payload.c index a2c4ac6f9a2a..9c90bb92abe0 100644 --- a/src/detect-ike-nonce-payload.c +++ b/src/detect-ike-nonce-payload.c @@ -83,7 +83,7 @@ static InspectionBuffer *GetNonceData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ike-spi.c b/src/detect-ike-spi.c index 9f310b8f580a..86ed0aadb83e 100644 --- a/src/detect-ike-spi.c +++ b/src/detect-ike-spi.c @@ -100,7 +100,7 @@ static InspectionBuffer *GetInitiatorData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; 
@@ -121,7 +121,7 @@ static InspectionBuffer *GetResponderData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ike-vendor.c b/src/detect-ike-vendor.c index e3c09e9a44c6..c1b2f6888b2d 100644 --- a/src/detect-ike-vendor.c +++ b/src/detect-ike-vendor.c @@ -58,7 +58,7 @@ static InspectionBuffer *IkeVendorGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-ipaddr.c b/src/detect-ipaddr.c index aeac80f71d19..a3d2c6b4c872 100644 --- a/src/detect-ipaddr.c +++ b/src/detect-ipaddr.c @@ -128,7 +128,7 @@ static InspectionBuffer *GetDataSrc(DetectEngineThreadCtx *det_ctx, } else { return NULL; } - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -152,7 +152,7 @@ static InspectionBuffer *GetDataDst(DetectEngineThreadCtx *det_ctx, } else { return NULL; } - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ipv4hdr.c b/src/detect-ipv4hdr.c index 78fe0062ea46..196bccb4b69c 100644 --- a/src/detect-ipv4hdr.c +++ b/src/detect-ipv4hdr.c @@ -114,7 +114,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)ip4h; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; 
diff --git a/src/detect-ipv6hdr.c b/src/detect-ipv6hdr.c index 2f5e79d33d4e..cc678b082110 100644 --- a/src/detect-ipv6hdr.c +++ b/src/detect-ipv6hdr.c @@ -115,7 +115,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)ip6h; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-ja4-hash.c b/src/detect-ja4-hash.c index ebddc6b6d060..dfa9c80c0949 100644 --- a/src/detect-ja4-hash.c +++ b/src/detect-ja4-hash.c @@ -148,7 +148,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, InspectionBufferSetup(det_ctx, list_id, buffer, data, 0); InspectionBufferCopy(buffer, data, JA4_HEX_LEN); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -170,7 +170,7 @@ static InspectionBuffer *Ja4DetectGetHash(DetectEngineThreadCtx *det_ctx, InspectionBufferSetup(det_ctx, list_id, buffer, NULL, 0); InspectionBufferCopy(buffer, (uint8_t *)b, JA4_HEX_LEN); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-krb5-cname.c b/src/detect-krb5-cname.c index 1411f7380806..9a71edce8a9d 100644 --- a/src/detect-krb5-cname.c +++ b/src/detect-krb5-cname.c @@ -73,7 +73,7 @@ static InspectionBuffer *GetKrb5CNameData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, b, b_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-krb5-sname.c b/src/detect-krb5-sname.c index 3cd6f0e222cc..9a59da3710d0 100644 --- a/src/detect-krb5-sname.c +++ b/src/detect-krb5-sname.c 
@@ -73,7 +73,7 @@ static InspectionBuffer *GetKrb5SNameData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, b, b_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-quic-cyu-hash.c b/src/detect-quic-cyu-hash.c index 17836d1596b5..c0a13a5d9581 100644 --- a/src/detect-quic-cyu-hash.c +++ b/src/detect-quic-cyu-hash.c @@ -76,7 +76,7 @@ static InspectionBuffer *QuicHashGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-quic-cyu-string.c b/src/detect-quic-cyu-string.c index c2460f11546c..0112b8c46889 100644 --- a/src/detect-quic-cyu-string.c +++ b/src/detect-quic-cyu-string.c @@ -72,7 +72,7 @@ static InspectionBuffer *QuicStringGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-quic-sni.c b/src/detect-quic-sni.c index 0e4bf2d09101..b3eb08b169b4 100644 --- a/src/detect-quic-sni.c +++ b/src/detect-quic-sni.c @@ -60,7 +60,7 @@ static InspectionBuffer *GetSniData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-quic-ua.c b/src/detect-quic-ua.c index 0e72770cb068..8c81b9da0c80 100644 --- a/src/detect-quic-ua.c +++ b/src/detect-quic-ua.c 
@@ -60,7 +60,7 @@ static InspectionBuffer *GetUaData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-quic-version.c b/src/detect-quic-version.c index 08bf80c0022c..7f69d0d041b1 100644 --- a/src/detect-quic-version.c +++ b/src/detect-quic-version.c @@ -60,7 +60,7 @@ static InspectionBuffer *GetVersionData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-sip-method.c b/src/detect-sip-method.c index ed22381d9ffc..5ade9f25563a 100644 --- a/src/detect-sip-method.c +++ b/src/detect-sip-method.c @@ -118,7 +118,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-sip-uri.c b/src/detect-sip-uri.c index daf42235d8c5..0013902bef0e 100644 --- a/src/detect-sip-uri.c +++ b/src/detect-sip-uri.c @@ -97,7 +97,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-smb-ntlmssp.c b/src/detect-smb-ntlmssp.c index aa53269309cf..c8db458e5ab5 100644 --- a/src/detect-smb-ntlmssp.c +++ b/src/detect-smb-ntlmssp.c 
@@ -69,7 +69,7 @@ static InspectionBuffer *GetNtlmsspUserData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -126,7 +126,7 @@ static InspectionBuffer *GetNtlmsspDomainData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-smb-share.c b/src/detect-smb-share.c index 018d8ceefd79..934ae239533d 100644 --- a/src/detect-smb-share.c +++ b/src/detect-smb-share.c @@ -70,7 +70,7 @@ static InspectionBuffer *GetNamedPipeData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -131,7 +131,7 @@ static InspectionBuffer *GetShareData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-ssh-hassh-server-string.c b/src/detect-ssh-hassh-server-string.c index f62c72e79c79..bb8443899f1e 100644 --- a/src/detect-ssh-hassh-server-string.c +++ b/src/detect-ssh-hassh-server-string.c @@ -77,7 +77,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ssh-hassh-server.c b/src/detect-ssh-hassh-server.c index 98f7d3dc2e2f..a9f62e8e0e0e 100644 
--- a/src/detect-ssh-hassh-server.c +++ b/src/detect-ssh-hassh-server.c @@ -78,7 +78,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, hasshServer, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ssh-hassh-string.c b/src/detect-ssh-hassh-string.c index ad29b90ee764..b64c05321cc4 100644 --- a/src/detect-ssh-hassh-string.c +++ b/src/detect-ssh-hassh-string.c @@ -77,7 +77,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ssh-hassh.c b/src/detect-ssh-hassh.c index 377aa9d2c433..ffad20a6d180 100644 --- a/src/detect-ssh-hassh.c +++ b/src/detect-ssh-hassh.c @@ -78,7 +78,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ssh-proto.c b/src/detect-ssh-proto.c index 19807511e757..8e9cf60c0bd1 100644 --- a/src/detect-ssh-proto.c +++ b/src/detect-ssh-proto.c @@ -75,7 +75,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, protocol, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ssh-software.c b/src/detect-ssh-software.c index 0a8d5aab0d97..76455ad44335 100644 --- a/src/detect-ssh-software.c +++ b/src/detect-ssh-software.c 
@@ -75,7 +75,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, software, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tcphdr.c b/src/detect-tcphdr.c index fd7df2f687d7..b5a3fb7e6c51 100644 --- a/src/detect-tcphdr.c +++ b/src/detect-tcphdr.c @@ -116,7 +116,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)tcph; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-alpn.c b/src/detect-tls-alpn.c index b4aa82f9c52a..ccee33b14b64 100644 --- a/src/detect-tls-alpn.c +++ b/src/detect-tls-alpn.c @@ -141,7 +141,7 @@ static InspectionBuffer *TlsAlpnGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, a->alpn, a->size); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, a->alpn, a->size); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-tls-cert-fingerprint.c b/src/detect-tls-cert-fingerprint.c index 9fec32151dd6..cd73455bc123 100644 --- a/src/detect-tls-cert-fingerprint.c +++ b/src/detect-tls-cert-fingerprint.c @@ -152,7 +152,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)connp->cert0_fingerprint; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-cert-issuer.c b/src/detect-tls-cert-issuer.c index 49bada4cdf6d..b7d6047fe32e 100644 --- a/src/detect-tls-cert-issuer.c +++ b/src/detect-tls-cert-issuer.c 
@@ -141,7 +141,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)connp->cert0_issuerdn; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-cert-serial.c b/src/detect-tls-cert-serial.c index 0ac7bfdd20cc..ec59a5be4db5 100644 --- a/src/detect-tls-cert-serial.c +++ b/src/detect-tls-cert-serial.c @@ -151,7 +151,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)connp->cert0_serial; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-cert-subject.c b/src/detect-tls-cert-subject.c index e0dcde30a830..e7cad1163c75 100644 --- a/src/detect-tls-cert-subject.c +++ b/src/detect-tls-cert-subject.c @@ -143,7 +143,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)connp->cert0_subject; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-certs.c b/src/detect-tls-certs.c index f34c5e23bfb6..ef222b2f2c9e 100644 --- a/src/detect-tls-certs.c +++ b/src/detect-tls-certs.c @@ -101,7 +101,7 @@ static InspectionBuffer *TlsCertsGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, cert->cert_data, cert->cert_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, cert->cert_data, cert->cert_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); 
diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c index 57b0e55edeb5..82d148f5c67e 100644 --- a/src/detect-tls-ja3-hash.c +++ b/src/detect-tls-ja3-hash.c @@ -172,7 +172,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_hash; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-ja3-string.c b/src/detect-tls-ja3-string.c index 1ec289c6e9d1..4df4e3a56b35 100644 --- a/src/detect-tls-ja3-string.c +++ b/src/detect-tls-ja3-string.c @@ -162,7 +162,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_str->data; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-ja3s-hash.c b/src/detect-tls-ja3s-hash.c index 6d3d42e5edf8..96a0104b0de6 100644 --- a/src/detect-tls-ja3s-hash.c +++ b/src/detect-tls-ja3s-hash.c @@ -170,7 +170,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_hash; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-ja3s-string.c b/src/detect-tls-ja3s-string.c index 0104560627d5..3e49e46d205b 100644 --- a/src/detect-tls-ja3s-string.c +++ b/src/detect-tls-ja3s-string.c 
@@ -162,7 +162,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_str->data; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-random.c b/src/detect-tls-random.c index 2dd5871aea0f..74d54a67813c 100644 --- a/src/detect-tls-random.c +++ b/src/detect-tls-random.c @@ -223,7 +223,7 @@ static InspectionBuffer *GetRandomTimeData(DetectEngineThreadCtx *det_ctx, data = ssl_state->server_connp.random; } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -250,7 +250,7 @@ static InspectionBuffer *GetRandomBytesData(DetectEngineThreadCtx *det_ctx, data = ssl_state->server_connp.random + DETECT_TLS_RANDOM_TIME_LEN; } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -277,7 +277,7 @@ static InspectionBuffer *GetRandomData(DetectEngineThreadCtx *det_ctx, data = ssl_state->server_connp.random; } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c index ce8a068a4717..421530ee5ec9 100644 --- a/src/detect-tls-sni.c +++ b/src/detect-tls-sni.c 
@@ -123,7 +123,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)ssl_state->client_connp.sni; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-subjectaltname.c b/src/detect-tls-subjectaltname.c index 350db5d6f655..397a5e67cfaa 100644 --- a/src/detect-tls-subjectaltname.c +++ b/src/detect-tls-subjectaltname.c @@ -121,7 +121,7 @@ static InspectionBuffer *TlsSubjectAltNameGetData(DetectEngineThreadCtx *det_ctx return NULL; } - InspectionBufferSetupMulti(buffer, transforms, (const uint8_t *)connp->cert0_sans[idx], + InspectionBufferSetupMulti(det_ctx, buffer, transforms, (const uint8_t *)connp->cert0_sans[idx], strlen(connp->cert0_sans[idx])); buffer->flags = DETECT_CI_FLAGS_SINGLE; diff --git a/src/detect-transform-base64.c b/src/detect-transform-base64.c index e0fbdeeb44d6..8de44fb7a95a 100644 --- a/src/detect-transform-base64.c +++ b/src/detect-transform-base64.c @@ -42,7 +42,8 @@ static void DetectTransformFromBase64DecodeFree(DetectEngineCtx *, void *); #ifdef UNITTESTS static void DetectTransformFromBase64DecodeRegisterTests(void); #endif -static void TransformFromBase64Decode(InspectionBuffer *buffer, void *options); +static void TransformFromBase64Decode( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); #define DETECT_TRANSFORM_FROM_BASE64_MODE_DEFAULT (uint8_t) Base64ModeRFC4648 @@ -113,7 +114,8 @@ static int DetectTransformFromBase64DecodeSetup( SCReturnInt(r); } -static void TransformFromBase64Decode(InspectionBuffer *buffer, void *options) +static void TransformFromBase64Decode( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { SCDetectTransformFromBase64Data *b64d = options; const uint8_t *input = buffer->inspect; 
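Review bot: `TransformFromBase64Decode` gains a `det_ctx` parameter that the lines shown never read, and neither the prototype nor the definition carries a comment saying so. The same applies to `DetectTransformPcrexform` in src/detect-transform-pcrexform.c. A one-line comment above each definition, such as `/* det_ctx is not used by this transform and may be NULL */`, would tell a later editor that the NULL passed by the unit tests is safe here. Both function bodies continue outside their hunks, so this rests only on the visible lines.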
@@ -171,7 +173,7 @@ static int DetectTransformFromBase64DecodeTest01(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -192,7 +194,7 @@ static int DetectTransformFromBase64DecodeTest01a(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -212,7 +214,7 @@ static int DetectTransformFromBase64DecodeTest02(void) InspectionBufferSetup(NULL, -1, &buffer, input, input_len); buffer_orig = buffer; PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_offset == buffer_orig.inspect_offset); FAIL_IF_NOT(buffer.inspect_len == buffer_orig.inspect_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); 
@@ -234,7 +236,7 @@ static int DetectTransformFromBase64DecodeTest03(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(strncmp((const char *)input, (const char *)buffer.inspect, input_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); @@ -255,7 +257,7 @@ static int DetectTransformFromBase64DecodeTest04(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(strncmp((const char *)input, (const char *)buffer.inspect, input_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); @@ -279,7 +281,7 @@ static int DetectTransformFromBase64DecodeTest05(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); 
@@ -304,7 +306,7 @@ static int DetectTransformFromBase64DecodeTest06(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -328,7 +330,7 @@ static int DetectTransformFromBase64DecodeTest07(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -349,7 +351,7 @@ static int DetectTransformFromBase64DecodeTest08(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); // PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == 15); // PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); diff --git a/src/detect-transform-pcrexform.c b/src/detect-transform-pcrexform.c index c517175b8722..b24ad64f80d2 100644 --- a/src/detect-transform-pcrexform.c +++ b/src/detect-transform-pcrexform.c 
@@ -38,7 +38,8 @@ typedef struct DetectTransformPcrexformData { static int DetectTransformPcrexformSetup (DetectEngineCtx *, Signature *, const char *); static void DetectTransformPcrexformFree(DetectEngineCtx *, void *); -static void DetectTransformPcrexform(InspectionBuffer *buffer, void *options); +static void DetectTransformPcrexform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); #ifdef UNITTESTS void DetectTransformPcrexformRegisterTests (void); #endif @@ -132,7 +133,8 @@ static int DetectTransformPcrexformSetup (DetectEngineCtx *de_ctx, Signature *s, SCReturnInt(r); } -static void DetectTransformPcrexform(InspectionBuffer *buffer, void *options) +static void DetectTransformPcrexform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const char *input = (const char *)buffer->inspect; const uint32_t input_len = buffer->inspect_len; diff --git a/src/detect-udphdr.c b/src/detect-udphdr.c index 9f6d16ebf0b0..d171deaf32d4 100644 --- a/src/detect-udphdr.c +++ b/src/detect-udphdr.c @@ -112,7 +112,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)udph; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect.h b/src/detect.h index fe755b7f0d14..1f96223c8ebf 100644 --- a/src/detect.h +++ b/src/detect.h @@ -1282,7 +1282,7 @@ typedef struct SigTableElmt_ { uint8_t flags, File *, const Signature *, const SigMatchCtx *); /** InspectionBuffer transformation callback */ - void (*Transform)(InspectionBuffer *, void *context); + void (*Transform)(DetectEngineThreadCtx *, InspectionBuffer *, void *context); bool (*TransformValidate)(const uint8_t *content, uint16_t content_len, void *context); /** keyword setup function pointer */ 
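Review bot: The new first argument of the `Transform` callback in detect.h is not documented as nullable, yet the unit tests updated earlier in this patch call `TransformFromBase64Decode(NULL, &buffer, &b64d)`, so every transform has to cope with a NULL `det_ctx`. I would state that on the struct member, for example `/** InspectionBuffer transformation callback; det_ctx may be NULL (unit tests), check before use */`. This matters for the Lua transform added later in the series, which hands `det_ctx` straight to `DetectThreadCtxGetKeywordThreadCtx`; whether that helper accepts NULL is not visible in these hunks.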
diff --git a/src/util-ja3.c b/src/util-ja3.c index b89a62e0d0bf..93fec9c37164 100644 --- a/src/util-ja3.c +++ b/src/util-ja3.c @@ -278,7 +278,7 @@ InspectionBuffer *Ja3DetectGetHash(DetectEngineThreadCtx *det_ctx, InspectionBufferSetup(det_ctx, list_id, buffer, NULL, 0); InspectionBufferCopy(buffer, ja3_hash, SC_MD5_HEX_LEN); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -298,7 +298,7 @@ InspectionBuffer *Ja3DetectGetString(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } From 74eb71b21823443612d654b5a64376dd47de2732 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Thu, 12 Sep 2024 10:47:26 -0400 Subject: [PATCH 2/7] hash: Provide detection engine context to free fn Issue: 2290 This commit extends the hash table logic with an alternate free function that provides the detection engine context. Users that wish to use the next functionality must use the HashListTableInitWithCtx function when initializing the hash table. Using this interface will result in the hash table "free with context" function (new) being used instead. --- src/detect-engine.c | 18 ++++++----- src/util-hashlist.c | 78 +++++++++++++++++++++++++++++++++++++++++++++ src/util-hashlist.h | 6 ++++ 3 files changed, 94 insertions(+), 8 deletions(-) diff --git a/src/detect-engine.c b/src/detect-engine.c index f93d5ef7a056..58611105a4bc 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c 
@@ -957,14 +957,15 @@ static char DetectBufferTypeCompareIdFunc(void *data1, uint16_t len1, void *data return map1->id == map2->id; } -static void DetectBufferTypeFreeFunc(void *data) +static void DetectBufferTypeFreeFunc(void *ctx, void *data) { - DetectBufferType *map = (DetectBufferType *)data; - - if (map == NULL) { + if (data == NULL) { return; } + DetectBufferType *map = (DetectBufferType *)data; + DetectEngineCtx *de_ctx = (DetectEngineCtx *)ctx; + /* Release transformation option memory, if any */ for (int i = 0; i < map->transforms.cnt; i++) { if (map->transforms.transforms[i].options == NULL) @@ -974,7 +975,8 @@ static void DetectBufferTypeFreeFunc(void *data) sigmatch_table[map->transforms.transforms[i].transform].name); continue; } - sigmatch_table[map->transforms.transforms[i].transform].Free(NULL, map->transforms.transforms[i].options); + sigmatch_table[map->transforms.transforms[i].transform].Free( + de_ctx, map->transforms.transforms[i].options); } SCFree(map); @@ -983,7 +985,7 @@ static void DetectBufferTypeFreeFunc(void *data) static int DetectBufferTypeInit(void) { BUG_ON(g_buffer_type_hash); - g_buffer_type_hash = HashListTableInit(256, DetectBufferTypeHashNameFunc, + g_buffer_type_hash = HashListTableInitWithCtx(256, DetectBufferTypeHashNameFunc, DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc); if (g_buffer_type_hash == NULL) return -1; @@ -1728,7 +1730,7 @@ static void DetectBufferTypeSetupDetectEngine(DetectEngineCtx *de_ctx) const int size = g_buffer_type_id; BUG_ON(!(size > 0)); - de_ctx->buffer_type_hash_name = HashListTableInit(256, DetectBufferTypeHashNameFunc, + de_ctx->buffer_type_hash_name = HashListTableInitWithCtx(256, DetectBufferTypeHashNameFunc, DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc); BUG_ON(de_ctx->buffer_type_hash_name == NULL); de_ctx->buffer_type_hash_id = 
@@ -1770,7 +1772,7 @@ static void DetectBufferTypeFreeDetectEngine(DetectEngineCtx *de_ctx) { if (de_ctx) { if (de_ctx->buffer_type_hash_name) - HashListTableFree(de_ctx->buffer_type_hash_name); + HashListTableFreeWithCtx(de_ctx, de_ctx->buffer_type_hash_name); if (de_ctx->buffer_type_hash_id) HashListTableFree(de_ctx->buffer_type_hash_id); diff --git a/src/util-hashlist.c b/src/util-hashlist.c index 085a988afe76..b082f164380f 100644 --- a/src/util-hashlist.c +++ b/src/util-hashlist.c @@ -32,6 +32,58 @@ #include "util-debug.h" #include "util-memcmp.h" +HashListTable *HashListTableInitWithCtx(uint32_t size, + uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), + char (*Compare)(void *, uint16_t, void *, uint16_t), void (*FreeWithCtx)(void *, void *)) +{ + sc_errno = SC_OK; + HashListTable *ht = NULL; + + if (size == 0) { + sc_errno = SC_EINVAL; + goto error; + } + + if (Hash == NULL) { + sc_errno = SC_EINVAL; + goto error; + } + + /* setup the filter */ + ht = SCCalloc(1, sizeof(HashListTable)); + if (unlikely(ht == NULL)) { + sc_errno = SC_ENOMEM; + goto error; + } + ht->array_size = size; + ht->Hash = Hash; + ht->FreeWithCtx = FreeWithCtx; + + if (Compare != NULL) + ht->Compare = Compare; + else + ht->Compare = HashListTableDefaultCompare; + + /* setup the bitarray */ + ht->array = SCCalloc(ht->array_size, sizeof(HashListTableBucket *)); + if (ht->array == NULL) { + sc_errno = SC_ENOMEM; + goto error; + } + + ht->listhead = NULL; + ht->listtail = NULL; + return ht; + +error: + if (ht != NULL) { + if (ht->array != NULL) + SCFree(ht->array); + + SCFree(ht); + } + return NULL; +} HashListTable *HashListTableInit(uint32_t size, uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), char (*Compare)(void *, uint16_t, void *, uint16_t), void (*Free)(void *)) 
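Review bot: `HashListTableInitWithCtx` leaves `ht->Free` NULL and sets only `ht->FreeWithCtx`, but nothing in the hunks shown makes `HashListTableFree` or `HashListTableRemove` aware of the new callback, so presumably a table created this way and released through the old calls drops its entries without freeing their data. `g_buffer_type_hash` in `DetectBufferTypeInit` is now created with the new initializer, and only the free of `de_ctx->buffer_type_hash_name` is switched to `HashListTableFreeWithCtx` in the visible hunks. The reverse mix, `HashListTableFreeWithCtx` on a table from `HashListTableInit`, skips the element free in the same silent way. I would make the pairing explicit: a comment on the initializer such as `/* tables created here must be released with HashListTableFreeWithCtx() */`, and `BUG_ON(ht->FreeWithCtx != NULL);` after the NULL check in `HashListTableFree`. The new function also repeats the whole body of `HashListTableInit` and lacks a blank line before it; a shared static helper would keep the two in step.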
@@ -85,6 +137,32 @@ HashListTable *HashListTableInit(uint32_t size, return NULL; } +void HashListTableFreeWithCtx(void *ctx, HashListTable *ht) +{ + uint32_t i = 0; + + if (ht == NULL) + return; + + /* free the buckets */ + for (i = 0; i < ht->array_size; i++) { + HashListTableBucket *hashbucket = ht->array[i]; + while (hashbucket != NULL) { + HashListTableBucket *next_hashbucket = hashbucket->bucknext; + if (ht->FreeWithCtx != NULL) + ht->FreeWithCtx(ctx, hashbucket->data); + SCFree(hashbucket); + hashbucket = next_hashbucket; + } + } + + /* free the array */ + if (ht->array != NULL) + SCFree(ht->array); + + SCFree(ht); +} + void HashListTableFree(HashListTable *ht) { uint32_t i = 0; diff --git a/src/util-hashlist.h b/src/util-hashlist.h index 15bd578e5319..6ae320098ae0 100644 --- a/src/util-hashlist.h +++ b/src/util-hashlist.h @@ -42,10 +42,16 @@ typedef struct HashListTable_ { uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t); char (*Compare)(void *, uint16_t, void *, uint16_t); void (*Free)(void *); + void (*FreeWithCtx)(void *, void *); } HashListTable; /* prototypes */ HashListTable* HashListTableInit(uint32_t, uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), char (*Compare)(void *, uint16_t, void *, uint16_t), void (*Free)(void *)); +HashListTable *HashListTableInitWithCtx(uint32_t, + uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), + char (*Compare)(void *, uint16_t, void *, uint16_t), void (*FreeWithCtx)(void *, void *)); + +void HashListTableFreeWithCtx(void *, HashListTable *); void HashListTableFree(HashListTable *); int HashListTableAdd(HashListTable *, void *, uint16_t); int HashListTableRemove(HashListTable *, void *, uint16_t); From 14af9584e1c18c9f80ce0a1768971c6ee6be8cec Mon Sep 17 00:00:00 2001 
From: Jeff Lucovsky Date: Thu, 12 Sep 2024 10:51:03 -0400 Subject: [PATCH 3/7] detect/engine: Prevent double-free of keyword hash Issue: 2290 Defer freeing the keyword hash table until the engine context has been freed. This eliminates a double-free from occurring. For the unittests ONLY, clear the keyword_hash to prevent a double free attempt. --- src/detect-engine.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/detect-engine.c b/src/detect-engine.c index 58611105a4bc..54879d567785 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2587,6 +2587,9 @@ DetectEngineCtx *DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tena static void DetectEngineCtxFreeThreadKeywordData(DetectEngineCtx *de_ctx) { HashListTableFree(de_ctx->keyword_hash); +#if UNITTESTS + de_ctx->keyword_hash = NULL; +#endif } static void DetectEngineCtxFreeFailedSigs(DetectEngineCtx *de_ctx) @@ -2659,7 +2662,6 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) MpmFactoryDeRegisterAllMpmCtxProfiles(de_ctx); - DetectEngineCtxFreeThreadKeywordData(de_ctx); SRepDestroy(de_ctx); DetectEngineCtxFreeFailedSigs(de_ctx); @@ -2682,6 +2684,7 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) DetectPortCleanupList(de_ctx, de_ctx->udp_priorityports); DetectBufferTypeFreeDetectEngine(de_ctx); + DetectEngineCtxFreeThreadKeywordData(de_ctx); SCClassConfDeinit(de_ctx); SCReferenceConfDeinit(de_ctx); From ddde6fd7d5838c3c4dba7c16231d3989584b7841 Mon Sep 17 00:00:00 2001 
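Review bot: The guard added in `DetectEngineCtxFreeThreadKeywordData` is spelled `#if UNITTESTS`, while the other code shown in this series tests the macro with `#ifdef UNITTESTS`; the two differ when the macro is defined without a value or when `-Wundef` is enabled. More importantly, restricting the reset to unit-test builds leaves `de_ctx->keyword_hash` pointing at freed memory in every other build, which is exactly the state a second call would free again. Clearing the pointer unconditionally costs nothing: drop the `#if`/`#endif` pair and keep `de_ctx->keyword_hash = NULL;` directly after `HashListTableFree(de_ctx->keyword_hash);`.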
From: Jeff Lucovsky Date: Mon, 9 Sep 2024 11:06:32 -0400 Subject: [PATCH 4/7] transform: Add luaxform files Issue: 2290 This commit adds the source files for the new transform -- luaxform. --- src/Makefile.am | 2 + src/detect-engine-register.c | 2 + src/detect-engine-register.h | 1 + src/detect-lua.c | 4 +- src/detect-transform-luaxform.c | 353 ++++++++++++++++++++++++++++++++ src/detect-transform-luaxform.h | 47 +++++ src/util-lua-common.h | 3 + 7 files changed, 409 insertions(+), 3 deletions(-) create mode 100644 src/detect-transform-luaxform.c create mode 100644 src/detect-transform-luaxform.h diff --git a/src/Makefile.am b/src/Makefile.am index b0f841cfd0c2..50e69db2f788 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -306,6 +306,7 @@ noinst_HEADERS = \ detect-tls-random.h \ detect-tos.h \ detect-transform-base64.h \ + detect-transform-luaxform.h \ detect-transform-pcrexform.h \ detect-ttl.h \ detect-udphdr.h \ @@ -867,6 +868,7 @@ libsuricata_c_a_SOURCES = \ detect-tls-random.c \ detect-tos.c \ detect-transform-base64.c \ + detect-transform-luaxform.c \ detect-transform-pcrexform.c \ detect-ttl.c \ detect-udphdr.c \ diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 903cc158cf5f..538d05d97caa 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -217,6 +217,7 @@ #include "detect-transform-pcrexform.h" #include "detect-transform-base64.h" +#include "detect-transform-luaxform.h" #include "util-rule-vars.h" @@ -674,6 +675,7 @@ void SigTableSetup(void) DetectTransformToUpperRegister(); DetectTransformHeaderLowercaseRegister(); DetectTransformFromBase64DecodeRegister(); + DetectTransformLuaxformRegister(); DetectFileHandlerRegister(); diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index db4cd957af9d..4daa971a2e95 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h 
@@ -315,6 +315,7 @@ enum DetectKeywordId { DETECT_TRANSFORM_TOUPPER, DETECT_TRANSFORM_HEADER_LOWERCASE, DETECT_TRANSFORM_FROM_BASE64, + DETECT_TRANSFORM_LUAXFORM, DETECT_AL_IKE_EXCH_TYPE, DETECT_AL_IKE_SPI_INITIATOR, diff --git a/src/detect-lua.c b/src/detect-lua.c index 36f045f50394..577af3154d58 100644 --- a/src/detect-lua.c +++ b/src/detect-lua.c @@ -57,6 +57,7 @@ #include "util-var-name.h" #include "util-lua.h" +#include "util-lua-common.h" #include "util-lua-sandbox.h" static int DetectLuaMatch (DetectEngineThreadCtx *, @@ -126,9 +127,6 @@ void DetectLuaRegister(void) #define FLAG_INSTRUCTION_LIMIT_LOGGED BIT_U32(25) #define FLAG_MEMORY_LIMIT_LOGGED BIT_U32(26) -#define DEFAULT_LUA_ALLOC_LIMIT 500000 -#define DEFAULT_LUA_INSTRUCTION_LIMIT 500000 - #if 0 /** \brief dump stack from lua state to screen */ void LuaDumpStack(lua_State *state) diff --git a/src/detect-transform-luaxform.c b/src/detect-transform-luaxform.c new file mode 100644 index 000000000000..cc1994721d42 --- /dev/null +++ b/src/detect-transform-luaxform.c 
@@ -0,0 +1,353 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Jeff Lucovsky + * + * Implements the luxaform transform keyword + */ + +#include "suricata-common.h" + +#include "detect.h" +#include "detect-engine.h" +#include "detect-parse.h" +#include "detect-lua.h" +#include "detect-transform-luaxform.h" +#include "detect-lua-extensions.h" + +#include "util-lua.h" +#include "util-lua-common.h" +#include "util-print.h" + +static int DetectTransformLuaxformSetup(DetectEngineCtx *, Signature *, const char *); +static void DetectTransformLuaxformFree(DetectEngineCtx *de_ctx, void *ptr); +static void TransformLuaxform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); + +void DetectTransformLuaxformRegister(void) +{ + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].name = "luaxform"; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].desc = + "pass inspection buffer to a Lua function along with " + "arguments supplied to the transform"; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].url = "/rules/transforms.html#luaxform"; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].Transform = TransformLuaxform; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].Free = DetectTransformLuaxformFree; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].Setup = DetectTransformLuaxformSetup; + 
sigmatch_table[DETECT_TRANSFORM_LUAXFORM].flags |= SIGMATCH_QUOTES_OPTIONAL; +} + +static void DetectTransformLuaxformFree(DetectEngineCtx *de_ctx, void *ptr) +{ + if (ptr != NULL) { + DetectLuaxformData *lua = (DetectLuaxformData *)ptr; + + if (lua->filename) + SCFree(lua->filename); + + if (lua->copystr) + SCFree(lua->copystr); + + if (de_ctx) { + DetectUnregisterThreadCtxFuncs(de_ctx, lua, "luaxform"); + } + + SCFree(lua); + } +} + +static int DetectTransformLuaxformSetupPrime( + DetectEngineCtx *de_ctx, DetectLuaxformData *ld, const Signature *s) +{ + lua_State *luastate = SCLuaSbStateNew(ld->alloc_limit, ld->instruction_limit); + if (luastate == NULL) + return -1; + if (ld->allow_restricted_functions) { + luaL_openlibs(luastate); + } else { + SCLuaSbLoadLibs(luastate); + } + + int status = luaL_loadfile(luastate, ld->filename); + if (status) { + SCLogError("couldn't load file: %s", lua_tostring(luastate, -1)); + goto error; + } + + /* prime the script (or something) */ + if (lua_pcall(luastate, 0, 0, 0) != 0) { + SCLogError("couldn't prime file: %s", lua_tostring(luastate, -1)); + goto error; + } + + lua_getglobal(luastate, "transform"); + if (lua_type(luastate, -1) != LUA_TFUNCTION) { + SCLogError("no transform function in script"); + goto error; + } + lua_pop(luastate, 1); + + /* init -- optional entry point */ + lua_getglobal(luastate, "init"); + if (lua_type(luastate, -1) == LUA_TFUNCTION) { + lua_newtable(luastate); /* stack at -1 */ + if (lua_gettop(luastate) == 0 || lua_type(luastate, 2) != LUA_TTABLE) { + SCLogError("no table setup"); + goto error; + } + + lua_pushliteral(luastate, "script_api_ver"); /* stack at -2 */ + lua_pushnumber(luastate, 1); /* stack at -3 */ + lua_settable(luastate, -3); + + if (lua_pcall(luastate, 1, 1, 0) != 0) { + SCLogError("couldn't run script 'init' function: %s", lua_tostring(luastate, -1)); + goto error; + } + } + + LuaRegisterExtensions(luastate); + /* pop the table */ + lua_pop(luastate, 1); + + 
SCLuaSbStateClose(luastate); + return 0; + +error: + SCLuaSbStateClose(luastate); + return -1; +} + +static DetectLuaxformData *DetectLuaxformParse(DetectEngineCtx *de_ctx, const char *str) +{ + DetectLuaxformData *lua = NULL; + + /* We have a correct lua option */ + lua = SCCalloc(1, sizeof(DetectLuaxformData)); + if (unlikely(lua == NULL)) { + FatalError("unable to allocate memory for Lua transform: %s", str); + } + + lua->copystr = strdup(str); + + int count = 0; + char *saveptr = NULL; + char *token = strtok_r(lua->copystr, ",", &saveptr); + while (token != NULL && count < LUAXFORM_MAX_ARGS) { + lua->args[count++] = token; + token = strtok_r(NULL, ",", &saveptr); + } + + if (count == 0) { + SCLogError("Lua script name not supplied"); + goto error; + } + + lua->arg_count = count - 1; + + /* get full filename */ + lua->filename = DetectLoadCompleteSigPath(de_ctx, lua->args[0]); + if (lua->filename == NULL) { + goto error; + } + + return lua; + +error: + if (lua != NULL) + DetectTransformLuaxformFree(de_ctx, lua); + return NULL; +} + +static void *DetectLuaxformThreadInit(void *data) +{ + /* Note: This will always be non-null as alloc errors are checked before registering callback */ + DetectLuaxformData *lua = (DetectLuaxformData *)data; + + DetectLuaThreadData *t = SCCalloc(1, sizeof(DetectLuaThreadData)); + if (unlikely(t == NULL)) { + FatalError("unable to allocate luaxform context memory"); + } + + t->luastate = SCLuaSbStateNew(lua->alloc_limit, lua->instruction_limit); + if (t->luastate == NULL) { + SCLogError("luastate pool depleted"); + goto error; + } + + if (lua->allow_restricted_functions) { + luaL_openlibs(t->luastate); + } else { + SCLuaSbLoadLibs(t->luastate); + } + + LuaRegisterExtensions(t->luastate); + + int status = luaL_loadfile(t->luastate, lua->filename); + if (status) { + SCLogError("couldn't load file: %s", lua_tostring(t->luastate, -1)); + goto error; + } + + /* prime the script (or something) */ + if (lua_pcall(t->luastate, 0, 0, 0) != 0) 
{ + SCLogError("couldn't prime file: %s", lua_tostring(t->luastate, -1)); + goto error; + } + + return (void *)t; + +error: + if (t->luastate != NULL) + SCLuaSbStateClose(t->luastate); + SCFree(t); + return NULL; +} + +static void DetectLuaxformThreadFree(void *ctx) +{ + if (ctx != NULL) { + DetectLuaxformThreadData *t = (DetectLuaxformThreadData *)ctx; + if (t->luastate != NULL) + SCLuaSbStateClose(t->luastate); + SCFree(t); + } +} + +/** + * \internal + * \brief Apply the luaxform keyword to the last pattern match + * \param de_ctx detection engine ctx + * \param s signature + * \param str lua filename and optional args + * \retval 0 ok + * \retval -1 failure + */ +static int DetectTransformLuaxformSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) +{ + SCEnter(); + + /* First check if Lua rules are enabled, by default Lua in rules + * is disabled. */ + int enabled = 0; + (void)ConfGetBool("security.lua.allow-rules", &enabled); + if (!enabled) { + SCLogError("Lua rules disabled by security configuration: security.lua.allow-rules"); + SCReturnInt(-1); + } + + DetectLuaxformData *lua = DetectLuaxformParse(de_ctx, str); + if (lua == NULL) + goto error; + + /* Load lua sandbox configurations */ + intmax_t lua_alloc_limit = DEFAULT_LUA_ALLOC_LIMIT; + intmax_t lua_instruction_limit = DEFAULT_LUA_INSTRUCTION_LIMIT; + int allow_restricted_functions = 0; + (void)ConfGetInt("security.lua.max-bytes", &lua_alloc_limit); + (void)ConfGetInt("security.lua.max-instructions", &lua_instruction_limit); + (void)ConfGetBool("security.lua.allow-restricted-functions", &allow_restricted_functions); + + lua->alloc_limit = lua_alloc_limit; + lua->instruction_limit = lua_instruction_limit; + lua->allow_restricted_functions = allow_restricted_functions; + + if (DetectTransformLuaxformSetupPrime(de_ctx, lua, s) == -1) { + goto error; + } + + lua->thread_ctx_id = DetectRegisterThreadCtxFuncs( + de_ctx, "luaxform", DetectLuaxformThreadInit, (void *)lua, DetectLuaxformThreadFree, 0); 
+ if (lua->thread_ctx_id == -1) + goto error; + + if (0 == DetectSignatureAddTransform(s, DETECT_TRANSFORM_LUAXFORM, lua)) + SCReturnInt(0); + +error: + + if (lua != NULL) + DetectTransformLuaxformFree(de_ctx, lua); + SCReturnInt(-1); +} + +static void TransformLuaxform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) +{ + if (buffer->inspect_len == 0) { + return; + } + + DetectLuaxformData *lua = options; + DetectLuaThreadData *tlua = + (DetectLuaThreadData *)DetectThreadCtxGetKeywordThreadCtx(det_ctx, lua->thread_ctx_id); + if (tlua == NULL) { + return; + } + + lua_getglobal(tlua->luastate, "transform"); + + const uint8_t *input = buffer->inspect; + const uint32_t input_len = buffer->inspect_len; + /* Lua script args are: buffer length, buffer, arg count, args */ + LuaPushInteger(tlua->luastate, (lua_Integer)input_len); + LuaPushStringBuffer(tlua->luastate, input, (size_t)input_len); + LuaPushInteger(tlua->luastate, (lua_Integer)lua->arg_count); + + /* + * Add provided arguments for lua script (these are optionally + * provided by the rule writer). 
+ * + * Start at offset 1 (arg[0] is the lua script filename) + */ + lua_newtable(tlua->luastate); + for (int i = 1; i < lua->arg_count + 1; i++) { + LuaPushInteger(tlua->luastate, i); + lua_pushstring(tlua->luastate, lua->args[i]); + lua_settable(tlua->luastate, -3); + } + + SCLuaSbResetInstructionCounter(tlua->luastate); + + if (LUA_OK != lua_pcall(tlua->luastate, 4, 2, 0)) { + SCLogDebug("error calling lua script: %s", lua_tostring(tlua->luastate, -1)); + } else { + /* Lua transform functions must return 2 values: buffer and length */ + int return_value_count = lua_gettop(tlua->luastate); + if (return_value_count != 2) { + SCLogDebug("Error: expected 2 return values but got %d", return_value_count); + lua_pop(tlua->luastate, return_value_count); + return; + } + if (lua_isstring(tlua->luastate, -2)) { + const char *transformed_buffer = lua_tostring(tlua->luastate, -2); + int transformed_buffer_byte_count = lua_tointeger(tlua->luastate, -1); + if (transformed_buffer != NULL && transformed_buffer_byte_count > 0) + InspectionBufferCopy( + buffer, (uint8_t *)transformed_buffer, transformed_buffer_byte_count); + SCLogDebug("transform returns [nbytes %d] \"%p\"", transformed_buffer_byte_count, + transformed_buffer); + // PrintRawDataFp(stdout, (const uint8_t *)transformed_buffer, + // transformed_buffer_byte_count); + } + } + + lua_pop(tlua->luastate, 2); // Pop the result string/length +} diff --git a/src/detect-transform-luaxform.h b/src/detect-transform-luaxform.h new file mode 100644 index 000000000000..9a5cb8700f63 --- /dev/null +++ b/src/detect-transform-luaxform.h 
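Review bot: In `TransformLuaxform` the length passed to `InspectionBufferCopy` is the integer the script returns (`lua_tointeger(tlua->luastate, -1)`) and is never compared with the real size of the returned string, so a script that reports a length larger than its string makes the engine read past the Lua string while filling the inspection buffer. Take the size from `lua_tolstring` and copy at most that many bytes, as in the excerpt below. The failed-`lua_pcall` branch also falls through to the final `lua_pop(tlua->luastate, 2)` although, as far as the hunk shows, only the error value is on the stack at that point; pop one value and return there. In `DetectLuaxformParse`, `lua->copystr = strdup(str);` is handed to `strtok_r` unchecked and later released with `SCFree`; `lua->copystr = SCStrdup(str); if (lua->copystr == NULL) goto error;` covers both. `DetectLuaxformThreadInit` allocates a `DetectLuaThreadData` while `DetectLuaxformThreadFree` casts the same pointer to `DetectLuaxformThreadData`; using one type in both places avoids depending on their layouts matching.

```c
    if (LUA_OK != lua_pcall(tlua->luastate, 4, 2, 0)) {
        SCLogDebug("error calling lua script: %s", lua_tostring(tlua->luastate, -1));
        /* a failed pcall leaves only the error value on the stack */
        lua_pop(tlua->luastate, 1);
        return;
    }

    /* ... unchanged: return_value_count check ... */

    if (lua_isstring(tlua->luastate, -2)) {
        size_t script_len = 0;
        const char *transformed_buffer = lua_tolstring(tlua->luastate, -2, &script_len);
        lua_Integer wanted = lua_tointeger(tlua->luastate, -1);

        /* Never copy more bytes than the Lua string really holds,
         * whatever length the script claims. */
        size_t copy_len = script_len;
        if (wanted > 0 && (uint64_t)wanted < (uint64_t)copy_len)
            copy_len = (size_t)wanted;
        if (copy_len > UINT32_MAX)
            copy_len = UINT32_MAX;

        if (transformed_buffer != NULL && wanted > 0 && copy_len > 0)
            InspectionBufferCopy(buffer, (uint8_t *)transformed_buffer, (uint32_t)copy_len);
        /* ... unchanged: SCLogDebug of the result ... */
    }

    lua_pop(tlua->luastate, 2); // Pop the result string/length
```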
@@ -0,0 +1,47 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Jeff Lucovsky + */ + +#ifndef SURICATA_DETECT_TRANSFORM_LUAXFORM_H +#define SURICATA_DETECT_TRANSFORM_LUAXFORM_H + +/* prototypes */ +void DetectTransformLuaxformRegister(void); + +#define LUAXFORM_MAX_ARGS 10 + +typedef struct DetectLuaxformData { + int thread_ctx_id; + int allow_restricted_functions; + int arg_count; + uint64_t alloc_limit; + uint64_t instruction_limit; + char *filename; + char *copystr; + char *args[LUAXFORM_MAX_ARGS]; +} DetectLuaxformData; + +typedef struct DetectLuaxformThreadData { + lua_State *luastate; +} DetectLuaxformThreadData; + +#endif /* SURICATA_DETECT_TRANSFORM_LUAXFORM_H */ diff --git a/src/util-lua-common.h b/src/util-lua-common.h index 5d6ea41f4be4..4834f4fa7af9 100644 --- a/src/util-lua-common.h +++ b/src/util-lua-common.h @@ -24,6 +24,9 @@ #ifndef SURICATA_UTIL_LUA_COMMON_H #define SURICATA_UTIL_LUA_COMMON_H +#define DEFAULT_LUA_ALLOC_LIMIT 500000 +#define DEFAULT_LUA_INSTRUCTION_LIMIT 500000 + int LuaCallbackError(lua_State *luastate, const char *msg); const char *LuaGetStringArgument(lua_State *luastate, int argc); From fd485b0a5d484959e9d3ed75c4d089b4b4bbd408 Mon Sep 17 00:00:00 2001 
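Review bot: `args[LUAXFORM_MAX_ARGS]` in `DetectLuaxformData` also holds the script filename in slot 0, so with the parse loop bounded by `count < LUAXFORM_MAX_ARGS` a rule can pass at most 9 arguments, while the user guide text added in this series promises a maximum of 10. Tokens beyond the limit are also dropped silently, so a rule writer gets no signal that part of the rule is ignored. Either size the array as `char *args[LUAXFORM_MAX_ARGS + 1]; /* args[0] is the script filename */` with the loop bound changed to match, or correct the documented limit; in both cases `DetectLuaxformParse` should reject a rule that still has a token left once the limit is reached. The header also uses `lua_State` and `uint64_t` without including anything, so it only compiles when the including file has pulled in the Lua headers first.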
From: Jeff Lucovsky Date: Wed, 18 Sep 2024 08:18:07 -0400 Subject: [PATCH 5/7] doc: Document luaxform transform Issue: 2290 --- doc/userguide/configuration/suricata-yaml.rst | 5 +- doc/userguide/lua/lua-functions.rst | 13 +-- doc/userguide/lua/lua-usage.rst | 19 +++- doc/userguide/rules/lua-detection.rst | 19 +++- doc/userguide/rules/transforms.rst | 100 ++++++++++++++++++ doc/userguide/upgrade.rst | 2 + 6 files changed, 142 insertions(+), 16 deletions(-) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index b6488b09f197..d419289c2244 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -2861,8 +2861,9 @@ Lua ~~~ Suricata 8.0 sandboxes Lua rules by default. The restrictions on the sandbox for Lua rules can be -modified in the ``security.lua`` section of the configuration file. Additionally, Lua rules -can be completely disabled the same as the Suricata 7.0 default: +modified in the ``security.lua`` section of the configuration file. This section also applies to +Lua transforms. Additionally, Lua rules can be completely disabled in the same way as for as the +Suricata 7.0 default: :: diff --git a/doc/userguide/lua/lua-functions.rst b/doc/userguide/lua/lua-functions.rst index 92473d52c35e..e37eb3c45a11 100644 --- a/doc/userguide/lua/lua-functions.rst +++ b/doc/userguide/lua/lua-functions.rst @@ -7,6 +7,7 @@ Differences between `output` and `detect`: ------------------------------------------ Currently, the ``needs`` key initialization varies, depending on what is the goal of the script: output or detection. +The Lua script for the ``luaxform`` transform **does not use ``needs``**. If the script is for detection, the ``needs`` initialization should be as seen in the example below (see :ref:`lua-detection` for a complete example of a detection script): @@ -812,7 +813,7 @@ Example: return 0 end end - + HasshServerGet ~~~~~~~~~~~~~~ 
@@ -828,7 +829,7 @@ Example: return 0 end end - + HasshServerGetString ~~~~~~~~~~~~~~~~~~~~ @@ -998,7 +999,7 @@ index so in our case we need to use 0. SCFlowintSet(0, a + 1) else SCFlowintSet(0, 1) - end + end SCFlowintGet ~~~~~~~~~~~~ @@ -1031,7 +1032,7 @@ SCFlowvarSet Set a Flowvar. First parameter is the index, second is the data and third is the length of data. -You can use it to set string +You can use it to set string :: @@ -1041,7 +1042,7 @@ You can use it to set string needs["flowvar"] = {"cnt"} return needs end - + function match(args) a = SCFlowvarGet(0); if a then @@ -1050,7 +1051,7 @@ You can use it to set string else a = tostring(1) SCFlowvarSet(0, a, #a) - end + end Misc ---- diff --git a/doc/userguide/lua/lua-usage.rst b/doc/userguide/lua/lua-usage.rst index 19946db5e54f..a6346f62dc57 100644 --- a/doc/userguide/lua/lua-usage.rst +++ b/doc/userguide/lua/lua-usage.rst 
@@ -1,20 +1,29 @@ Lua usage in Suricata ===================== -Lua scripting can be used in two components of Suricata. The first is in -output and the second one in rules in the detection engine. +Lua scripting can be used in two components of Suricata: + + * Output + * Detection: ``lua`` keyword and ``luaxform`` transform Both features are using a list of functions to access the data extracted by Suricata. You can get the list of functions in the :ref:`lua-functions` page. -.. note:: Currently, there is a difference in the ``needs`` key in the ``init`` function, depending on what is the usage: ``output`` or ``detection``. The list of available functions may also differ. +.. note:: Currently, there is a difference in the ``needs`` key in the ``init`` function, + depending on what is the usage: ``output`` or ``detection``. The list of available + functions may also differ. The ``luaxform`` doesn't use the ``needs`` key. Lua output ---------- -Lua can be used to write arbitrary output. See :ref:`lua-output` for more information. +Lua scripts can be used to write arbitrary output. See :ref:`lua-output` for more information. Lua detection ------------- -Lua script can be used as a filter condition in signatures. See :ref:`lua-detection` for more information. +Lua scripts can be used as a filter condition in signatures. See :ref:`lua-detection` for more information. + +Lua transform +------------- + +The ``luaxform`` transform can be used in signatures. See :ref:`lua-transform` for more information. diff --git a/doc/userguide/rules/lua-detection.rst b/doc/userguide/rules/lua-detection.rst index 0f2011987ec0..ed2d8113e8f1 100644 --- a/doc/userguide/rules/lua-detection.rst +++ b/doc/userguide/rules/lua-detection.rst 
@@ -3,10 +3,18 @@ Lua Scripting for Detection =========================== +There are 2 ways that Lua can be used with detection. These are + +* ``lua`` rule keyword. +* ``luaxform`` transform. + .. note:: Lua is disabled by default for use in rules, it must be enabled in the configuration file. See the ``security.lua`` section of ``suricata.yaml`` and enable ``allow-rules``. +Lua Rule Keyword +^^^^^^^^^^^^^^^^ + Syntax: :: @@ -103,8 +111,13 @@ Entire script: return 0 -Sandbox and Available functions -------------------------------- +Lua Transform: ``luaxform`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +More details in :ref:`lua-transform`. + +Lua Sandbox and Available functions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Lua rule scripts are run in a sandbox environment the applies the following restrictions: @@ -140,7 +153,7 @@ Of note, the following standard libraries are not available: This behavior can be modified via the ``security.lua`` section of :ref:`suricata-yaml-lua-config` -.. note:: Suricata 8.0 has moved to Lua 5.4 and has builtin support for bitwise and utf8 operations now. +.. note:: Suricata 8.0 has moved to Lua 5.4 and now has builtin support for bitwise and utf8 operations. A comprehensive list of existing lua functions - with examples - can be found at :ref:`lua-functions` (some of them, however, work only for diff --git a/doc/userguide/rules/transforms.rst b/doc/userguide/rules/transforms.rst index e536757f29f7..76f147fea565 100644 --- a/doc/userguide/rules/transforms.rst +++ b/doc/userguide/rules/transforms.rst 
@@ -243,3 +243,103 @@ This example transforms `"Zm 9v Ym Fy"` to `"foobar"`:: content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc2045; \ content:"foobar"; + +.. _lua-transform: + +luaxform +-------- + +This transform allows a Lua script to apply a transformation +to a buffer. + +Lua scripts that are used for transformations *must* contain a function +named ``transform``. + +Lua transforms can be passed optional arguments -- see the examples below -- but they +are not required to do so. Arguments are comma-separated. + +Note that the arguments and values are passed without validation +nor interpretation. There is a maximum of 10 arguments. + +Lua transform function receives parameters: + + * `input-length` The number of bytes in the buffer provided to the transform + * `input` The buffer provided to the transform + * `argument` The number of arguments provided in the following parameters. If there are + no arguments to the Lua transform, this value will be `0`. + * `arguments` The list of arguments. + +The return value from a transform +This example supplies the HTTP data to a Lua transform and the transform +results are checked with `content`. + +Example:: + + alert http any any -> any any (msg:"Lua Xform example"; flow:established; \ + file.data; luaxform:./lua/lua-transform.lua; content: "abc"; sid: 2;) + + +This example supplies the HTTP data to a Lua transform with with arguments +that specify the offset and byte count for the transform. The resulting +buffer is then checked with a `content` match. + +Example:: + + alert http any any -> any any (msg:"Lua Xform example"; flow:established; \ + file.data; luaxform:./lua/lua-transform.lua, bytes 12, offset 13; content: "abc"; sid: 1;) + + +The following Lua script shows a transform that handles arguments: `bytes` and `offset` and uses +those values (or defaults, if there are no arguments) for applying the uppercase transform to +the buffer. + +.. 
code-block:: lua + + function init (args) + local needs = {} + return needs + end + + local function get_value(item, key) + if string.find(item, key) then + local _, value = string.match(item, "(%a+)%s*(%d*)") + if value ~= "" then + return tonumber(value) + end + end + + return nil + end + + -- Arguments supported + local bytes_key = "bytes" + local offset_key = "offset" + function transform(input_len, input, argc, args) + local bytes = input_len + local offset = 0 + + -- Look for optional bytes and offset arguments + for i, item in ipairs(args) do + local value = get_value(item, bytes_key) + if value ~= nil then + bytes = value + else + local value = get_value(item, offset_key) + if value ~= nil then + offset = value + end + end + end + local str_len = #input + if offset < 0 or offset > str_len then + print("offset is out of bounds: " .. offset) + return nil + end + str_len = str_len - offset + if bytes < 0 or bytes > str_len then + print("invalid bytes " .. bytes .. " or bytes > length " .. bytes .. " length " .. str_len) + return nil + end + local sub = string.sub(input, offset + 1, offset + bytes) + return string.upper(sub) + end diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 63e2146280ab..7e99e1fefe29 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -79,6 +79,8 @@ Major changes - sip.content_length - Napatech support has been moved to a capture plugin. See :doc:`Napatech plugin `. +- New transform ``luaxform`` that uses a Lua script for sticky buffer transformation. + More details in :ref:`lua-transform`. Removals ~~~~~~~~ From 723947266bd90f634821939ed38ae7d717fc19dd Mon Sep 17 00:00:00 2001 
From: Jeff Lucovsky Date: Thu, 10 Oct 2024 09:31:12 -0400 Subject: [PATCH 6/7] detect/transform: Refactor setup/apply pattern git grep -A 1 -w InspectionBufferSetup shows numerous cases of the pattern: - InspectionBufferSetup - InspectionBufferApplyTransforms Refactor the implementations of those functions into InspectionBufferSetupAndApplyTransforms to reduce function call count. Issuer: 2290 --- src/detect-dce-stub-data.c | 8 ++-- src/detect-dnp3.c | 4 +- src/detect-engine-helper.c | 7 ++-- src/detect-engine.c | 59 +++++++++++++++++++-------- src/detect-engine.h | 3 ++ src/detect-http-cookie.c | 14 +++---- src/detect-http-header-names.c | 7 ++-- src/detect-http-header.c | 11 +++-- src/detect-http-headers-stub.h | 14 +++---- src/detect-http-host.c | 14 +++---- src/detect-http-method.c | 7 ++-- src/detect-http-protocol.c | 9 ++-- src/detect-http-raw-header.c | 7 ++-- src/detect-http-request-line.c | 7 ++-- src/detect-http-response-line.c | 7 ++-- src/detect-http-start.c | 4 +- src/detect-http-stat-code.c | 7 ++-- src/detect-http-stat-msg.c | 8 ++-- src/detect-http-ua.c | 7 ++-- src/detect-http-uri.c | 11 +++-- src/detect-icmpv4hdr.c | 4 +- src/detect-icmpv6hdr.c | 4 +- src/detect-ike-key-exchange-payload.c | 3 +- src/detect-ike-nonce-payload.c | 3 +- src/detect-ike-spi.c | 6 +-- src/detect-ipv4hdr.c | 4 +- src/detect-ipv6hdr.c | 4 +- src/detect-quic-sni.c | 3 +- src/detect-quic-ua.c | 3 +- src/detect-quic-version.c | 3 +- src/detect-sip-method.c | 3 +- src/detect-sip-uri.c | 3 +- src/detect-smb-ntlmssp.c | 6 +-- src/detect-smb-share.c | 6 +-- src/detect-ssh-hassh-server-string.c | 3 +- src/detect-ssh-hassh-server.c | 4 +- src/detect-ssh-hassh-string.c | 5 +-- src/detect-ssh-hassh.c | 5 +-- src/detect-ssh-proto.c | 4 +- src/detect-ssh-software.c | 4 +- src/detect-tcphdr.c | 4 +- src/detect-tls-cert-fingerprint.c | 4 +- src/detect-tls-cert-issuer.c | 4 +- src/detect-tls-cert-serial.c | 4 +- src/detect-tls-cert-subject.c | 4 +- src/detect-tls-ja3-hash.c | 4 +- 
src/detect-tls-ja3-string.c | 4 +- src/detect-tls-ja3s-hash.c | 4 +- src/detect-tls-ja3s-string.c | 4 +- src/detect-tls-random.c | 12 +++--- src/detect-tls-sni.c | 4 +- src/detect-udphdr.c | 4 +- src/util-ja3.c | 3 +- 53 files changed, 173 insertions(+), 181 deletions(-) diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index 9642cabfdf83..e23cfb6a4e60 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -79,8 +79,8 @@ static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx, return NULL; SCLogDebug("have data!"); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } @@ -105,8 +105,8 @@ static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx, } else { buffer->flags |= DETECT_CI_FLAGS_DCE_BE; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-dnp3.c b/src/detect-dnp3.c index 0f1b252f05b4..bba0798da8d8 100644 --- a/src/detect-dnp3.c +++ b/src/detect-dnp3.c @@ -166,8 +166,8 @@ static InspectionBuffer *GetDNP3Data(DetectEngineThreadCtx *det_ctx, } SCLogDebug("tx %p data %p data_len %u", tx, tx->buffer, tx->buffer_len); - InspectionBufferSetup(det_ctx, list_id, buffer, tx->buffer, tx->buffer_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, tx->buffer, tx->buffer_len, transforms); } return buffer; } diff --git a/src/detect-engine-helper.c b/src/detect-engine-helper.c index d47e7b72bebe..94cfcfbab537 100644 --- a/src/detect-engine-helper.c +++ b/src/detect-engine-helper.c 
@@ -56,8 +56,7 @@ InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, if (!GetBuf(txv, flow_flags, &b, &b_len)) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } @@ -115,8 +114,8 @@ int DetectHelperKeywordRegister(const SCSigTableElmt *kw) (int (*)(DetectEngineThreadCtx * det_ctx, Flow * f, uint8_t flags, void *alstate, void *txv, const Signature *s, const SigMatchCtx *ctx)) kw->AppLayerTxMatch; sigmatch_table[DETECT_TBLSIZE_IDX].Setup = - (int (*)(DetectEngineCtx *de, Signature *s, const char *raw)) kw->Setup; - sigmatch_table[DETECT_TBLSIZE_IDX].Free = (void (*)(DetectEngineCtx *de, void *ptr)) kw->Free; + (int (*)(DetectEngineCtx *de, Signature *s, const char *raw))kw->Setup; + sigmatch_table[DETECT_TBLSIZE_IDX].Free = (void (*)(DetectEngineCtx *de, void *ptr))kw->Free; DETECT_TBLSIZE_IDX++; return DETECT_TBLSIZE_IDX - 1; } diff --git a/src/detect-engine.c b/src/detect-engine.c index 54879d567785..924eba6b1d69 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -105,6 +105,9 @@ static uint32_t DetectEngineTenantGetIdFromLivedev(const void *ctx, const Packet static uint32_t DetectEngineTenantGetIdFromVlanId(const void *ctx, const Packet *p); static uint32_t DetectEngineTenantGetIdFromPcap(const void *ctx, const Packet *p); +static inline void InspectionBufferApplyTransformsInternal( + DetectEngineThreadCtx *, InspectionBuffer *, const DetectEngineTransforms *); + static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL; static DetectEnginePktInspectionEngine *g_pkt_inspect_engines = NULL; static DetectEngineFrameInspectionEngine *g_frame_inspect_engines = NULL; 
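Review bot: The forward declaration of `InspectionBufferApplyTransformsInternal` added near the top of detect-engine.c looks unnecessary, because in the hunks shown for this file the definition comes before all three of its callers (`InspectionBufferApplyTransforms`, `InspectionBufferSetupMulti` and `InspectionBufferSetupAndApplyTransforms`). Dropping it removes a second copy of the signature that has to be kept in sync. If it stays, give the parameters the same names as the definition, `DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms`, so the prototype documents itself.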
@@ -1556,6 +1559,27 @@ InspectionBuffer *InspectionBufferMultipleForListGet( return buffer; } +static inline void InspectionBufferApplyTransformsInternal(DetectEngineThreadCtx *det_ctx, + InspectionBuffer *buffer, const DetectEngineTransforms *transforms) +{ + if (transforms) { + for (int i = 0; i < DETECT_TRANSFORMS_MAX; i++) { + const int id = transforms->transforms[i].transform; + if (id == 0) + break; + BUG_ON(sigmatch_table[id].Transform == NULL); + sigmatch_table[id].Transform(det_ctx, buffer, transforms->transforms[i].options); + SCLogDebug("applied transform %s", sigmatch_table[id].name); + } + } +} + +void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const DetectEngineTransforms *transforms) +{ + InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms); +} + void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size) { memset(buffer, 0, sizeof(*buffer)); @@ -1590,11 +1614,10 @@ void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer buffer->len = 0; buffer->initialized = true; - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms); } -/** \brief setup the buffer with our initial data */ -void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, +static inline void InspectionBufferSetupInternal(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len) { #ifdef DEBUG_VALIDATION 
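Review bot: `sigmatch_table[id]` in `InspectionBufferApplyTransformsInternal` is indexed with a value read directly from `transforms->transforms[i].transform`, with only `id == 0` treated specially and no range check in view, and a missing callback is handled by `BUG_ON`, which would stop the engine on the inspection path. The loop is moved unchanged from the old `InspectionBufferApplyTransforms`, but it is now the single place every buffer setup goes through and it carries no comment. I would add a header such as `/** \brief run each configured transform over the buffer in order; a 0 id ends the list */` and state where `id` is validated, presumably when the rule is parsed, which this hunk does not show. If that guarantee does not hold for every path that fills the transforms array, the check belongs at rule load so that a bad id rejects the signature rather than reaching this loop.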
@@ -1612,6 +1635,21 @@ void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, buffer->len = 0; buffer->initialized = true; } +/** \brief setup the buffer with our initial data */ +void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len) +{ + InspectionBufferSetupInternal(det_ctx, list_id, buffer, data, data_len); +} + +/** \brief setup the buffer with our initial data */ +void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, + const DetectEngineTransforms *transforms) +{ + InspectionBufferSetupInternal(det_ctx, list_id, buffer, data, data_len); + InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms); +} void InspectionBufferFree(InspectionBuffer *buffer) { @@ -1710,21 +1748,6 @@ bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_lis return true; } -void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, - const DetectEngineTransforms *transforms) -{ - if (transforms) { - for (int i = 0; i < DETECT_TRANSFORMS_MAX; i++) { - const int id = transforms->transforms[i].transform; - if (id == 0) - break; - BUG_ON(sigmatch_table[id].Transform == NULL); - sigmatch_table[id].Transform(det_ctx, buffer, transforms->transforms[i].options); - SCLogDebug("applied transform %s", sigmatch_table[id].name); - } - } -} - static void DetectBufferTypeSetupDetectEngine(DetectEngineCtx *de_ctx) { const int size = g_buffer_type_id; diff --git a/src/detect-engine.h b/src/detect-engine.h index 866ffc8d718e..4f754c0f6241 100644 --- a/src/detect-engine.h +++ b/src/detect-engine.h 
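Review bot: The `\brief` on the new `InspectionBufferSetupAndApplyTransforms` is a copy of the one on `InspectionBufferSetup` and never says that the transform chain is run, so the two public entry points read as identical. I would write it as `/** \brief setup the buffer with our initial data, then apply the transforms (if any) */` and note that callers must not follow it with `InspectionBufferApplyTransforms`, since a second pass would run every transform twice and change the bytes the rule's matches are evaluated against. A blank line between the closing brace of `InspectionBufferSetupInternal` and the comment that follows would also keep the functions visually separate. The body of `InspectionBufferSetupInternal` begins outside this hunk.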
@@ -30,6 +30,9 @@ void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size); void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len); +void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, + const DetectEngineTransforms *transforms); void InspectionBufferFree(InspectionBuffer *buffer); void *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size); void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len); diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index bd92682832ff..721e093b4e3d 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -190,8 +190,8 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -218,8 +218,8 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; 
@@ -239,8 +239,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -260,8 +259,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-header-names.c b/src/detect-http-header-names.c index 8a673cf62404..5ab116928e41 100644 --- a/src/detect-http-header-names.c +++ b/src/detect-http-header-names.c @@ -153,8 +153,8 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, if (rawdata_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } return buffer; @@ -174,8 +174,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 5283549918d7..961da06dabb9 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c 
@@ -158,8 +158,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -192,8 +191,8 @@ static uint8_t DetectEngineInspectBufferHttpHeader(DetectEngineCtx *de_ctx, goto end; } /* setup buffer and apply transforms */ - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } const uint32_t data_len = buffer->inspect_len; @@ -253,8 +252,8 @@ static void PrefilterMpmHttpHeader(DetectEngineThreadCtx *det_ctx, const void *p return; /* setup buffer and apply transforms */ - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(det_ctx, buffer, ctx->transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, ctx->transforms); } const uint32_t data_len = buffer->inspect_len; diff --git a/src/detect-http-headers-stub.h b/src/detect-http-headers-stub.h index 4af6e4f4cfa5..0e1a3f108f84 100644 --- a/src/detect-http-headers-stub.h +++ b/src/detect-http-headers-stub.h @@ -67,8 +67,8 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; 
@@ -90,8 +90,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -123,8 +122,8 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -146,8 +145,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-host.c b/src/detect-http-host.c index e8be92cf2fea..0663987c92e9 100644 --- a/src/detect-http-host.c +++ b/src/detect-http-host.c @@ -248,8 +248,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_hostname); const uint8_t *data = bstr_ptr(tx->request_hostname); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; 
@@ -269,8 +269,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -290,8 +289,7 @@ static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -361,8 +359,8 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, data_len = bstr_len(tx->parsed_uri->hostname); } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-http-method.c b/src/detect-http-method.c index e13491cb7515..e1c6c48596bb 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -209,8 +209,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_method); const uint8_t *data = bstr_ptr(tx->request_method); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; 
@@ -230,8 +230,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-protocol.c b/src/detect-http-protocol.c index caf3a4b6397e..dcc9381e7e53 100644 --- a/src/detect-http-protocol.c +++ b/src/detect-http-protocol.c @@ -107,8 +107,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -120,9 +120,8 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, { InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { - InspectionBufferSetup( - det_ctx, list_id, buffer, (const uint8_t *)"HTTP/2", strlen("HTTP/2")); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, (const uint8_t *)"HTTP/2", strlen("HTTP/2"), transforms); } return buffer; diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index c3050c17d9fe..a641f7e79278 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -197,8 +197,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = ts ? tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; 
@@ -218,8 +218,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-request-line.c b/src/detect-http-request-line.c index 915a88c2b6c8..954fef6ead1e 100644 --- a/src/detect-http-request-line.c +++ b/src/detect-http-request-line.c @@ -86,8 +86,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -164,8 +163,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_line); const uint8_t *data = bstr_ptr(tx->request_line); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-http-response-line.c b/src/detect-http-response-line.c index b8fe10fd949c..80c1b882f8a2 100644 --- a/src/detect-http-response-line.c +++ b/src/detect-http-response-line.c @@ -86,8 +86,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; 
@@ -163,8 +162,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->response_line); const uint8_t *data = bstr_ptr(tx->response_line); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-http-start.c b/src/detect-http-start.c index 3ee38d378c41..5e4b80d43fa1 100644 --- a/src/detect-http-start.c +++ b/src/detect-http-start.c @@ -158,8 +158,8 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, if (rawdata_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } return buffer; diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c index dbca81985a89..19ed9c0672e3 100644 --- a/src/detect-http-stat-code.c +++ b/src/detect-http-stat-code.c @@ -167,8 +167,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->response_status); const uint8_t *data = bstr_ptr(tx->response_status); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -190,8 +190,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; 
diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c index 06b6bb3148ba..f9baab4e347a 100644 --- a/src/detect-http-stat-msg.c +++ b/src/detect-http-stat-msg.c @@ -78,8 +78,8 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, { InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { - InspectionBufferSetup(det_ctx, list_id, buffer, (const uint8_t *)"", 0); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, (const uint8_t *)"", 0, transforms); } return buffer; @@ -176,8 +176,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->response_message); const uint8_t *data = bstr_ptr(tx->response_message); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index 238cac96424a..82439c846468 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -174,8 +174,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -197,8 +197,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; 
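Review bot: `GetData2` in detect-http-stat-msg.c sets the buffer up from the literal `""` with length 0 and then runs the whole transform chain over it, and nothing in the hunk explains why an empty buffer is supplied. A one-line comment such as `/* no status message on this path: expose an empty buffer so the keyword can still be evaluated */` would help, if that is the intent. It is also worth confirming that every registered transform tolerates a zero-length input, including the script-driven transform documented elsewhere in this series; that cannot be checked from the lines shown. The function's signature starts outside the hunk.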
diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index 29805b7b9ae4..984b5ce27250 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -236,8 +236,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx_ud->request_uri_normalized); const uint8_t *data = bstr_ptr(tx_ud->request_uri_normalized); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -259,8 +259,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -327,8 +326,8 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_uri); const uint8_t *data = bstr_ptr(tx->request_uri); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-icmpv4hdr.c b/src/detect-icmpv4hdr.c index a63b2abf8e54..43a884991555 100644 --- a/src/detect-icmpv4hdr.c +++ b/src/detect-icmpv4hdr.c 
@@ -112,8 +112,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = hlen;
 const uint8_t *data = (const uint8_t *)icmpv4h;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 SCReturnPtr(buffer, "InspectionBuffer");
diff --git a/src/detect-icmpv6hdr.c b/src/detect-icmpv6hdr.c
index 214a9e3dba5c..0bd9b2b4fc71 100644
--- a/src/detect-icmpv6hdr.c
+++ b/src/detect-icmpv6hdr.c
@@ -117,8 +117,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = hlen;
 const uint8_t *data = (const uint8_t *)icmpv6h;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 SCReturnPtr(buffer, "InspectionBuffer");
diff --git a/src/detect-ike-key-exchange-payload.c b/src/detect-ike-key-exchange-payload.c
index bca8e2dfe0fe..796af48f30d8 100644
--- a/src/detect-ike-key-exchange-payload.c
+++ b/src/detect-ike-key-exchange-payload.c
@@ -82,8 +82,7 @@ static InspectionBuffer *GetKeyExchangeData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
diff --git a/src/detect-ike-nonce-payload.c b/src/detect-ike-nonce-payload.c
index 9c90bb92abe0..ea7afdac48da 100644
--- a/src/detect-ike-nonce-payload.c
+++ b/src/detect-ike-nonce-payload.c
@@ -82,8 +82,7 @@ static InspectionBuffer *GetNonceData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
diff --git a/src/detect-ike-spi.c b/src/detect-ike-spi.c
index 86ed0aadb83e..f97ed03b679a 100644
--- a/src/detect-ike-spi.c
+++ b/src/detect-ike-spi.c
@@ -99,8 +99,7 @@ static InspectionBuffer *GetInitiatorData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
@@ -120,8 +119,7 @@ static InspectionBuffer *GetResponderData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
diff --git a/src/detect-ipv4hdr.c b/src/detect-ipv4hdr.c
index 196bccb4b69c..1db2bf0f28d6 100644
--- a/src/detect-ipv4hdr.c
+++ b/src/detect-ipv4hdr.c
@@ -113,8 +113,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = hlen;
 const uint8_t *data = (const uint8_t *)ip4h;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/detect-ipv6hdr.c b/src/detect-ipv6hdr.c
index cc678b082110..28a61023e21c 100644
--- a/src/detect-ipv6hdr.c
+++ b/src/detect-ipv6hdr.c
@@ -114,8 +114,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = hlen;
 const uint8_t *data = (const uint8_t *)ip6h;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 SCReturnPtr(buffer, "InspectionBuffer");
diff --git a/src/detect-quic-sni.c b/src/detect-quic-sni.c
index b3eb08b169b4..fc568df37ae6 100644
--- a/src/detect-quic-sni.c
+++ b/src/detect-quic-sni.c
@@ -59,8 +59,7 @@ static InspectionBuffer *GetSniData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
 }
diff --git a/src/detect-quic-ua.c b/src/detect-quic-ua.c
index 8c81b9da0c80..fc6c3103a109 100644
--- a/src/detect-quic-ua.c
+++ b/src/detect-quic-ua.c
@@ -59,8 +59,7 @@ static InspectionBuffer *GetUaData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
 }
diff --git a/src/detect-quic-version.c b/src/detect-quic-version.c
index 7f69d0d041b1..33f355966edc 100644
--- a/src/detect-quic-version.c
+++ b/src/detect-quic-version.c
@@ -59,8 +59,7 @@ static InspectionBuffer *GetVersionData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
 }
diff --git a/src/detect-sip-method.c b/src/detect-sip-method.c
index 5ade9f25563a..62071254f809 100644
--- a/src/detect-sip-method.c
+++ b/src/detect-sip-method.c
@@ -117,8 +117,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
diff --git a/src/detect-sip-uri.c b/src/detect-sip-uri.c
index 0013902bef0e..f14021fb0755 100644
--- a/src/detect-sip-uri.c
+++ b/src/detect-sip-uri.c
@@ -96,8 +96,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
diff --git a/src/detect-smb-ntlmssp.c b/src/detect-smb-ntlmssp.c
index c8db458e5ab5..efcc6f111deb 100644
--- a/src/detect-smb-ntlmssp.c
+++ b/src/detect-smb-ntlmssp.c
@@ -68,8 +68,7 @@ static InspectionBuffer *GetNtlmsspUserData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
 }
@@ -125,8 +124,7 @@ static InspectionBuffer *GetNtlmsspDomainData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
 }
diff --git a/src/detect-smb-share.c b/src/detect-smb-share.c
index 934ae239533d..36bca26a166d 100644
--- a/src/detect-smb-share.c
+++ b/src/detect-smb-share.c
@@ -69,8 +69,7 @@ static InspectionBuffer *GetNamedPipeData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
 }
@@ -130,8 +129,7 @@ static InspectionBuffer *GetShareData(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
 }
diff --git a/src/detect-ssh-hassh-server-string.c b/src/detect-ssh-hassh-server-string.c
index bb8443899f1e..92b733c10bab 100644
--- a/src/detect-ssh-hassh-server-string.c
+++ b/src/detect-ssh-hassh-server-string.c
@@ -76,8 +76,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
 return NULL;
 }
- InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms);
 }
 return buffer;
diff --git a/src/detect-ssh-hassh-server.c b/src/detect-ssh-hassh-server.c
index a9f62e8e0e0e..2410767d4ccb 100644
--- a/src/detect-ssh-hassh-server.c
+++ b/src/detect-ssh-hassh-server.c
@@ -77,8 +77,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
 return NULL;
 }
- InspectionBufferSetup(det_ctx, list_id, buffer, hasshServer, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, hasshServer, b_len, transforms);
 }
 return buffer;
diff --git a/src/detect-ssh-hassh-string.c b/src/detect-ssh-hassh-string.c
index b64c05321cc4..2f9602af82a6 100644
--- a/src/detect-ssh-hassh-string.c
+++ b/src/detect-ssh-hassh-string.c
@@ -60,7 +60,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
 const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv, const int list_id)
 {
-
+
 SCEnter();
 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
@@ -76,8 +76,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
 return NULL;
 }
- InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms);
 }
 return buffer;
diff --git a/src/detect-ssh-hassh.c b/src/detect-ssh-hassh.c
index ffad20a6d180..12aefcd5c541 100644
--- a/src/detect-ssh-hassh.c
+++ b/src/detect-ssh-hassh.c
@@ -61,7 +61,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
 const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv, const int list_id)
 {
-
+
 SCEnter();
 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
@@ -77,8 +77,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
 return NULL;
 }
- InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms);
 }
 return buffer;
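Review bot: The blank-line change in front of `SCEnter();` in `GetSshData` (src/detect-ssh-hassh-string.c, and again in src/detect-ssh-hassh.c) is a whitespace-only fix unrelated to the call replacement, and would sit better in the series' separate clang-format commit (PATCH 7/7). While the function is being touched: it opens with `SCEnter()`, but the exits visible in the following hunk are plain `return NULL;` and `return buffer;`, whereas the header getters in this patch end with `SCReturnPtr(buffer, "InspectionBuffer");`. Using `SCReturnPtr(NULL, "InspectionBuffer");` and `SCReturnPtr(buffer, "InspectionBuffer");` would keep entry and exit tracing paired. The function body continues outside both hunks, so other return paths may exist that are not shown here.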
diff --git a/src/detect-ssh-proto.c b/src/detect-ssh-proto.c
index 8e9cf60c0bd1..63b3b74d35c9 100644
--- a/src/detect-ssh-proto.c
+++ b/src/detect-ssh-proto.c
@@ -74,8 +74,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
 return NULL;
 }
- InspectionBufferSetup(det_ctx, list_id, buffer, protocol, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, protocol, b_len, transforms);
 }
 return buffer;
diff --git a/src/detect-ssh-software.c b/src/detect-ssh-software.c
index 76455ad44335..36e9cb2972e9 100644
--- a/src/detect-ssh-software.c
+++ b/src/detect-ssh-software.c
@@ -74,8 +74,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
 return NULL;
 }
- InspectionBufferSetup(det_ctx, list_id, buffer, software, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, software, b_len, transforms);
 }
 return buffer;
diff --git a/src/detect-tcphdr.c b/src/detect-tcphdr.c
index b5a3fb7e6c51..920bdd798bed 100644
--- a/src/detect-tcphdr.c
+++ b/src/detect-tcphdr.c
@@ -115,8 +115,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = hlen;
 const uint8_t *data = (const uint8_t *)tcph;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/detect-tls-cert-fingerprint.c b/src/detect-tls-cert-fingerprint.c
index cd73455bc123..dacb27504c90 100644
--- a/src/detect-tls-cert-fingerprint.c
+++ b/src/detect-tls-cert-fingerprint.c
@@ -151,8 +151,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = strlen(connp->cert0_fingerprint);
 const uint8_t *data = (uint8_t *)connp->cert0_fingerprint;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/detect-tls-cert-issuer.c b/src/detect-tls-cert-issuer.c
index b7d6047fe32e..f6a6038a3d98 100644
--- a/src/detect-tls-cert-issuer.c
+++ b/src/detect-tls-cert-issuer.c
@@ -140,8 +140,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = strlen(connp->cert0_issuerdn);
 const uint8_t *data = (uint8_t *)connp->cert0_issuerdn;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/detect-tls-cert-serial.c b/src/detect-tls-cert-serial.c
index ec59a5be4db5..99bdadef2827 100644
--- a/src/detect-tls-cert-serial.c
+++ b/src/detect-tls-cert-serial.c
@@ -150,8 +150,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = strlen(connp->cert0_serial);
 const uint8_t *data = (uint8_t *)connp->cert0_serial;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/detect-tls-cert-subject.c b/src/detect-tls-cert-subject.c
index e7cad1163c75..f79bf69d6470 100644
--- a/src/detect-tls-cert-subject.c
+++ b/src/detect-tls-cert-subject.c
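Review bot: The arguments handed to the new call in `GetData` of src/detect-tls-cert-fingerprint.c come from `const uint32_t data_len = strlen(connp->cert0_fingerprint);` and `const uint8_t *data = (uint8_t *)connp->cert0_fingerprint;`, so a `size_t` is narrowed to 32 bits without a check and the cast spells a non-const pointer that is then stored as const. The header getters in this same patch already write `(const uint8_t *)icmpv4h`; matching that here would read `const uint8_t *data = (const uint8_t *)connp->cert0_fingerprint;`. These strings presumably derive from peer-supplied handshake data, so if the parser does not already cap their length, an explicit bound before the narrowing would be worth adding. The same two lines appear in the tls-cert-issuer, tls-cert-serial, tls-cert-subject, tls-ja3-hash, tls-ja3-string, tls-ja3s-hash, tls-ja3s-string and tls-sni hunks; `GetData` starts and ends outside each of them.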
@@ -142,8 +142,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = strlen(connp->cert0_subject);
 const uint8_t *data = (uint8_t *)connp->cert0_subject;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c
index 82d148f5c67e..9e12b487a1c6 100644
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
@@ -171,8 +171,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = strlen(ssl_state->client_connp.ja3_hash);
 const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_hash;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/detect-tls-ja3-string.c b/src/detect-tls-ja3-string.c
index 4df4e3a56b35..bce623d955b6 100644
--- a/src/detect-tls-ja3-string.c
+++ b/src/detect-tls-ja3-string.c
@@ -161,8 +161,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = strlen(ssl_state->client_connp.ja3_str->data);
 const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_str->data;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/detect-tls-ja3s-hash.c b/src/detect-tls-ja3s-hash.c
index 96a0104b0de6..ba1dd5613470 100644
--- a/src/detect-tls-ja3s-hash.c
+++ b/src/detect-tls-ja3s-hash.c
@@ -169,8 +169,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = strlen(ssl_state->server_connp.ja3_hash);
 const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_hash;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/detect-tls-ja3s-string.c b/src/detect-tls-ja3s-string.c
index 3e49e46d205b..10d1d5468c66 100644
--- a/src/detect-tls-ja3s-string.c
+++ b/src/detect-tls-ja3s-string.c
@@ -161,8 +161,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = strlen(ssl_state->server_connp.ja3_str->data);
 const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_str->data;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/detect-tls-random.c b/src/detect-tls-random.c
index 74d54a67813c..e6eab9920545 100644
--- a/src/detect-tls-random.c
+++ b/src/detect-tls-random.c
@@ -222,8 +222,8 @@ static InspectionBuffer *GetRandomTimeData(DetectEngineThreadCtx *det_ctx,
 } else {
 data = ssl_state->server_connp.random;
 }
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
 }
@@ -249,8 +249,8 @@ static InspectionBuffer *GetRandomBytesData(DetectEngineThreadCtx *det_ctx,
 } else {
 data = ssl_state->server_connp.random + DETECT_TLS_RANDOM_TIME_LEN;
 }
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
 }
@@ -276,8 +276,8 @@ static InspectionBuffer *GetRandomData(DetectEngineThreadCtx *det_ctx,
 } else {
 data = ssl_state->server_connp.random;
 }
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
 }
diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c
index 421530ee5ec9..ff6f2dcd01f7 100644
--- a/src/detect-tls-sni.c
+++ b/src/detect-tls-sni.c
@@ -122,8 +122,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = strlen(ssl_state->client_connp.sni);
 const uint8_t *data = (uint8_t *)ssl_state->client_connp.sni;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/detect-udphdr.c b/src/detect-udphdr.c
index d171deaf32d4..0e604104a8b5 100644
--- a/src/detect-udphdr.c
+++ b/src/detect-udphdr.c
@@ -111,8 +111,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const uint32_t data_len = UDP_HEADER_LEN;
 const uint8_t *data = (const uint8_t *)udph;
- InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(
+ det_ctx, list_id, buffer, data, data_len, transforms);
 }
 return buffer;
diff --git a/src/util-ja3.c b/src/util-ja3.c
index 93fec9c37164..af2cbbb2b3e6 100644
--- a/src/util-ja3.c
+++ b/src/util-ja3.c
@@ -297,8 +297,7 @@ InspectionBuffer *Ja3DetectGetString(DetectEngineThreadCtx *det_ctx,
 if (b == NULL || b_len == 0)
 return NULL;
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
+ InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
 }
 return buffer;
 }
From 01937b8c38620d594e2045afaa0c1999bc0d65af Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Tue, 19 Nov 2024 08:27:13 -0500
Subject: [PATCH 7/7] clang/format: Fixup format Address clang-format issue with otherwise unchanged source file.
---
 src/detect-engine-mpm.h | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/detect-engine-mpm.h b/src/detect-engine-mpm.h
index 10bdb86f5bcb..5110e0cad9fa 100644
--- a/src/detect-engine-mpm.h
+++ b/src/detect-engine-mpm.h
@@ -113,7 +113,6 @@ void DetectEngineFrameMpmRegister(DetectEngineCtx *de_ctx, const char *name, int
 const DetectBufferMpmRegistry *mpm_reg, int list_id),
 AppProto alproto, uint8_t type);
-
 int PrefilterGenericMpmFrameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
 const DetectBufferMpmRegistry *mpm_reg, int list_id);