From 8d9d248d8a82820989b8f73982a569f181d83ac4 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Thu, 12 Sep 2024 10:44:05 -0400 Subject: [PATCH 1/6] transforms: Make ctx available This commit makes the detection engine thread context available for transforms to use. The Lua transform requires this value. Issue: 2290 --- src/detect-dce-stub-data.c | 4 ++-- src/detect-dnp3.c | 2 +- src/detect-dns-answer-name.c | 2 +- src/detect-dns-query-name.c | 2 +- src/detect-dns-query.c | 2 +- src/detect-engine-frame.c | 16 +++++++------- src/detect-engine-helper.c | 4 ++-- src/detect-engine.c | 10 ++++----- src/detect-engine.h | 6 +++--- src/detect-file-data.c | 5 +++-- src/detect-filemagic.c | 2 +- src/detect-filename.c | 2 +- src/detect-http-client-body.c | 2 +- src/detect-http-cookie.c | 8 +++---- src/detect-http-header-names.c | 4 ++-- src/detect-http-header.c | 12 +++++------ src/detect-http-headers-stub.h | 8 +++---- src/detect-http-host.c | 8 +++---- src/detect-http-method.c | 4 ++-- src/detect-http-protocol.c | 4 ++-- src/detect-http-raw-header.c | 4 ++-- src/detect-http-request-line.c | 4 ++-- src/detect-http-response-line.c | 4 ++-- src/detect-http-start.c | 2 +- src/detect-http-stat-code.c | 4 ++-- src/detect-http-stat-msg.c | 4 ++-- src/detect-http-ua.c | 4 ++-- src/detect-http-uri.c | 6 +++--- src/detect-icmpv4hdr.c | 2 +- src/detect-icmpv6hdr.c | 2 +- src/detect-ike-key-exchange-payload.c | 2 +- src/detect-ike-nonce-payload.c | 2 +- src/detect-ike-spi.c | 4 ++-- src/detect-ike-vendor.c | 2 +- src/detect-ipaddr.c | 4 ++-- src/detect-ipv4hdr.c | 2 +- src/detect-ipv6hdr.c | 2 +- src/detect-ja4-hash.c | 4 ++-- src/detect-krb5-cname.c | 2 +- src/detect-krb5-sname.c | 2 +- src/detect-quic-cyu-hash.c | 2 +- src/detect-quic-cyu-string.c | 2 +- src/detect-quic-sni.c | 2 +- src/detect-quic-ua.c | 2 +- src/detect-quic-version.c | 2 +- src/detect-sip-method.c | 2 +- src/detect-sip-uri.c | 2 +- src/detect-smb-ntlmssp.c | 4 ++-- src/detect-smb-share.c | 4 ++-- src/detect-ssh-hassh-server-string.c | 2 +- src/detect-ssh-hassh-server.c | 2 +- src/detect-ssh-hassh-string.c | 2 +- src/detect-ssh-hassh.c | 2 +- src/detect-ssh-proto.c | 2 +- src/detect-ssh-software.c | 2 +- src/detect-tcphdr.c | 2 +- src/detect-tls-alpn.c | 2 +- src/detect-tls-cert-fingerprint.c | 2 +- src/detect-tls-cert-issuer.c | 2 +- src/detect-tls-cert-serial.c | 2 +- src/detect-tls-cert-subject.c | 2 +- src/detect-tls-certs.c | 2 +- src/detect-tls-ja3-hash.c | 2 +- src/detect-tls-ja3-string.c | 2 +- src/detect-tls-ja3s-hash.c | 2 +- src/detect-tls-ja3s-string.c | 2 +- src/detect-tls-random.c | 6 +++--- src/detect-tls-sni.c | 2 +- src/detect-tls-subjectaltname.c | 2 +- src/detect-transform-base64.c | 24 +++++++++++---------- src/detect-transform-casechange.c | 6 ++++-- src/detect-transform-compress-whitespace.c | 10 +++++---- src/detect-transform-dotprefix.c | 10 +++++---- src/detect-transform-header-lowercase.c | 3 ++- src/detect-transform-md5.c | 6 +++--- src/detect-transform-pcrexform.c | 6 ++++-- src/detect-transform-sha1.c | 7 +++--- src/detect-transform-sha256.c | 8 ++++--- src/detect-transform-strip-pseudo-headers.c | 3 ++- src/detect-transform-strip-whitespace.c | 10 +++++---- src/detect-transform-urldecode.c | 8 ++++--- src/detect-transform-xor.c | 6 ++++-- src/detect-udphdr.c | 2 +- src/detect.h | 2 +- src/util-ja3.c | 4 ++-- 85 files changed, 186 insertions(+), 164 deletions(-) diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index b0ee04590583..9642cabfdf83 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -80,7 +80,7 @@ static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx, SCLogDebug("have data!"); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -106,7 +106,7 @@ static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx, buffer->flags |= DETECT_CI_FLAGS_DCE_BE; } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-dnp3.c b/src/detect-dnp3.c index 807c189611d8..0f1b252f05b4 100644 --- a/src/detect-dnp3.c +++ b/src/detect-dnp3.c @@ -167,7 +167,7 @@ static InspectionBuffer *GetDNP3Data(DetectEngineThreadCtx *det_ctx, SCLogDebug("tx %p data %p data_len %u", tx, tx->buffer, tx->buffer_len); InspectionBufferSetup(det_ctx, list_id, buffer, tx->buffer, tx->buffer_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-dns-answer-name.c b/src/detect-dns-answer-name.c index dc1272d47510..8c7243e8ae76 100644 --- a/src/detect-dns-answer-name.c +++ b/src/detect-dns-answer-name.c @@ -64,7 +64,7 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; return buffer; } diff --git a/src/detect-dns-query-name.c b/src/detect-dns-query-name.c index ca1cc79fa4bf..05eb0a8d7a15 100644 --- a/src/detect-dns-query-name.c +++ b/src/detect-dns-query-name.c @@ -64,7 +64,7 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; return buffer; } diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c index ef510f15287a..db25af166af5 100644 --- a/src/detect-dns-query.c +++ b/src/detect-dns-query.c @@ -85,7 +85,7 @@ static InspectionBuffer *DnsQueryGetData(DetectEngineThreadCtx *det_ctx, InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-engine-frame.c b/src/detect-engine-frame.c index fd3163d59732..5b3f01281984 100644 --- a/src/detect-engine-frame.c +++ b/src/detect-engine-frame.c @@ -67,8 +67,8 @@ static bool SetupStreamCallbackData(struct FrameStreamData *dst, const TcpSessio static bool BufferSetup(struct FrameStreamData *fsd, InspectionBuffer *buffer, const uint8_t *input, const uint32_t input_len, const uint64_t input_offset); -static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const Packet *p, - const DetectEngineTransforms *transforms); +static void BufferSetupUdp(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const Frame *frame, const Packet *p, const DetectEngineTransforms *transforms); void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const Frames *frames, const Frame *frame, const AppProto alproto) @@ -159,7 +159,7 @@ static void PrefilterMpmFrame(DetectEngineThreadCtx *det_ctx, const void *pectx, if (frame->offset >= p->payload_len) return; - BufferSetupUdp(buffer, frame, p, ctx->transforms); + BufferSetupUdp(det_ctx, buffer, frame, p, ctx->transforms); const uint32_t data_len = buffer->inspect_len; const uint8_t *data = buffer->inspect; @@ -251,8 +251,8 @@ bool DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, c return false; } -static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const Packet *p, - const DetectEngineTransforms *transforms) +static void BufferSetupUdp(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const Frame *frame, const Packet *p, const DetectEngineTransforms *transforms) { uint8_t ci_flags = DETECT_CI_FLAGS_START; uint32_t frame_len; @@ -275,7 +275,7 @@ static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const P AppLayerParserGetFrameNameById(p->flow->proto, p->flow->alproto, frame->type), frame->offset, frame->type, frame->len); - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->inspect_offset = 0; buffer->flags = ci_flags; } @@ -301,7 +301,7 @@ static int DetectFrameInspectUdp(DetectEngineThreadCtx *det_ctx, return DETECT_ENGINE_INSPECT_SIG_NO_MATCH; if (!buffer->initialized) - BufferSetupUdp(buffer, frame, p, transforms); + BufferSetupUdp(det_ctx, buffer, frame, p, transforms); DEBUG_VALIDATE_BUG_ON(!buffer->initialized); if (buffer->inspect == NULL) return DETECT_ENGINE_INSPECT_SIG_NO_MATCH; @@ -387,7 +387,7 @@ static bool BufferSetup(struct FrameStreamData *fsd, InspectionBuffer *buffer, c } // PrintRawDataFp(stdout, data, data_len); SCLogDebug("fsd->transforms %p", fsd->transforms); - InspectionBufferSetupMulti(buffer, fsd->transforms, data, data_len); + InspectionBufferSetupMulti(fsd->det_ctx, buffer, fsd->transforms, data, data_len); SCLogDebug("inspect_offset %" PRIu64, fo_inspect_offset); buffer->inspect_offset = fo_inspect_offset; buffer->flags = ci_flags; diff --git a/src/detect-engine-helper.c b/src/detect-engine-helper.c index 740fec7618c8..e389519d31bc 100644 --- a/src/detect-engine-helper.c +++ b/src/detect-engine-helper.c @@ -57,7 +57,7 @@ InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -140,7 +140,7 @@ InspectionBuffer *DetectHelperGetMultiData(struct DetectEngineThreadCtx_ *det_ct InspectionBufferSetupMultiEmpty(buffer); return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; return buffer; } diff --git a/src/detect-engine.c b/src/detect-engine.c index 6dec58b8fa2f..99168dacd663 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -1575,8 +1575,8 @@ void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer) } /** \brief setup the buffer with our initial data */ -void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, - const uint8_t *data, const uint32_t data_len) +void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len) { #ifdef DEBUG_VALIDATION DEBUG_VALIDATE_BUG_ON(!buffer->multi); @@ -1586,7 +1586,7 @@ void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTran buffer->len = 0; buffer->initialized = true; - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } /** \brief setup the buffer with our initial data */ @@ -1694,7 +1694,7 @@ bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_lis return true; } -void InspectionBufferApplyTransforms(InspectionBuffer *buffer, +void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms) { if (transforms) { @@ -1703,7 +1703,7 @@ void InspectionBufferApplyTransforms(InspectionBuffer *buffer, if (id == 0) break; BUG_ON(sigmatch_table[id].Transform == NULL); - sigmatch_table[id].Transform(buffer, transforms->transforms[i].options); + sigmatch_table[id].Transform(det_ctx, buffer, transforms->transforms[i].options); SCLogDebug("applied transform %s", sigmatch_table[id].name); } } diff --git a/src/detect-engine.h b/src/detect-engine.h index 11d747537f1e..9f1ac8aff433 100644 --- a/src/detect-engine.h +++ b/src/detect-engine.h @@ -33,13 +33,13 @@ void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, void InspectionBufferFree(InspectionBuffer *buffer); void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size); void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len); -void InspectionBufferApplyTransforms(InspectionBuffer *buffer, +void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms); void InspectionBufferClean(DetectEngineThreadCtx *det_ctx); InspectionBuffer *InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id); void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer); -void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, - const uint8_t *data, const uint32_t data_len); +void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len); InspectionBuffer *InspectionBufferMultipleForListGet( DetectEngineThreadCtx *det_ctx, const int list_id, uint32_t local_id); diff --git a/src/detect-file-data.c b/src/detect-file-data.c index a721c08c7cf9..3dc132d8d076 100644 --- a/src/detect-file-data.c +++ b/src/detect-file-data.c @@ -192,7 +192,8 @@ static inline InspectionBuffer *FiledataWithXformsGetDataCallback(DetectEngineTh return buffer; } - InspectionBufferSetupMulti(buffer, transforms, base_buffer->inspect, base_buffer->inspect_len); + InspectionBufferSetupMulti( + det_ctx, buffer, transforms, base_buffer->inspect, base_buffer->inspect_len); buffer->inspect_offset = base_buffer->inspect_offset; SCLogDebug("xformed buffer %p size %u", buffer, buffer->inspect_len); SCReturnPtr(buffer, "InspectionBuffer"); @@ -351,7 +352,7 @@ static InspectionBuffer *FiledataGetDataCallback(DetectEngineThreadCtx *det_ctx, SCLogDebug("content inspected: %" PRIu64, cur_file->content_inspected); } - InspectionBufferSetupMulti(buffer, NULL, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, NULL, data, data_len); SCLogDebug("[list %d] [before] buffer offset %" PRIu64 "; buffer len %" PRIu32 "; data_len %" PRIu32 "; file_size %" PRIu64, list_id, buffer->inspect_offset, buffer->inspect_len, data_len, file_size); diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c index f23434d8666e..aa1e319ea11c 100644 --- a/src/detect-filemagic.c +++ b/src/detect-filemagic.c @@ -291,7 +291,7 @@ static InspectionBuffer *FilemagicGetDataCallback(DetectEngineThreadCtx *det_ctx const uint8_t *data = (const uint8_t *)cur_file->magic; uint32_t data_len = (uint32_t)strlen(cur_file->magic); - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); SCReturnPtr(buffer, "InspectionBuffer"); } diff --git a/src/detect-filename.c b/src/detect-filename.c index f75fdbd680fe..11e576071055 100644 --- a/src/detect-filename.c +++ b/src/detect-filename.c @@ -228,7 +228,7 @@ static InspectionBuffer *FilenameGetDataCallback(DetectEngineThreadCtx *det_ctx, const uint8_t *data = cur_file->name; uint32_t data_len = cur_file->name_len; - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); SCReturnPtr(buffer, "InspectionBuffer"); } diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index 5e5604ea594d..192d71ff30da 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -202,7 +202,7 @@ static inline InspectionBuffer *HttpRequestBodyXformsGetDataCallback(DetectEngin InspectionBufferSetup(det_ctx, list_id, buffer, base_buffer->inspect, base_buffer->inspect_len); buffer->inspect_offset = base_buffer->inspect_offset; - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); SCLogDebug("xformed buffer %p size %u", buffer, buffer->inspect_len); SCReturnPtr(buffer, "InspectionBuffer"); } diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 5f4898285460..bd92682832ff 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -191,7 +191,7 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(h->value); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -219,7 +219,7 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(h->value); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -240,7 +240,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -261,7 +261,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-header-names.c b/src/detect-http-header-names.c index 66bc73d44c80..8a673cf62404 100644 --- a/src/detect-http-header-names.c +++ b/src/detect-http-header-names.c @@ -154,7 +154,7 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -175,7 +175,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-header.c b/src/detect-http-header.c index be825e5ec714..046aa0bbc4e8 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -159,7 +159,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -193,7 +193,7 @@ static uint8_t DetectEngineInspectBufferHttpHeader(DetectEngineCtx *de_ctx, } /* setup buffer and apply transforms */ InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } const uint32_t data_len = buffer->inspect_len; @@ -254,7 +254,7 @@ static void PrefilterMpmHttpHeader(DetectEngineThreadCtx *det_ctx, const void *p /* setup buffer and apply transforms */ InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, ctx->transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, ctx->transforms); } const uint32_t data_len = buffer->inspect_len; @@ -527,7 +527,7 @@ static InspectionBuffer *GetHttp2HeaderData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, b, b_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); @@ -605,8 +605,8 @@ static InspectionBuffer *GetHttp1HeaderData(DetectEngineThreadCtx *det_ctx, // hdr_td->len is the number of header buffers if (local_id < hdr_td->len) { // we have one valid header buffer - InspectionBufferSetupMulti( - buffer, transforms, hdr_td->items[local_id].buffer, hdr_td->items[local_id].len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, hdr_td->items[local_id].buffer, + hdr_td->items[local_id].len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); } // else there are no more header buffer to get diff --git a/src/detect-http-headers-stub.h b/src/detect-http-headers-stub.h index 82d5f543d7a9..4af6e4f4cfa5 100644 --- a/src/detect-http-headers-stub.h +++ b/src/detect-http-headers-stub.h @@ -68,7 +68,7 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(h->value); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -91,7 +91,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -124,7 +124,7 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(h->value); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -147,7 +147,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-host.c b/src/detect-http-host.c index fe36a261e6cc..e8be92cf2fea 100644 --- a/src/detect-http-host.c +++ b/src/detect-http-host.c @@ -249,7 +249,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->request_hostname); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -270,7 +270,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -291,7 +291,7 @@ static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -362,7 +362,7 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 8d08f0369e90..e13491cb7515 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -210,7 +210,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->request_method); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -231,7 +231,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-protocol.c b/src/detect-http-protocol.c index 6214c80513be..caf3a4b6397e 100644 --- a/src/detect-http-protocol.c +++ b/src/detect-http-protocol.c @@ -108,7 +108,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -122,7 +122,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (buffer->inspect == NULL) { InspectionBufferSetup( det_ctx, list_id, buffer, (const uint8_t *)"HTTP/2", strlen("HTTP/2")); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index 0bb834b7726a..c3050c17d9fe 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -198,7 +198,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -219,7 +219,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-request-line.c b/src/detect-http-request-line.c index 886e643a3eda..915a88c2b6c8 100644 --- a/src/detect-http-request-line.c +++ b/src/detect-http-request-line.c @@ -87,7 +87,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -165,7 +165,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->request_line); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-http-response-line.c b/src/detect-http-response-line.c index 69ee8c2709ab..b8fe10fd949c 100644 --- a/src/detect-http-response-line.c +++ b/src/detect-http-response-line.c @@ -87,7 +87,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -164,7 +164,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->response_line); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-http-start.c b/src/detect-http-start.c index e88ac3cdf68f..3ee38d378c41 100644 --- a/src/detect-http-start.c +++ b/src/detect-http-start.c @@ -159,7 +159,7 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c index 37dfb2efbdcc..dbca81985a89 100644 --- a/src/detect-http-stat-code.c +++ b/src/detect-http-stat-code.c @@ -168,7 +168,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->response_status); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -191,7 +191,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c index b1a485d7a933..06b6bb3148ba 100644 --- a/src/detect-http-stat-msg.c +++ b/src/detect-http-stat-msg.c @@ -79,7 +79,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { InspectionBufferSetup(det_ctx, list_id, buffer, (const uint8_t *)"", 0); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -177,7 +177,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->response_message); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index 8babd9adcb50..238cac96424a 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -175,7 +175,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(h->value); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -198,7 +198,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index 12c6f8788549..29805b7b9ae4 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -237,7 +237,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx_ud->request_uri_normalized); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -260,7 +260,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -328,7 +328,7 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = bstr_ptr(tx->request_uri); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-icmpv4hdr.c b/src/detect-icmpv4hdr.c index 259fbdc2ecc6..3285fb2e9d32 100644 --- a/src/detect-icmpv4hdr.c +++ b/src/detect-icmpv4hdr.c @@ -112,7 +112,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)icmpv4h; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-icmpv6hdr.c b/src/detect-icmpv6hdr.c index 54f1cd35a04f..214a9e3dba5c 100644 --- a/src/detect-icmpv6hdr.c +++ b/src/detect-icmpv6hdr.c @@ -118,7 +118,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)icmpv6h; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-ike-key-exchange-payload.c b/src/detect-ike-key-exchange-payload.c index 9d83fba33dec..bca8e2dfe0fe 100644 --- a/src/detect-ike-key-exchange-payload.c +++ b/src/detect-ike-key-exchange-payload.c @@ -83,7 +83,7 @@ static InspectionBuffer *GetKeyExchangeData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ike-nonce-payload.c b/src/detect-ike-nonce-payload.c index a2c4ac6f9a2a..9c90bb92abe0 100644 --- a/src/detect-ike-nonce-payload.c +++ b/src/detect-ike-nonce-payload.c @@ -83,7 +83,7 @@ static InspectionBuffer *GetNonceData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ike-spi.c b/src/detect-ike-spi.c index 9f310b8f580a..86ed0aadb83e 100644 --- a/src/detect-ike-spi.c +++ b/src/detect-ike-spi.c @@ -100,7 +100,7 @@ static InspectionBuffer *GetInitiatorData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -121,7 +121,7 @@ static InspectionBuffer *GetResponderData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ike-vendor.c b/src/detect-ike-vendor.c index e3c09e9a44c6..c1b2f6888b2d 100644 --- a/src/detect-ike-vendor.c +++ b/src/detect-ike-vendor.c @@ -58,7 +58,7 @@ static InspectionBuffer *IkeVendorGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-ipaddr.c b/src/detect-ipaddr.c index aeac80f71d19..a3d2c6b4c872 100644 --- a/src/detect-ipaddr.c +++ b/src/detect-ipaddr.c @@ -128,7 +128,7 @@ static InspectionBuffer *GetDataSrc(DetectEngineThreadCtx *det_ctx, } else { return NULL; } - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -152,7 +152,7 @@ static InspectionBuffer *GetDataDst(DetectEngineThreadCtx *det_ctx, } else { return NULL; } - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ipv4hdr.c b/src/detect-ipv4hdr.c index 78fe0062ea46..196bccb4b69c 100644 --- a/src/detect-ipv4hdr.c +++ b/src/detect-ipv4hdr.c @@ -114,7 +114,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)ip4h; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ipv6hdr.c b/src/detect-ipv6hdr.c index 2f5e79d33d4e..cc678b082110 100644 --- a/src/detect-ipv6hdr.c +++ b/src/detect-ipv6hdr.c @@ -115,7 +115,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)ip6h; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-ja4-hash.c b/src/detect-ja4-hash.c index ebddc6b6d060..dfa9c80c0949 100644 --- a/src/detect-ja4-hash.c +++ b/src/detect-ja4-hash.c @@ -148,7 +148,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, InspectionBufferSetup(det_ctx, list_id, buffer, data, 0); InspectionBufferCopy(buffer, data, JA4_HEX_LEN); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; @@ -170,7 +170,7 @@ static InspectionBuffer *Ja4DetectGetHash(DetectEngineThreadCtx *det_ctx, InspectionBufferSetup(det_ctx, list_id, buffer, NULL, 0); InspectionBufferCopy(buffer, (uint8_t *)b, JA4_HEX_LEN); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-krb5-cname.c b/src/detect-krb5-cname.c index 1411f7380806..9a71edce8a9d 100644 --- a/src/detect-krb5-cname.c +++ b/src/detect-krb5-cname.c @@ -73,7 +73,7 @@ static InspectionBuffer *GetKrb5CNameData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, b, b_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-krb5-sname.c b/src/detect-krb5-sname.c index 3cd6f0e222cc..9a59da3710d0 100644 --- a/src/detect-krb5-sname.c +++ b/src/detect-krb5-sname.c @@ -73,7 +73,7 @@ static InspectionBuffer *GetKrb5SNameData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, b, b_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, b, b_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-quic-cyu-hash.c b/src/detect-quic-cyu-hash.c index 17836d1596b5..c0a13a5d9581 100644 --- a/src/detect-quic-cyu-hash.c +++ b/src/detect-quic-cyu-hash.c @@ -76,7 +76,7 @@ static InspectionBuffer *QuicHashGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-quic-cyu-string.c b/src/detect-quic-cyu-string.c index c2460f11546c..0112b8c46889 100644 --- a/src/detect-quic-cyu-string.c +++ b/src/detect-quic-cyu-string.c @@ -72,7 +72,7 @@ static InspectionBuffer *QuicStringGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, data, data_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-quic-sni.c b/src/detect-quic-sni.c index 0e4bf2d09101..b3eb08b169b4 100644 --- a/src/detect-quic-sni.c +++ b/src/detect-quic-sni.c @@ -60,7 +60,7 @@ static InspectionBuffer *GetSniData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-quic-ua.c b/src/detect-quic-ua.c index 0e72770cb068..8c81b9da0c80 100644 --- a/src/detect-quic-ua.c +++ b/src/detect-quic-ua.c @@ -60,7 +60,7 @@ static InspectionBuffer *GetUaData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-quic-version.c b/src/detect-quic-version.c index 08bf80c0022c..7f69d0d041b1 100644 --- a/src/detect-quic-version.c +++ b/src/detect-quic-version.c @@ -60,7 +60,7 @@ static InspectionBuffer *GetVersionData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-sip-method.c b/src/detect-sip-method.c index ed22381d9ffc..5ade9f25563a 100644 --- a/src/detect-sip-method.c +++ b/src/detect-sip-method.c @@ -118,7 +118,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-sip-uri.c b/src/detect-sip-uri.c index daf42235d8c5..0013902bef0e 100644 --- a/src/detect-sip-uri.c +++ b/src/detect-sip-uri.c @@ -97,7 +97,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-smb-ntlmssp.c b/src/detect-smb-ntlmssp.c index aa53269309cf..c8db458e5ab5 100644 --- a/src/detect-smb-ntlmssp.c +++ b/src/detect-smb-ntlmssp.c @@ -69,7 +69,7 @@ static InspectionBuffer *GetNtlmsspUserData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -126,7 +126,7 @@ static InspectionBuffer *GetNtlmsspDomainData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-smb-share.c b/src/detect-smb-share.c index 018d8ceefd79..934ae239533d 100644 --- a/src/detect-smb-share.c +++ b/src/detect-smb-share.c @@ -70,7 +70,7 @@ static InspectionBuffer *GetNamedPipeData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -131,7 +131,7 @@ static InspectionBuffer *GetShareData(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-ssh-hassh-server-string.c b/src/detect-ssh-hassh-server-string.c index f62c72e79c79..bb8443899f1e 100644 --- a/src/detect-ssh-hassh-server-string.c +++ b/src/detect-ssh-hassh-server-string.c @@ -77,7 +77,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ssh-hassh-server.c b/src/detect-ssh-hassh-server.c index 98f7d3dc2e2f..a9f62e8e0e0e 100644 --- a/src/detect-ssh-hassh-server.c +++ b/src/detect-ssh-hassh-server.c @@ -78,7 +78,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, hasshServer, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ssh-hassh-string.c b/src/detect-ssh-hassh-string.c index ad29b90ee764..b64c05321cc4 100644 --- a/src/detect-ssh-hassh-string.c +++ b/src/detect-ssh-hassh-string.c @@ -77,7 +77,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ssh-hassh.c b/src/detect-ssh-hassh.c index 377aa9d2c433..ffad20a6d180 100644 --- a/src/detect-ssh-hassh.c +++ b/src/detect-ssh-hassh.c @@ -78,7 +78,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ssh-proto.c b/src/detect-ssh-proto.c index 19807511e757..8e9cf60c0bd1 100644 --- a/src/detect-ssh-proto.c +++ b/src/detect-ssh-proto.c @@ -75,7 +75,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, protocol, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-ssh-software.c b/src/detect-ssh-software.c index 0a8d5aab0d97..76455ad44335 100644 --- a/src/detect-ssh-software.c +++ b/src/detect-ssh-software.c @@ -75,7 +75,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, } InspectionBufferSetup(det_ctx, list_id, buffer, software, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tcphdr.c b/src/detect-tcphdr.c index fd7df2f687d7..b5a3fb7e6c51 100644 --- a/src/detect-tcphdr.c +++ b/src/detect-tcphdr.c @@ -116,7 +116,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)tcph; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-alpn.c b/src/detect-tls-alpn.c index b4aa82f9c52a..ccee33b14b64 100644 --- a/src/detect-tls-alpn.c +++ b/src/detect-tls-alpn.c @@ -141,7 +141,7 @@ static InspectionBuffer *TlsAlpnGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, a->alpn, a->size); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, a->alpn, a->size); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-tls-cert-fingerprint.c b/src/detect-tls-cert-fingerprint.c index 9fec32151dd6..cd73455bc123 100644 --- a/src/detect-tls-cert-fingerprint.c +++ b/src/detect-tls-cert-fingerprint.c @@ -152,7 +152,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)connp->cert0_fingerprint; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-cert-issuer.c b/src/detect-tls-cert-issuer.c index 49bada4cdf6d..b7d6047fe32e 100644 --- a/src/detect-tls-cert-issuer.c +++ b/src/detect-tls-cert-issuer.c @@ -141,7 +141,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)connp->cert0_issuerdn; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-cert-serial.c b/src/detect-tls-cert-serial.c index 0ac7bfdd20cc..ec59a5be4db5 100644 --- a/src/detect-tls-cert-serial.c +++ b/src/detect-tls-cert-serial.c @@ -151,7 +151,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)connp->cert0_serial; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-cert-subject.c b/src/detect-tls-cert-subject.c index e0dcde30a830..e7cad1163c75 100644 --- a/src/detect-tls-cert-subject.c +++ b/src/detect-tls-cert-subject.c @@ -143,7 +143,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)connp->cert0_subject; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-certs.c b/src/detect-tls-certs.c index f34c5e23bfb6..ef222b2f2c9e 100644 --- a/src/detect-tls-certs.c +++ b/src/detect-tls-certs.c @@ -101,7 +101,7 @@ static InspectionBuffer *TlsCertsGetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetupMulti(buffer, transforms, cert->cert_data, cert->cert_len); + InspectionBufferSetupMulti(det_ctx, buffer, transforms, cert->cert_data, cert->cert_len); buffer->flags = DETECT_CI_FLAGS_SINGLE; SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c index 57b0e55edeb5..82d148f5c67e 100644 --- a/src/detect-tls-ja3-hash.c +++ b/src/detect-tls-ja3-hash.c @@ -172,7 +172,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_hash; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-ja3-string.c b/src/detect-tls-ja3-string.c index 1ec289c6e9d1..4df4e3a56b35 100644 --- a/src/detect-tls-ja3-string.c +++ b/src/detect-tls-ja3-string.c @@ -162,7 +162,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_str->data; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-ja3s-hash.c b/src/detect-tls-ja3s-hash.c index 6d3d42e5edf8..96a0104b0de6 100644 --- a/src/detect-tls-ja3s-hash.c +++ b/src/detect-tls-ja3s-hash.c @@ -170,7 +170,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_hash; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-ja3s-string.c b/src/detect-tls-ja3s-string.c index 0104560627d5..3e49e46d205b 100644 --- a/src/detect-tls-ja3s-string.c +++ b/src/detect-tls-ja3s-string.c @@ -162,7 +162,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_str->data; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-random.c b/src/detect-tls-random.c index 2dd5871aea0f..74d54a67813c 100644 --- a/src/detect-tls-random.c +++ b/src/detect-tls-random.c @@ -223,7 +223,7 @@ static InspectionBuffer *GetRandomTimeData(DetectEngineThreadCtx *det_ctx, data = ssl_state->server_connp.random; } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -250,7 +250,7 @@ static InspectionBuffer *GetRandomBytesData(DetectEngineThreadCtx *det_ctx, data = ssl_state->server_connp.random + DETECT_TLS_RANDOM_TIME_LEN; } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -277,7 +277,7 @@ static InspectionBuffer *GetRandomData(DetectEngineThreadCtx *det_ctx, data = ssl_state->server_connp.random; } InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c index ce8a068a4717..421530ee5ec9 100644 --- a/src/detect-tls-sni.c +++ b/src/detect-tls-sni.c @@ -123,7 +123,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (uint8_t *)ssl_state->client_connp.sni; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect-tls-subjectaltname.c b/src/detect-tls-subjectaltname.c index 350db5d6f655..397a5e67cfaa 100644 --- a/src/detect-tls-subjectaltname.c +++ b/src/detect-tls-subjectaltname.c @@ -121,7 +121,7 @@ static InspectionBuffer *TlsSubjectAltNameGetData(DetectEngineThreadCtx *det_ctx return NULL; } - InspectionBufferSetupMulti(buffer, transforms, (const uint8_t *)connp->cert0_sans[idx], + InspectionBufferSetupMulti(det_ctx, buffer, transforms, (const uint8_t *)connp->cert0_sans[idx], strlen(connp->cert0_sans[idx])); buffer->flags = DETECT_CI_FLAGS_SINGLE; diff --git a/src/detect-transform-base64.c b/src/detect-transform-base64.c index e0fbdeeb44d6..8de44fb7a95a 100644 --- a/src/detect-transform-base64.c +++ b/src/detect-transform-base64.c @@ -42,7 +42,8 @@ static void DetectTransformFromBase64DecodeFree(DetectEngineCtx *, void *); #ifdef UNITTESTS static void DetectTransformFromBase64DecodeRegisterTests(void); #endif -static void TransformFromBase64Decode(InspectionBuffer *buffer, void *options); +static void TransformFromBase64Decode( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); #define DETECT_TRANSFORM_FROM_BASE64_MODE_DEFAULT (uint8_t) Base64ModeRFC4648 @@ -113,7 +114,8 @@ static int DetectTransformFromBase64DecodeSetup( SCReturnInt(r); } -static void TransformFromBase64Decode(InspectionBuffer *buffer, void *options) +static void TransformFromBase64Decode( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { SCDetectTransformFromBase64Data *b64d = options; const uint8_t *input = buffer->inspect; @@ -171,7 +173,7 @@ static int DetectTransformFromBase64DecodeTest01(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -192,7 +194,7 @@ static int DetectTransformFromBase64DecodeTest01a(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -212,7 +214,7 @@ static int DetectTransformFromBase64DecodeTest02(void) InspectionBufferSetup(NULL, -1, &buffer, input, input_len); buffer_orig = buffer; PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_offset == buffer_orig.inspect_offset); FAIL_IF_NOT(buffer.inspect_len == buffer_orig.inspect_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -234,7 +236,7 @@ static int DetectTransformFromBase64DecodeTest03(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(strncmp((const char *)input, (const char *)buffer.inspect, input_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); @@ -255,7 +257,7 @@ static int DetectTransformFromBase64DecodeTest04(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(strncmp((const char *)input, (const char *)buffer.inspect, input_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); @@ -279,7 +281,7 @@ static int DetectTransformFromBase64DecodeTest05(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -304,7 +306,7 @@ static int DetectTransformFromBase64DecodeTest06(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -328,7 +330,7 @@ static int DetectTransformFromBase64DecodeTest07(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); @@ -349,7 +351,7 @@ static int DetectTransformFromBase64DecodeTest08(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); // PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformFromBase64Decode(&buffer, &b64d); + TransformFromBase64Decode(NULL, &buffer, &b64d); FAIL_IF_NOT(buffer.inspect_len == 15); // PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); diff --git a/src/detect-transform-casechange.c b/src/detect-transform-casechange.c index 851030828ced..d53dc8b97eb1 100644 --- a/src/detect-transform-casechange.c +++ b/src/detect-transform-casechange.c @@ -53,7 +53,8 @@ static int DetectTransformToLowerSetup(DetectEngineCtx *de_ctx, Signature *s, co * \param buffer Inspection buffer * \param optstr options string */ -static void DetectTransformToLower(InspectionBuffer *buffer, void *options) +static void DetectTransformToLower( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const uint8_t *input = buffer->inspect; const uint32_t input_len = buffer->inspect_len; @@ -93,7 +94,8 @@ static int DetectTransformToUpperSetup(DetectEngineCtx *de_ctx, Signature *s, co * \param buffer Inspection buffer * \param optstr options string */ -static void DetectTransformToUpper(InspectionBuffer *buffer, void *options) +static void DetectTransformToUpper( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const uint8_t *input = buffer->inspect; const uint32_t input_len = buffer->inspect_len; diff --git a/src/detect-transform-compress-whitespace.c b/src/detect-transform-compress-whitespace.c index 5cbf0fd896f5..446989d4437b 100644 --- a/src/detect-transform-compress-whitespace.c +++ b/src/detect-transform-compress-whitespace.c @@ -38,7 +38,8 @@ static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *, Signature #ifdef UNITTESTS static void DetectTransformCompressWhitespaceRegisterTests(void); #endif -static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options); +static void TransformCompressWhitespace( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); static bool TransformCompressWhitespaceValidate( const uint8_t *content, uint16_t content_len, void *options); @@ -103,7 +104,8 @@ static bool TransformCompressWhitespaceValidate( return true; } -static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options) +static void TransformCompressWhitespace( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const uint8_t *input = buffer->inspect; const uint32_t input_len = buffer->inspect_len; @@ -167,7 +169,7 @@ static int DetectTransformCompressWhitespaceTest01(void) InspectionBufferInit(&buffer, 9); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformCompressWhitespace(&buffer, NULL); + TransformCompressWhitespace(NULL, &buffer, NULL); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); PASS; @@ -186,7 +188,7 @@ static int DetectTransformCompressWhitespaceTest02(void) PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); TransformDoubleWhitespace(&buffer); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformCompressWhitespace(&buffer, NULL); + TransformCompressWhitespace(NULL, &buffer, NULL); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); PASS; diff --git a/src/detect-transform-dotprefix.c b/src/detect-transform-dotprefix.c index 52a263372b43..b818c72822b6 100644 --- a/src/detect-transform-dotprefix.c +++ b/src/detect-transform-dotprefix.c @@ -41,7 +41,8 @@ static int DetectTransformDotPrefixSetup (DetectEngineCtx *, Signature *, const #ifdef UNITTESTS static void DetectTransformDotPrefixRegisterTests(void); #endif -static void TransformDotPrefix(InspectionBuffer *buffer, void *options); +static void TransformDotPrefix( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); void DetectTransformDotPrefixRegister(void) { @@ -105,7 +106,8 @@ static int DetectTransformDotPrefixSetup (DetectEngineCtx *de_ctx, Signature *s, * 4. something.google.co.uk --> match * 5. google.com --> no match */ -static void TransformDotPrefix(InspectionBuffer *buffer, void *options) +static void TransformDotPrefix( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const size_t input_len = buffer->inspect_len; @@ -131,7 +133,7 @@ static int DetectTransformDotPrefixTest01(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformDotPrefix(&buffer, NULL); + TransformDotPrefix(NULL, &buffer, NULL); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); @@ -151,7 +153,7 @@ static int DetectTransformDotPrefixTest02(void) InspectionBufferInit(&buffer, input_len); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformDotPrefix(&buffer, NULL); + TransformDotPrefix(NULL, &buffer, NULL); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); FAIL_IF_NOT(buffer.inspect_len == result_len); FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0); diff --git a/src/detect-transform-header-lowercase.c b/src/detect-transform-header-lowercase.c index 7c776201b308..6df986f9aa89 100644 --- a/src/detect-transform-header-lowercase.c +++ b/src/detect-transform-header-lowercase.c @@ -46,7 +46,8 @@ static int DetectTransformHeaderLowercaseSetup( SCReturnInt(r); } -static void DetectTransformHeaderLowercase(InspectionBuffer *buffer, void *options) +static void DetectTransformHeaderLowercase( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const uint8_t *input = buffer->inspect; const uint32_t input_len = buffer->inspect_len; diff --git a/src/detect-transform-md5.c b/src/detect-transform-md5.c index 9e6ee1986a5b..4fd66d30b515 100644 --- a/src/detect-transform-md5.c +++ b/src/detect-transform-md5.c @@ -39,7 +39,7 @@ static int DetectTransformToMd5Setup (DetectEngineCtx *, Signature *, const char #ifdef UNITTESTS static void DetectTransformToMd5RegisterTests(void); #endif -static void TransformToMd5(InspectionBuffer *buffer, void *options); +static void TransformToMd5(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); void DetectTransformMd5Register(void) { @@ -80,7 +80,7 @@ static int DetectTransformToMd5Setup (DetectEngineCtx *de_ctx, Signature *s, con SCReturnInt(r); } -static void TransformToMd5(InspectionBuffer *buffer, void *options) +static void TransformToMd5(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const uint8_t *input = buffer->inspect; const uint32_t input_len = buffer->inspect_len; @@ -101,7 +101,7 @@ static int DetectTransformToMd5Test01(void) InspectionBufferInit(&buffer, 8); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformToMd5(&buffer, NULL); + TransformToMd5(NULL, &buffer, NULL); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); PASS; diff --git a/src/detect-transform-pcrexform.c b/src/detect-transform-pcrexform.c index c517175b8722..b24ad64f80d2 100644 --- a/src/detect-transform-pcrexform.c +++ b/src/detect-transform-pcrexform.c @@ -38,7 +38,8 @@ typedef struct DetectTransformPcrexformData { static int DetectTransformPcrexformSetup (DetectEngineCtx *, Signature *, const char *); static void DetectTransformPcrexformFree(DetectEngineCtx *, void *); -static void DetectTransformPcrexform(InspectionBuffer *buffer, void *options); +static void DetectTransformPcrexform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); #ifdef UNITTESTS void DetectTransformPcrexformRegisterTests (void); #endif @@ -132,7 +133,8 @@ static int DetectTransformPcrexformSetup (DetectEngineCtx *de_ctx, Signature *s, SCReturnInt(r); } -static void DetectTransformPcrexform(InspectionBuffer *buffer, void *options) +static void DetectTransformPcrexform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const char *input = (const char *)buffer->inspect; const uint32_t input_len = buffer->inspect_len; diff --git a/src/detect-transform-sha1.c b/src/detect-transform-sha1.c index 927b25e97abd..2da39988521c 100644 --- a/src/detect-transform-sha1.c +++ b/src/detect-transform-sha1.c @@ -40,7 +40,8 @@ static int DetectTransformToSha1Setup (DetectEngineCtx *, Signature *, const cha #ifdef UNITTESTS static void DetectTransformToSha1RegisterTests(void); #endif -static void TransformToSha1(InspectionBuffer *buffer, void *options); +static void TransformToSha1( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); void DetectTransformSha1Register(void) { @@ -81,7 +82,7 @@ static int DetectTransformToSha1Setup (DetectEngineCtx *de_ctx, Signature *s, co SCReturnInt(r); } -static void TransformToSha1(InspectionBuffer *buffer, void *options) +static void TransformToSha1(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const uint8_t *input = buffer->inspect; const uint32_t input_len = buffer->inspect_len; @@ -102,7 +103,7 @@ static int DetectTransformToSha1Test01(void) InspectionBufferInit(&buffer, 8); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformToSha1(&buffer, NULL); + TransformToSha1(NULL, &buffer, NULL); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); PASS; diff --git a/src/detect-transform-sha256.c b/src/detect-transform-sha256.c index 3eeb582a8361..abbf3aa86c52 100644 --- a/src/detect-transform-sha256.c +++ b/src/detect-transform-sha256.c @@ -40,7 +40,8 @@ static int DetectTransformToSha256Setup (DetectEngineCtx *, Signature *, const c #ifdef UNITTESTS static void DetectTransformToSha256RegisterTests(void); #endif -static void TransformToSha256(InspectionBuffer *buffer, void *options); +static void TransformToSha256( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); void DetectTransformSha256Register(void) { @@ -81,7 +82,8 @@ static int DetectTransformToSha256Setup (DetectEngineCtx *de_ctx, Signature *s, SCReturnInt(r); } -static void TransformToSha256(InspectionBuffer *buffer, void *options) +static void TransformToSha256( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const uint8_t *input = buffer->inspect; const uint32_t input_len = buffer->inspect_len; @@ -102,7 +104,7 @@ static int DetectTransformToSha256Test01(void) InspectionBufferInit(&buffer, 8); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformToSha256(&buffer, NULL); + TransformToSha256(NULL, &buffer, NULL); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); PASS; diff --git a/src/detect-transform-strip-pseudo-headers.c b/src/detect-transform-strip-pseudo-headers.c index 450900d46037..a62db9f01ec3 100644 --- a/src/detect-transform-strip-pseudo-headers.c +++ b/src/detect-transform-strip-pseudo-headers.c @@ -46,7 +46,8 @@ static int DetectTransformStripPseudoHeadersSetup( SCReturnInt(r); } -static void DetectTransformStripPseudoHeaders(InspectionBuffer *buffer, void *options) +static void DetectTransformStripPseudoHeaders( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const uint8_t *input = buffer->inspect; const uint32_t input_len = buffer->inspect_len; diff --git a/src/detect-transform-strip-whitespace.c b/src/detect-transform-strip-whitespace.c index 32fb96f06ea0..0108f10cf7ce 100644 --- a/src/detect-transform-strip-whitespace.c +++ b/src/detect-transform-strip-whitespace.c @@ -39,7 +39,8 @@ static int DetectTransformStripWhitespaceSetup (DetectEngineCtx *, Signature *, #ifdef UNITTESTS static void DetectTransformStripWhitespaceRegisterTests(void); #endif -static void TransformStripWhitespace(InspectionBuffer *buffer, void *options); +static void TransformStripWhitespace( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); static bool TransformStripWhitespaceValidate(const uint8_t *content, uint16_t content_len, void *options); void DetectTransformStripWhitespaceRegister(void) @@ -99,7 +100,8 @@ static bool TransformStripWhitespaceValidate(const uint8_t *content, return true; } -static void TransformStripWhitespace(InspectionBuffer *buffer, void *options) +static void TransformStripWhitespace( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const uint8_t *input = buffer->inspect; const uint32_t input_len = buffer->inspect_len; @@ -154,7 +156,7 @@ static int DetectTransformStripWhitespaceTest01(void) InspectionBufferInit(&buffer, 8); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformStripWhitespace(&buffer, NULL); + TransformStripWhitespace(NULL, &buffer, NULL); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); PASS; @@ -173,7 +175,7 @@ static int DetectTransformStripWhitespaceTest02(void) PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); TransformDoubleWhitespace(&buffer); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformStripWhitespace(&buffer, NULL); + TransformStripWhitespace(NULL, &buffer, NULL); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); InspectionBufferFree(&buffer); PASS; diff --git a/src/detect-transform-urldecode.c b/src/detect-transform-urldecode.c index 13ef03372f5f..7decf334bff5 100644 --- a/src/detect-transform-urldecode.c +++ b/src/detect-transform-urldecode.c @@ -40,7 +40,8 @@ static int DetectTransformUrlDecodeSetup (DetectEngineCtx *, Signature *, const static void DetectTransformUrlDecodeRegisterTests(void); #endif -static void TransformUrlDecode(InspectionBuffer *buffer, void *options); +static void TransformUrlDecode( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); void DetectTransformUrlDecodeRegister(void) { @@ -115,7 +116,8 @@ static bool BufferUrlDecode(const uint8_t *input, const uint32_t input_len, uint return changed; } -static void TransformUrlDecode(InspectionBuffer *buffer, void *options) +static void TransformUrlDecode( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { uint32_t output_size; bool changed; @@ -144,7 +146,7 @@ static int DetectTransformUrlDecodeTest01(void) InspectionBufferInit(&buffer, 8); InspectionBufferSetup(NULL, -1, &buffer, input, input_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); - TransformUrlDecode(&buffer, NULL); + TransformUrlDecode(NULL, &buffer, NULL); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); FAIL_IF (buffer.inspect_len != strlen("Suricata is 'awesome!'%00%ZZ%4")); FAIL_IF (memcmp(buffer.inspect, "Suricata is 'awesome!'%00%ZZ%4", buffer.inspect_len) != 0); diff --git a/src/detect-transform-xor.c b/src/detect-transform-xor.c index e42700feb369..9c562d00f0d4 100644 --- a/src/detect-transform-xor.c +++ b/src/detect-transform-xor.c @@ -37,7 +37,8 @@ typedef struct DetectTransformXorData { static int DetectTransformXorSetup(DetectEngineCtx *, Signature *, const char *); static void DetectTransformXorFree(DetectEngineCtx *, void *); -static void DetectTransformXor(InspectionBuffer *buffer, void *options); +static void DetectTransformXor( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); #ifdef UNITTESTS void DetectTransformXorRegisterTests(void); #endif @@ -125,7 +126,8 @@ static int DetectTransformXorSetup(DetectEngineCtx *de_ctx, Signature *s, const SCReturnInt(r); } -static void DetectTransformXor(InspectionBuffer *buffer, void *options) +static void DetectTransformXor( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) { const uint8_t *input = buffer->inspect; const uint32_t input_len = buffer->inspect_len; diff --git a/src/detect-udphdr.c b/src/detect-udphdr.c index 9f6d16ebf0b0..d171deaf32d4 100644 --- a/src/detect-udphdr.c +++ b/src/detect-udphdr.c @@ -112,7 +112,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint8_t *data = (const uint8_t *)udph; InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; diff --git a/src/detect.h b/src/detect.h index 9a41669d7f12..6bc7c166ad3e 100644 --- a/src/detect.h +++ b/src/detect.h @@ -1282,7 +1282,7 @@ typedef struct SigTableElmt_ { uint8_t flags, File *, const Signature *, const SigMatchCtx *); /** InspectionBuffer transformation callback */ - void (*Transform)(InspectionBuffer *, void *context); + void (*Transform)(DetectEngineThreadCtx *, InspectionBuffer *, void *context); bool (*TransformValidate)(const uint8_t *content, uint16_t content_len, void *context); /** keyword setup function pointer */ diff --git a/src/util-ja3.c b/src/util-ja3.c index b89a62e0d0bf..93fec9c37164 100644 --- a/src/util-ja3.c +++ b/src/util-ja3.c @@ -278,7 +278,7 @@ InspectionBuffer *Ja3DetectGetHash(DetectEngineThreadCtx *det_ctx, InspectionBufferSetup(det_ctx, list_id, buffer, NULL, 0); InspectionBufferCopy(buffer, ja3_hash, SC_MD5_HEX_LEN); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } @@ -298,7 +298,7 @@ InspectionBuffer *Ja3DetectGetString(DetectEngineThreadCtx *det_ctx, return NULL; InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransforms(det_ctx, buffer, transforms); } return buffer; } From 0b5f125f5b8825d4ce89d144388a6d3a54282b03 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Thu, 12 Sep 2024 10:47:26 -0400 Subject: [PATCH 2/6] hash: Provide detection engine context to free fn Issue: 2290 This commit extends the hash table logic with an alternate free function that provides the detection engine context. Users that wish to use the next functionality must use the HashListTableInitWithCtx function when initializing the hash table. Using this interface will result in the hash table "free with context" function (new) being used instead. --- src/detect-engine.c | 18 ++++++----- src/util-hashlist.c | 78 +++++++++++++++++++++++++++++++++++++++++++++ src/util-hashlist.h | 6 ++++ 3 files changed, 94 insertions(+), 8 deletions(-) diff --git a/src/detect-engine.c b/src/detect-engine.c index 99168dacd663..08fde8b3a9eb 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -955,14 +955,15 @@ static char DetectBufferTypeCompareIdFunc(void *data1, uint16_t len1, void *data return map1->id == map2->id; } -static void DetectBufferTypeFreeFunc(void *data) +static void DetectBufferTypeFreeFunc(void *ctx, void *data) { - DetectBufferType *map = (DetectBufferType *)data; - - if (map == NULL) { + if (data == NULL) { return; } + DetectBufferType *map = (DetectBufferType *)data; + DetectEngineCtx *de_ctx = (DetectEngineCtx *)ctx; + /* Release transformation option memory, if any */ for (int i = 0; i < map->transforms.cnt; i++) { if (map->transforms.transforms[i].options == NULL) @@ -972,7 +973,8 @@ static void DetectBufferTypeFreeFunc(void *data) sigmatch_table[map->transforms.transforms[i].transform].name); continue; } - sigmatch_table[map->transforms.transforms[i].transform].Free(NULL, map->transforms.transforms[i].options); + sigmatch_table[map->transforms.transforms[i].transform].Free( + de_ctx, map->transforms.transforms[i].options); } SCFree(map); @@ -981,7 +983,7 @@ static void DetectBufferTypeFreeFunc(void *data) static int DetectBufferTypeInit(void) { BUG_ON(g_buffer_type_hash); - g_buffer_type_hash = HashListTableInit(256, DetectBufferTypeHashNameFunc, + g_buffer_type_hash = HashListTableInitWithCtx(256, DetectBufferTypeHashNameFunc, DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc); if (g_buffer_type_hash == NULL) return -1; @@ -1714,7 +1716,7 @@ static void DetectBufferTypeSetupDetectEngine(DetectEngineCtx *de_ctx) const int size = g_buffer_type_id; BUG_ON(!(size > 0)); - de_ctx->buffer_type_hash_name = HashListTableInit(256, DetectBufferTypeHashNameFunc, + de_ctx->buffer_type_hash_name = HashListTableInitWithCtx(256, DetectBufferTypeHashNameFunc, DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc); BUG_ON(de_ctx->buffer_type_hash_name == NULL); de_ctx->buffer_type_hash_id = @@ -1756,7 +1758,7 @@ static void DetectBufferTypeFreeDetectEngine(DetectEngineCtx *de_ctx) { if (de_ctx) { if (de_ctx->buffer_type_hash_name) - HashListTableFree(de_ctx->buffer_type_hash_name); + HashListTableFreeWithCtx(de_ctx, de_ctx->buffer_type_hash_name); if (de_ctx->buffer_type_hash_id) HashListTableFree(de_ctx->buffer_type_hash_id); diff --git a/src/util-hashlist.c b/src/util-hashlist.c index 085a988afe76..b082f164380f 100644 --- a/src/util-hashlist.c +++ b/src/util-hashlist.c @@ -32,6 +32,58 @@ #include "util-debug.h" #include "util-memcmp.h" +HashListTable *HashListTableInitWithCtx(uint32_t size, + uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), + char (*Compare)(void *, uint16_t, void *, uint16_t), void (*FreeWithCtx)(void *, void *)) +{ + sc_errno = SC_OK; + HashListTable *ht = NULL; + + if (size == 0) { + sc_errno = SC_EINVAL; + goto error; + } + + if (Hash == NULL) { + sc_errno = SC_EINVAL; + goto error; + } + + /* setup the filter */ + ht = SCCalloc(1, sizeof(HashListTable)); + if (unlikely(ht == NULL)) { + sc_errno = SC_ENOMEM; + goto error; + } + ht->array_size = size; + ht->Hash = Hash; + ht->FreeWithCtx = FreeWithCtx; + + if (Compare != NULL) + ht->Compare = Compare; + else + ht->Compare = HashListTableDefaultCompare; + + /* setup the bitarray */ + ht->array = SCCalloc(ht->array_size, sizeof(HashListTableBucket *)); + if (ht->array == NULL) { + sc_errno = SC_ENOMEM; + goto error; + } + + ht->listhead = NULL; + ht->listtail = NULL; + return ht; + +error: + if (ht != NULL) { + if (ht->array != NULL) + SCFree(ht->array); + + SCFree(ht); + } + return NULL; +} HashListTable *HashListTableInit(uint32_t size, uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), char (*Compare)(void *, uint16_t, void *, uint16_t), void (*Free)(void *)) @@ -85,6 +137,32 @@ HashListTable *HashListTableInit(uint32_t size, return NULL; } +void HashListTableFreeWithCtx(void *ctx, HashListTable *ht) +{ + uint32_t i = 0; + + if (ht == NULL) + return; + + /* free the buckets */ + for (i = 0; i < ht->array_size; i++) { + HashListTableBucket *hashbucket = ht->array[i]; + while (hashbucket != NULL) { + HashListTableBucket *next_hashbucket = hashbucket->bucknext; + if (ht->FreeWithCtx != NULL) + ht->FreeWithCtx(ctx, hashbucket->data); + SCFree(hashbucket); + hashbucket = next_hashbucket; + } + } + + /* free the array */ + if (ht->array != NULL) + SCFree(ht->array); + + SCFree(ht); +} + void HashListTableFree(HashListTable *ht) { uint32_t i = 0; diff --git a/src/util-hashlist.h b/src/util-hashlist.h index 15bd578e5319..6ae320098ae0 100644 --- a/src/util-hashlist.h +++ b/src/util-hashlist.h @@ -42,10 +42,16 @@ typedef struct HashListTable_ { uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t); char (*Compare)(void *, uint16_t, void *, uint16_t); void (*Free)(void *); + void (*FreeWithCtx)(void *, void *); } HashListTable; /* prototypes */ HashListTable* HashListTableInit(uint32_t, uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), char (*Compare)(void *, uint16_t, void *, uint16_t), void (*Free)(void *)); +HashListTable *HashListTableInitWithCtx(uint32_t, + uint32_t (*Hash)(struct HashListTable_ *, void *, uint16_t), + char (*Compare)(void *, uint16_t, void *, uint16_t), void (*FreeWithCtx)(void *, void *)); + +void HashListTableFreeWithCtx(void *, HashListTable *); void HashListTableFree(HashListTable *); int HashListTableAdd(HashListTable *, void *, uint16_t); int HashListTableRemove(HashListTable *, void *, uint16_t); From ca44cee6f5840e2e15fc33c88f8a972ba7e884f4 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Thu, 12 Sep 2024 10:51:03 -0400 Subject: [PATCH 3/6] detect/engine: Prevent double-free of keyword hash Issue: 2290 Defer freeing the keyword hash table until the engine context has been freed. This eliminates a double-free from occurring. For the unittests ONLY, clear the keyword_hash to prevent a double free attempt. --- src/detect-engine.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/detect-engine.c b/src/detect-engine.c index 08fde8b3a9eb..ebcf17fe96e6 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2573,6 +2573,9 @@ DetectEngineCtx *DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tena static void DetectEngineCtxFreeThreadKeywordData(DetectEngineCtx *de_ctx) { HashListTableFree(de_ctx->keyword_hash); +#if UNITTESTS + de_ctx->keyword_hash = NULL; +#endif } static void DetectEngineCtxFreeFailedSigs(DetectEngineCtx *de_ctx) @@ -2645,7 +2648,6 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) MpmFactoryDeRegisterAllMpmCtxProfiles(de_ctx); - DetectEngineCtxFreeThreadKeywordData(de_ctx); SRepDestroy(de_ctx); DetectEngineCtxFreeFailedSigs(de_ctx); @@ -2668,6 +2670,7 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) DetectPortCleanupList(de_ctx, de_ctx->udp_priorityports); DetectBufferTypeFreeDetectEngine(de_ctx); + DetectEngineCtxFreeThreadKeywordData(de_ctx); SCClassConfDeinit(de_ctx); SCReferenceConfDeinit(de_ctx); From e98aeb8fe1c2cbecc60b38309d95a81f25b99800 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Mon, 9 Sep 2024 11:06:32 -0400 Subject: [PATCH 4/6] transform: Add luaxform files Issue: 2290 This commit adds the source files for the new transform -- luaxform. --- src/Makefile.am | 2 + src/detect-engine-register.c | 2 + src/detect-engine-register.h | 1 + src/detect-lua.c | 4 +- src/detect-transform-luaxform.c | 353 ++++++++++++++++++++++++++++++++ src/detect-transform-luaxform.h | 47 +++++ src/util-lua-common.h | 3 + 7 files changed, 409 insertions(+), 3 deletions(-) create mode 100644 src/detect-transform-luaxform.c create mode 100644 src/detect-transform-luaxform.h diff --git a/src/Makefile.am b/src/Makefile.am index 6970d709f35c..2cc08d748704 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -310,6 +310,7 @@ noinst_HEADERS = \ detect-transform-compress-whitespace.h \ detect-transform-dotprefix.h \ detect-transform-header-lowercase.h \ + detect-transform-luaxform.h \ detect-transform-md5.h \ detect-transform-pcrexform.h \ detect-transform-sha1.h \ @@ -879,6 +880,7 @@ libsuricata_c_a_SOURCES = \ detect-transform-compress-whitespace.c \ detect-transform-dotprefix.c \ detect-transform-header-lowercase.c \ + detect-transform-luaxform.c \ detect-transform-md5.c \ detect-transform-pcrexform.c \ detect-transform-sha1.c \ diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 6ea3698c2c93..6fe2be844a0c 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -228,6 +228,7 @@ #include "detect-transform-casechange.h" #include "detect-transform-header-lowercase.h" #include "detect-transform-base64.h" +#include "detect-transform-luaxform.h" #include "util-rule-vars.h" @@ -683,6 +684,7 @@ void SigTableSetup(void) DetectTransformToUpperRegister(); DetectTransformHeaderLowercaseRegister(); DetectTransformFromBase64DecodeRegister(); + DetectTransformLuaxformRegister(); DetectFileHandlerRegister(); diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index c9134c77b83a..64c22f337451 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -315,6 +315,7 @@ enum DetectKeywordId { DETECT_TRANSFORM_TOUPPER, DETECT_TRANSFORM_HEADER_LOWERCASE, DETECT_TRANSFORM_FROM_BASE64, + DETECT_TRANSFORM_LUAXFORM, DETECT_AL_IKE_EXCH_TYPE, DETECT_AL_IKE_SPI_INITIATOR, diff --git a/src/detect-lua.c b/src/detect-lua.c index 36f045f50394..577af3154d58 100644 --- a/src/detect-lua.c +++ b/src/detect-lua.c @@ -57,6 +57,7 @@ #include "util-var-name.h" #include "util-lua.h" +#include "util-lua-common.h" #include "util-lua-sandbox.h" static int DetectLuaMatch (DetectEngineThreadCtx *, @@ -126,9 +127,6 @@ void DetectLuaRegister(void) #define FLAG_INSTRUCTION_LIMIT_LOGGED BIT_U32(25) #define FLAG_MEMORY_LIMIT_LOGGED BIT_U32(26) -#define DEFAULT_LUA_ALLOC_LIMIT 500000 -#define DEFAULT_LUA_INSTRUCTION_LIMIT 500000 - #if 0 /** \brief dump stack from lua state to screen */ void LuaDumpStack(lua_State *state) diff --git a/src/detect-transform-luaxform.c b/src/detect-transform-luaxform.c new file mode 100644 index 000000000000..cc1994721d42 --- /dev/null +++ b/src/detect-transform-luaxform.c @@ -0,0 +1,353 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Jeff Lucovsky + * + * Implements the luxaform transform keyword + */ + +#include "suricata-common.h" + +#include "detect.h" +#include "detect-engine.h" +#include "detect-parse.h" +#include "detect-lua.h" +#include "detect-transform-luaxform.h" +#include "detect-lua-extensions.h" + +#include "util-lua.h" +#include "util-lua-common.h" +#include "util-print.h" + +static int DetectTransformLuaxformSetup(DetectEngineCtx *, Signature *, const char *); +static void DetectTransformLuaxformFree(DetectEngineCtx *de_ctx, void *ptr); +static void TransformLuaxform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options); + +void DetectTransformLuaxformRegister(void) +{ + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].name = "luaxform"; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].desc = + "pass inspection buffer to a Lua function along with " + "arguments supplied to the transform"; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].url = "/rules/transforms.html#luaxform"; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].Transform = TransformLuaxform; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].Free = DetectTransformLuaxformFree; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].Setup = DetectTransformLuaxformSetup; + sigmatch_table[DETECT_TRANSFORM_LUAXFORM].flags |= SIGMATCH_QUOTES_OPTIONAL; +} + +static void DetectTransformLuaxformFree(DetectEngineCtx *de_ctx, void *ptr) +{ + if (ptr != NULL) { + DetectLuaxformData *lua = (DetectLuaxformData *)ptr; + + if (lua->filename) + SCFree(lua->filename); + + if (lua->copystr) + SCFree(lua->copystr); + + if (de_ctx) { + DetectUnregisterThreadCtxFuncs(de_ctx, lua, "luaxform"); + } + + SCFree(lua); + } +} + +static int DetectTransformLuaxformSetupPrime( + DetectEngineCtx *de_ctx, DetectLuaxformData *ld, const Signature *s) +{ + lua_State *luastate = SCLuaSbStateNew(ld->alloc_limit, ld->instruction_limit); + if (luastate == NULL) + return -1; + if (ld->allow_restricted_functions) { + luaL_openlibs(luastate); + } else { + SCLuaSbLoadLibs(luastate); + } + + int status = luaL_loadfile(luastate, ld->filename); + if (status) { + SCLogError("couldn't load file: %s", lua_tostring(luastate, -1)); + goto error; + } + + /* prime the script (or something) */ + if (lua_pcall(luastate, 0, 0, 0) != 0) { + SCLogError("couldn't prime file: %s", lua_tostring(luastate, -1)); + goto error; + } + + lua_getglobal(luastate, "transform"); + if (lua_type(luastate, -1) != LUA_TFUNCTION) { + SCLogError("no transform function in script"); + goto error; + } + lua_pop(luastate, 1); + + /* init -- optional entry point */ + lua_getglobal(luastate, "init"); + if (lua_type(luastate, -1) == LUA_TFUNCTION) { + lua_newtable(luastate); /* stack at -1 */ + if (lua_gettop(luastate) == 0 || lua_type(luastate, 2) != LUA_TTABLE) { + SCLogError("no table setup"); + goto error; + } + + lua_pushliteral(luastate, "script_api_ver"); /* stack at -2 */ + lua_pushnumber(luastate, 1); /* stack at -3 */ + lua_settable(luastate, -3); + + if (lua_pcall(luastate, 1, 1, 0) != 0) { + SCLogError("couldn't run script 'init' function: %s", lua_tostring(luastate, -1)); + goto error; + } + } + + LuaRegisterExtensions(luastate); + /* pop the table */ + lua_pop(luastate, 1); + + SCLuaSbStateClose(luastate); + return 0; + +error: + SCLuaSbStateClose(luastate); + return -1; +} + +static DetectLuaxformData *DetectLuaxformParse(DetectEngineCtx *de_ctx, const char *str) +{ + DetectLuaxformData *lua = NULL; + + /* We have a correct lua option */ + lua = SCCalloc(1, sizeof(DetectLuaxformData)); + if (unlikely(lua == NULL)) { + FatalError("unable to allocate memory for Lua transform: %s", str); + } + + lua->copystr = strdup(str); + + int count = 0; + char *saveptr = NULL; + char *token = strtok_r(lua->copystr, ",", &saveptr); + while (token != NULL && count < LUAXFORM_MAX_ARGS) { + lua->args[count++] = token; + token = strtok_r(NULL, ",", &saveptr); + } + + if (count == 0) { + SCLogError("Lua script name not supplied"); + goto error; + } + + lua->arg_count = count - 1; + + /* get full filename */ + lua->filename = DetectLoadCompleteSigPath(de_ctx, lua->args[0]); + if (lua->filename == NULL) { + goto error; + } + + return lua; + +error: + if (lua != NULL) + DetectTransformLuaxformFree(de_ctx, lua); + return NULL; +} + +static void *DetectLuaxformThreadInit(void *data) +{ + /* Note: This will always be non-null as alloc errors are checked before registering callback */ + DetectLuaxformData *lua = (DetectLuaxformData *)data; + + DetectLuaThreadData *t = SCCalloc(1, sizeof(DetectLuaThreadData)); + if (unlikely(t == NULL)) { + FatalError("unable to allocate luaxform context memory"); + } + + t->luastate = SCLuaSbStateNew(lua->alloc_limit, lua->instruction_limit); + if (t->luastate == NULL) { + SCLogError("luastate pool depleted"); + goto error; + } + + if (lua->allow_restricted_functions) { + luaL_openlibs(t->luastate); + } else { + SCLuaSbLoadLibs(t->luastate); + } + + LuaRegisterExtensions(t->luastate); + + int status = luaL_loadfile(t->luastate, lua->filename); + if (status) { + SCLogError("couldn't load file: %s", lua_tostring(t->luastate, -1)); + goto error; + } + + /* prime the script (or something) */ + if (lua_pcall(t->luastate, 0, 0, 0) != 0) { + SCLogError("couldn't prime file: %s", lua_tostring(t->luastate, -1)); + goto error; + } + + return (void *)t; + +error: + if (t->luastate != NULL) + SCLuaSbStateClose(t->luastate); + SCFree(t); + return NULL; +} + +static void DetectLuaxformThreadFree(void *ctx) +{ + if (ctx != NULL) { + DetectLuaxformThreadData *t = (DetectLuaxformThreadData *)ctx; + if (t->luastate != NULL) + SCLuaSbStateClose(t->luastate); + SCFree(t); + } +} + +/** + * \internal + * \brief Apply the luaxform keyword to the last pattern match + * \param de_ctx detection engine ctx + * \param s signature + * \param str lua filename and optional args + * \retval 0 ok + * \retval -1 failure + */ +static int DetectTransformLuaxformSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) +{ + SCEnter(); + + /* First check if Lua rules are enabled, by default Lua in rules + * is disabled. */ + int enabled = 0; + (void)ConfGetBool("security.lua.allow-rules", &enabled); + if (!enabled) { + SCLogError("Lua rules disabled by security configuration: security.lua.allow-rules"); + SCReturnInt(-1); + } + + DetectLuaxformData *lua = DetectLuaxformParse(de_ctx, str); + if (lua == NULL) + goto error; + + /* Load lua sandbox configurations */ + intmax_t lua_alloc_limit = DEFAULT_LUA_ALLOC_LIMIT; + intmax_t lua_instruction_limit = DEFAULT_LUA_INSTRUCTION_LIMIT; + int allow_restricted_functions = 0; + (void)ConfGetInt("security.lua.max-bytes", &lua_alloc_limit); + (void)ConfGetInt("security.lua.max-instructions", &lua_instruction_limit); + (void)ConfGetBool("security.lua.allow-restricted-functions", &allow_restricted_functions); + + lua->alloc_limit = lua_alloc_limit; + lua->instruction_limit = lua_instruction_limit; + lua->allow_restricted_functions = allow_restricted_functions; + + if (DetectTransformLuaxformSetupPrime(de_ctx, lua, s) == -1) { + goto error; + } + + lua->thread_ctx_id = DetectRegisterThreadCtxFuncs( + de_ctx, "luaxform", DetectLuaxformThreadInit, (void *)lua, DetectLuaxformThreadFree, 0); + if (lua->thread_ctx_id == -1) + goto error; + + if (0 == DetectSignatureAddTransform(s, DETECT_TRANSFORM_LUAXFORM, lua)) + SCReturnInt(0); + +error: + + if (lua != NULL) + DetectTransformLuaxformFree(de_ctx, lua); + SCReturnInt(-1); +} + +static void TransformLuaxform( + DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, void *options) +{ + if (buffer->inspect_len == 0) { + return; + } + + DetectLuaxformData *lua = options; + DetectLuaThreadData *tlua = + (DetectLuaThreadData *)DetectThreadCtxGetKeywordThreadCtx(det_ctx, lua->thread_ctx_id); + if (tlua == NULL) { + return; + } + + lua_getglobal(tlua->luastate, "transform"); + + const uint8_t *input = buffer->inspect; + const uint32_t input_len = buffer->inspect_len; + /* Lua script args are: buffer length, buffer, arg count, args */ + LuaPushInteger(tlua->luastate, (lua_Integer)input_len); + LuaPushStringBuffer(tlua->luastate, input, (size_t)input_len); + LuaPushInteger(tlua->luastate, (lua_Integer)lua->arg_count); + + /* + * Add provided arguments for lua script (these are optionally + * provided by the rule writer). + * + * Start at offset 1 (arg[0] is the lua script filename) + */ + lua_newtable(tlua->luastate); + for (int i = 1; i < lua->arg_count + 1; i++) { + LuaPushInteger(tlua->luastate, i); + lua_pushstring(tlua->luastate, lua->args[i]); + lua_settable(tlua->luastate, -3); + } + + SCLuaSbResetInstructionCounter(tlua->luastate); + + if (LUA_OK != lua_pcall(tlua->luastate, 4, 2, 0)) { + SCLogDebug("error calling lua script: %s", lua_tostring(tlua->luastate, -1)); + } else { + /* Lua transform functions must return 2 values: buffer and length */ + int return_value_count = lua_gettop(tlua->luastate); + if (return_value_count != 2) { + SCLogDebug("Error: expected 2 return values but got %d", return_value_count); + lua_pop(tlua->luastate, return_value_count); + return; + } + if (lua_isstring(tlua->luastate, -2)) { + const char *transformed_buffer = lua_tostring(tlua->luastate, -2); + int transformed_buffer_byte_count = lua_tointeger(tlua->luastate, -1); + if (transformed_buffer != NULL && transformed_buffer_byte_count > 0) + InspectionBufferCopy( + buffer, (uint8_t *)transformed_buffer, transformed_buffer_byte_count); + SCLogDebug("transform returns [nbytes %d] \"%p\"", transformed_buffer_byte_count, + transformed_buffer); + // PrintRawDataFp(stdout, (const uint8_t *)transformed_buffer, + // transformed_buffer_byte_count); + } + } + + lua_pop(tlua->luastate, 2); // Pop the result string/length +} diff --git a/src/detect-transform-luaxform.h b/src/detect-transform-luaxform.h new file mode 100644 index 000000000000..9a5cb8700f63 --- /dev/null +++ b/src/detect-transform-luaxform.h @@ -0,0 +1,47 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Jeff Lucovsky + */ + +#ifndef SURICATA_DETECT_TRANSFORM_LUAXFORM_H +#define SURICATA_DETECT_TRANSFORM_LUAXFORM_H + +/* prototypes */ +void DetectTransformLuaxformRegister(void); + +#define LUAXFORM_MAX_ARGS 10 + +typedef struct DetectLuaxformData { + int thread_ctx_id; + int allow_restricted_functions; + int arg_count; + uint64_t alloc_limit; + uint64_t instruction_limit; + char *filename; + char *copystr; + char *args[LUAXFORM_MAX_ARGS]; +} DetectLuaxformData; + +typedef struct DetectLuaxformThreadData { + lua_State *luastate; +} DetectLuaxformThreadData; + +#endif /* SURICATA_DETECT_TRANSFORM_LUAXFORM_H */ diff --git a/src/util-lua-common.h b/src/util-lua-common.h index 5d6ea41f4be4..4834f4fa7af9 100644 --- a/src/util-lua-common.h +++ b/src/util-lua-common.h @@ -24,6 +24,9 @@ #ifndef SURICATA_UTIL_LUA_COMMON_H #define SURICATA_UTIL_LUA_COMMON_H +#define DEFAULT_LUA_ALLOC_LIMIT 500000 +#define DEFAULT_LUA_INSTRUCTION_LIMIT 500000 + int LuaCallbackError(lua_State *luastate, const char *msg); const char *LuaGetStringArgument(lua_State *luastate, int argc); From 4937ff55bff8762b72a45900fa493e9dd6fc5b60 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Wed, 18 Sep 2024 08:18:07 -0400 Subject: [PATCH 5/6] doc: Document luaxform transform Issue: 2290 --- doc/userguide/configuration/suricata-yaml.rst | 5 +- doc/userguide/lua/lua-functions.rst | 15 +-- doc/userguide/lua/lua-usage.rst | 19 +++- doc/userguide/rules/lua-detection.rst | 19 +++- doc/userguide/rules/transforms.rst | 107 ++++++++++++++++++ doc/userguide/upgrade.rst | 1 + 6 files changed, 149 insertions(+), 17 deletions(-) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 3dfc950ec641..06c00777f42d 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -2829,8 +2829,9 @@ Lua ~~~ Suricata 8.0 sandboxes Lua rules by default. The restrictions on the sandbox for Lua rules can be -modified in the ``security.lua`` section of the configuration file. Additionally, Lua rules -can be completely disabled the same as the Suricata 7.0 default: +modified in the ``security.lua`` section of the configuration file. This section also applies to +Lua transforms. Additionally, Lua rules can be completely disabled in the same way as for as the +Suricata 7.0 default: :: diff --git a/doc/userguide/lua/lua-functions.rst b/doc/userguide/lua/lua-functions.rst index 92473d52c35e..6d598e0d7a6a 100644 --- a/doc/userguide/lua/lua-functions.rst +++ b/doc/userguide/lua/lua-functions.rst @@ -6,7 +6,8 @@ Lua functions Differences between `output` and `detect`: ------------------------------------------ -Currently, the ``needs`` key initialization varies, depending on what is the goal of the script: output or detection. +Currently, the ``needs`` key initialization varies, depending on what is the goal of the script: output or detection. The +Lua script for the ``luaxform`` transform **does not use ``needs``**. If the script is for detection, the ``needs`` initialization should be as seen in the example below (see :ref:`lua-detection` for a complete example of a detection script): @@ -812,7 +813,7 @@ Example: return 0 end end - + HasshServerGet ~~~~~~~~~~~~~~ @@ -828,7 +829,7 @@ Example: return 0 end end - + HasshServerGetString ~~~~~~~~~~~~~~~~~~~~ @@ -998,7 +999,7 @@ index so in our case we need to use 0. SCFlowintSet(0, a + 1) else SCFlowintSet(0, 1) - end + end SCFlowintGet ~~~~~~~~~~~~ @@ -1031,7 +1032,7 @@ SCFlowvarSet Set a Flowvar. First parameter is the index, second is the data and third is the length of data. -You can use it to set string +You can use it to set string :: @@ -1041,7 +1042,7 @@ You can use it to set string needs["flowvar"] = {"cnt"} return needs end - + function match(args) a = SCFlowvarGet(0); if a then @@ -1050,7 +1051,7 @@ You can use it to set string else a = tostring(1) SCFlowvarSet(0, a, #a) - end + end Misc ---- diff --git a/doc/userguide/lua/lua-usage.rst b/doc/userguide/lua/lua-usage.rst index 19946db5e54f..a6346f62dc57 100644 --- a/doc/userguide/lua/lua-usage.rst +++ b/doc/userguide/lua/lua-usage.rst @@ -1,20 +1,29 @@ Lua usage in Suricata ===================== -Lua scripting can be used in two components of Suricata. The first is in -output and the second one in rules in the detection engine. +Lua scripting can be used in two components of Suricata: + + * Output + * Detection: ``lua`` keyword and ``luaxform`` transform Both features are using a list of functions to access the data extracted by Suricata. You can get the list of functions in the :ref:`lua-functions` page. -.. note:: Currently, there is a difference in the ``needs`` key in the ``init`` function, depending on what is the usage: ``output`` or ``detection``. The list of available functions may also differ. +.. note:: Currently, there is a difference in the ``needs`` key in the ``init`` function, + depending on what is the usage: ``output`` or ``detection``. The list of available + functions may also differ. The ``luaxform`` doesn't use the ``needs`` key. Lua output ---------- -Lua can be used to write arbitrary output. See :ref:`lua-output` for more information. +Lua scripts can be used to write arbitrary output. See :ref:`lua-output` for more information. Lua detection ------------- -Lua script can be used as a filter condition in signatures. See :ref:`lua-detection` for more information. +Lua scripts can be used as a filter condition in signatures. See :ref:`lua-detection` for more information. + +Lua transform +------------- + +The ``luaxform`` transform can be used in signatures. See :ref:`lua-transform` for more information. diff --git a/doc/userguide/rules/lua-detection.rst b/doc/userguide/rules/lua-detection.rst index 0f2011987ec0..cb2535a41d87 100644 --- a/doc/userguide/rules/lua-detection.rst +++ b/doc/userguide/rules/lua-detection.rst @@ -3,10 +3,18 @@ Lua Scripting for Detection =========================== +There are 2 ways that Lua can be used with detection. These are + +* ``lua`` rule keyword. +* ``luaxform`` transform. + .. note:: Lua is disabled by default for use in rules, it must be enabled in the configuration file. See the ``security.lua`` section of ``suricata.yaml`` and enable ``allow-rules``. +Lua Rule Keyword +^^^^^^^^^^^^^^^^ + Syntax: :: @@ -103,8 +111,13 @@ Entire script: return 0 -Sandbox and Available functions -------------------------------- +Lua Transform: ``luaxform`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +More details in :ref:`lua-transform` + +Lua Sandbox and Available functions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Lua rule scripts are run in a sandbox environment the applies the following restrictions: @@ -140,7 +153,7 @@ Of note, the following standard libraries are not available: This behavior can be modified via the ``security.lua`` section of :ref:`suricata-yaml-lua-config` -.. note:: Suricata 8.0 has moved to Lua 5.4 and has builtin support for bitwise and utf8 operations now. +.. note:: Suricata 8.0 has moved to Lua 5.4 and now has builtin support for bitwise and utf8 operations. A comprehensive list of existing lua functions - with examples - can be found at :ref:`lua-functions` (some of them, however, work only for diff --git a/doc/userguide/rules/transforms.rst b/doc/userguide/rules/transforms.rst index e536757f29f7..d7823f84e285 100644 --- a/doc/userguide/rules/transforms.rst +++ b/doc/userguide/rules/transforms.rst @@ -243,3 +243,110 @@ This example transforms `"Zm 9v Ym Fy"` to `"foobar"`:: content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc2045; \ content:"foobar"; + +.. _lua-transform: + +luaxform +-------- + +This transform allows a Lua script to apply a transformation +to a buffer. + +Lua scripts that are used for transformations *must* contain a function +named ``transform``. + +Lua transforms can be passed optional arguments -- see the examples below -- but they +are not required to do so. Optional arguments are included with the transform (see example +below). + +Note that the arguments and values are passed without validation +nor interpretation. There is a maximum of 10 arguments. + +The Lua ``transform`` function receive parameters: + + * `input-length` The number of bytes in the buffer provided to the transform + * `input` The buffer provided to the transform + * `argument` The number of arguments provided in the following parameters. If there are + no arguments to the Lua transform, this value will be `0`. + * `arguments` The list of arguments. + +The Lua ``transform`` must return two values + + * `transformed-buffer` The buffer with the transformed bytes. + * `transformed-buffer-byte-count` The number of bytes in the transformed buffer. + +This example supplies the HTTP data to a Lua transform with the transform +results being checked with `content`. + +Example:: + + alert http any any -> any any (msg:"Lua Xform example"; flow:established; \ + file.data; luaxform:./lua/lua-transform.lua; content: "abc"; sid: 2;) + + +The following example supplies the HTTP data to a Lua transform script along with +with arguments that specify the offset and byte count for the transform. +The resulting buffer is then checked with a `content` match. + +Example:: + + alert http any any -> any any (msg:"Lua Xform example"; flow:established; \ + file.data; luaxform:./lua/lua-transform.lua, bytes 12, offset 13; content: "abc"; sid: 1;) + +The following Lua script shows a transform example that handles arguments: `bytes` and `offset` and uses +those values (or defaults, if there are no arguments) for applying the uppercase transform to +the buffer. + +.. code-block:: lua + + function init (args) + -- Initialization time steps can be + -- performed here. + end + + local function get_value(item, key) + if string.find(item, key) then + local _, value = string.match(item, "(%a+)%s*(%d*)") + if value ~= "" then + return tonumber(value) + end + end + + return nil + end + + -- Arguments supported + local bytes_key = "bytes" + local offset_key = "offset" + function transform(input_len, input, argc, args) + local bytes = input_len + local offset = 0 + + -- Look for optional bytes and offset arguments + for i, item in ipairs(args) do + local value = get_value(item, bytes_key) + if value ~= nil then + bytes = value + else + value = get_value(item, offset_key) + if value ~= nil then + offset = value + end + end + end + + local str_len = #input + if offset < 0 or offset > str_len then + print("offset is out of bounds: " .. offset) + return nil + end + + local avail_len = str_len - offset + if bytes < 0 or bytes > avail_len then + print("invalid bytes " .. bytes .. " or bytes exceeds available length " .. avail_len) + return nil + end + + local sub = string.sub(input, offset + 1, offset + bytes) + return string.upper(sub), bytes + end diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 63e2146280ab..2ebbe289d3be 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -79,6 +79,7 @@ Major changes - sip.content_length - Napatech support has been moved to a capture plugin. See :doc:`Napatech plugin `. +- New transform ``luaxform`` that uses a Lua script for sticky buffer transformation. More details in :ref:`lua-transform` Removals ~~~~~~~~ From b3930a35d9ebf9c167bc87b17e4a0605b720ea58 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Thu, 10 Oct 2024 09:31:12 -0400 Subject: [PATCH 6/6] detect/transform: Refactor setup/apply pattern git grep -A 1 -w InspectionBufferSetup shows numbers cases of the pattern: - InspectionBufferSetup - InspectionBufferApplyTransforms Refactor the implementations of those functions into InspectionBufferSetupAndApplyTransforms to reduce function call count. Issuer: 2290 --- src/detect-dce-stub-data.c | 8 ++-- src/detect-dnp3.c | 4 +- src/detect-engine-helper.c | 3 +- src/detect-engine.c | 59 +++++++++++++++++++-------- src/detect-engine.h | 3 ++ src/detect-http-cookie.c | 14 +++---- src/detect-http-header-names.c | 7 ++-- src/detect-http-header.c | 11 +++-- src/detect-http-headers-stub.h | 14 +++---- src/detect-http-host.c | 14 +++---- src/detect-http-method.c | 7 ++-- src/detect-http-protocol.c | 9 ++-- src/detect-http-raw-header.c | 7 ++-- src/detect-http-request-line.c | 7 ++-- src/detect-http-response-line.c | 7 ++-- src/detect-http-start.c | 4 +- src/detect-http-stat-code.c | 7 ++-- src/detect-http-stat-msg.c | 8 ++-- src/detect-http-ua.c | 7 ++-- src/detect-http-uri.c | 11 +++-- src/detect-icmpv4hdr.c | 4 +- src/detect-icmpv6hdr.c | 4 +- src/detect-ike-key-exchange-payload.c | 3 +- src/detect-ike-nonce-payload.c | 3 +- src/detect-ike-spi.c | 6 +-- src/detect-ipv4hdr.c | 4 +- src/detect-ipv6hdr.c | 4 +- src/detect-quic-sni.c | 3 +- src/detect-quic-ua.c | 3 +- src/detect-quic-version.c | 3 +- src/detect-sip-method.c | 3 +- src/detect-sip-uri.c | 3 +- src/detect-smb-ntlmssp.c | 6 +-- src/detect-smb-share.c | 6 +-- src/detect-ssh-hassh-server-string.c | 3 +- src/detect-ssh-hassh-server.c | 4 +- src/detect-ssh-hassh-string.c | 5 +-- src/detect-ssh-hassh.c | 5 +-- src/detect-ssh-proto.c | 4 +- src/detect-ssh-software.c | 4 +- src/detect-tcphdr.c | 4 +- src/detect-tls-cert-fingerprint.c | 4 +- src/detect-tls-cert-issuer.c | 4 +- src/detect-tls-cert-serial.c | 4 +- src/detect-tls-cert-subject.c | 4 +- src/detect-tls-ja3-hash.c | 4 +- src/detect-tls-ja3-string.c | 4 +- src/detect-tls-ja3s-hash.c | 4 +- src/detect-tls-ja3s-string.c | 4 +- src/detect-tls-random.c | 12 +++--- src/detect-tls-sni.c | 4 +- src/detect-udphdr.c | 4 +- src/util-ja3.c | 3 +- 53 files changed, 171 insertions(+), 179 deletions(-) diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index 9642cabfdf83..e23cfb6a4e60 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -79,8 +79,8 @@ static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx, return NULL; SCLogDebug("have data!"); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } @@ -105,8 +105,8 @@ static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx, } else { buffer->flags |= DETECT_CI_FLAGS_DCE_BE; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-dnp3.c b/src/detect-dnp3.c index 0f1b252f05b4..bba0798da8d8 100644 --- a/src/detect-dnp3.c +++ b/src/detect-dnp3.c @@ -166,8 +166,8 @@ static InspectionBuffer *GetDNP3Data(DetectEngineThreadCtx *det_ctx, } SCLogDebug("tx %p data %p data_len %u", tx, tx->buffer, tx->buffer_len); - InspectionBufferSetup(det_ctx, list_id, buffer, tx->buffer, tx->buffer_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, tx->buffer, tx->buffer_len, transforms); } return buffer; } diff --git a/src/detect-engine-helper.c b/src/detect-engine-helper.c index e389519d31bc..b6fbfb199747 100644 --- a/src/detect-engine-helper.c +++ b/src/detect-engine-helper.c @@ -56,8 +56,7 @@ InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, if (!GetBuf(txv, flow_flags, &b, &b_len)) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-engine.c b/src/detect-engine.c index ebcf17fe96e6..b743e013c69c 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -103,6 +103,9 @@ static uint32_t DetectEngineTenantGetIdFromLivedev(const void *ctx, const Packet static uint32_t DetectEngineTenantGetIdFromVlanId(const void *ctx, const Packet *p); static uint32_t DetectEngineTenantGetIdFromPcap(const void *ctx, const Packet *p); +static inline void InspectionBufferApplyTransformsInternal( + DetectEngineThreadCtx *, InspectionBuffer *, const DetectEngineTransforms *); + static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL; static DetectEnginePktInspectionEngine *g_pkt_inspect_engines = NULL; static DetectEngineFrameInspectionEngine *g_frame_inspect_engines = NULL; @@ -1554,6 +1557,27 @@ InspectionBuffer *InspectionBufferMultipleForListGet( return buffer; } +static inline void InspectionBufferApplyTransformsInternal(DetectEngineThreadCtx *det_ctx, + InspectionBuffer *buffer, const DetectEngineTransforms *transforms) +{ + if (transforms) { + for (int i = 0; i < DETECT_TRANSFORMS_MAX; i++) { + const int id = transforms->transforms[i].transform; + if (id == 0) + break; + BUG_ON(sigmatch_table[id].Transform == NULL); + sigmatch_table[id].Transform(det_ctx, buffer, transforms->transforms[i].options); + SCLogDebug("applied transform %s", sigmatch_table[id].name); + } + } +} + +void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, + const DetectEngineTransforms *transforms) +{ + InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms); +} + void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size) { memset(buffer, 0, sizeof(*buffer)); @@ -1588,11 +1612,10 @@ void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer buffer->len = 0; buffer->initialized = true; - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms); } -/** \brief setup the buffer with our initial data */ -void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, +static inline void InspectionBufferSetupInternal(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len) { #ifdef DEBUG_VALIDATION @@ -1610,6 +1633,21 @@ void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, buffer->len = 0; buffer->initialized = true; } +/** \brief setup the buffer with our initial data */ +void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len) +{ + InspectionBufferSetupInternal(det_ctx, list_id, buffer, data, data_len); +} + +/** \brief setup the buffer with our initial data */ +void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, + const DetectEngineTransforms *transforms) +{ + InspectionBufferSetupInternal(det_ctx, list_id, buffer, data, data_len); + InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms); +} void InspectionBufferFree(InspectionBuffer *buffer) { @@ -1696,21 +1734,6 @@ bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_lis return true; } -void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, - const DetectEngineTransforms *transforms) -{ - if (transforms) { - for (int i = 0; i < DETECT_TRANSFORMS_MAX; i++) { - const int id = transforms->transforms[i].transform; - if (id == 0) - break; - BUG_ON(sigmatch_table[id].Transform == NULL); - sigmatch_table[id].Transform(det_ctx, buffer, transforms->transforms[i].options); - SCLogDebug("applied transform %s", sigmatch_table[id].name); - } - } -} - static void DetectBufferTypeSetupDetectEngine(DetectEngineCtx *de_ctx) { const int size = g_buffer_type_id; diff --git a/src/detect-engine.h b/src/detect-engine.h index 9f1ac8aff433..df937c3bcdba 100644 --- a/src/detect-engine.h +++ b/src/detect-engine.h @@ -30,6 +30,9 @@ void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size); void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len); +void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, + const DetectEngineTransforms *transforms); void InspectionBufferFree(InspectionBuffer *buffer); void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size); void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len); diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index bd92682832ff..721e093b4e3d 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -190,8 +190,8 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -218,8 +218,8 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -239,8 +239,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -260,8 +259,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-header-names.c b/src/detect-http-header-names.c index 8a673cf62404..5ab116928e41 100644 --- a/src/detect-http-header-names.c +++ b/src/detect-http-header-names.c @@ -153,8 +153,8 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, if (rawdata_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } return buffer; @@ -174,8 +174,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 046aa0bbc4e8..a74dbd34c8dd 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -158,8 +158,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -192,8 +191,8 @@ static uint8_t DetectEngineInspectBufferHttpHeader(DetectEngineCtx *de_ctx, goto end; } /* setup buffer and apply transforms */ - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } const uint32_t data_len = buffer->inspect_len; @@ -253,8 +252,8 @@ static void PrefilterMpmHttpHeader(DetectEngineThreadCtx *det_ctx, const void *p return; /* setup buffer and apply transforms */ - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(det_ctx, buffer, ctx->transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, ctx->transforms); } const uint32_t data_len = buffer->inspect_len; diff --git a/src/detect-http-headers-stub.h b/src/detect-http-headers-stub.h index 4af6e4f4cfa5..0e1a3f108f84 100644 --- a/src/detect-http-headers-stub.h +++ b/src/detect-http-headers-stub.h @@ -67,8 +67,8 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -90,8 +90,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -123,8 +122,8 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -146,8 +145,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-host.c b/src/detect-http-host.c index e8be92cf2fea..0663987c92e9 100644 --- a/src/detect-http-host.c +++ b/src/detect-http-host.c @@ -248,8 +248,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_hostname); const uint8_t *data = bstr_ptr(tx->request_hostname); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -269,8 +269,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -290,8 +289,7 @@ static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -361,8 +359,8 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, data_len = bstr_len(tx->parsed_uri->hostname); } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-http-method.c b/src/detect-http-method.c index e13491cb7515..e1c6c48596bb 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -209,8 +209,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_method); const uint8_t *data = bstr_ptr(tx->request_method); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -230,8 +230,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-protocol.c b/src/detect-http-protocol.c index caf3a4b6397e..dcc9381e7e53 100644 --- a/src/detect-http-protocol.c +++ b/src/detect-http-protocol.c @@ -107,8 +107,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -120,9 +120,8 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, { InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { - InspectionBufferSetup( - det_ctx, list_id, buffer, (const uint8_t *)"HTTP/2", strlen("HTTP/2")); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, (const uint8_t *)"HTTP/2", strlen("HTTP/2"), transforms); } return buffer; diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index c3050c17d9fe..a641f7e79278 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -197,8 +197,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = ts ? tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -218,8 +218,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-request-line.c b/src/detect-http-request-line.c index 915a88c2b6c8..954fef6ead1e 100644 --- a/src/detect-http-request-line.c +++ b/src/detect-http-request-line.c @@ -86,8 +86,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -164,8 +163,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_line); const uint8_t *data = bstr_ptr(tx->request_line); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-http-response-line.c b/src/detect-http-response-line.c index b8fe10fd949c..80c1b882f8a2 100644 --- a/src/detect-http-response-line.c +++ b/src/detect-http-response-line.c @@ -86,8 +86,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -163,8 +162,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->response_line); const uint8_t *data = bstr_ptr(tx->response_line); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-http-start.c b/src/detect-http-start.c index 3ee38d378c41..5e4b80d43fa1 100644 --- a/src/detect-http-start.c +++ b/src/detect-http-start.c @@ -158,8 +158,8 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, if (rawdata_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } return buffer; diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c index dbca81985a89..19ed9c0672e3 100644 --- a/src/detect-http-stat-code.c +++ b/src/detect-http-stat-code.c @@ -167,8 +167,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->response_status); const uint8_t *data = bstr_ptr(tx->response_status); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -190,8 +190,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c index 06b6bb3148ba..f9baab4e347a 100644 --- a/src/detect-http-stat-msg.c +++ b/src/detect-http-stat-msg.c @@ -78,8 +78,8 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, { InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { - InspectionBufferSetup(det_ctx, list_id, buffer, (const uint8_t *)"", 0); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, (const uint8_t *)"", 0, transforms); } return buffer; @@ -176,8 +176,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->response_message); const uint8_t *data = bstr_ptr(tx->response_message); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index 238cac96424a..82439c846468 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -174,8 +174,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(h->value); const uint8_t *data = bstr_ptr(h->value); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -197,8 +197,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index 29805b7b9ae4..984b5ce27250 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -236,8 +236,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx_ud->request_uri_normalized); const uint8_t *data = bstr_ptr(tx_ud->request_uri_normalized); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -259,8 +259,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -327,8 +326,8 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx->request_uri); const uint8_t *data = bstr_ptr(tx->request_uri); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-icmpv4hdr.c b/src/detect-icmpv4hdr.c index 3285fb2e9d32..0c3016d2d389 100644 --- a/src/detect-icmpv4hdr.c +++ b/src/detect-icmpv4hdr.c @@ -111,8 +111,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)icmpv4h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-icmpv6hdr.c b/src/detect-icmpv6hdr.c index 214a9e3dba5c..0bd9b2b4fc71 100644 --- a/src/detect-icmpv6hdr.c +++ b/src/detect-icmpv6hdr.c @@ -117,8 +117,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)icmpv6h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-ike-key-exchange-payload.c b/src/detect-ike-key-exchange-payload.c index bca8e2dfe0fe..796af48f30d8 100644 --- a/src/detect-ike-key-exchange-payload.c +++ b/src/detect-ike-key-exchange-payload.c @@ -82,8 +82,7 @@ static InspectionBuffer *GetKeyExchangeData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-ike-nonce-payload.c b/src/detect-ike-nonce-payload.c index 9c90bb92abe0..ea7afdac48da 100644 --- a/src/detect-ike-nonce-payload.c +++ b/src/detect-ike-nonce-payload.c @@ -82,8 +82,7 @@ static InspectionBuffer *GetNonceData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-ike-spi.c b/src/detect-ike-spi.c index 86ed0aadb83e..f97ed03b679a 100644 --- a/src/detect-ike-spi.c +++ b/src/detect-ike-spi.c @@ -99,8 +99,7 @@ static InspectionBuffer *GetInitiatorData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -120,8 +119,7 @@ static InspectionBuffer *GetResponderData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-ipv4hdr.c b/src/detect-ipv4hdr.c index 196bccb4b69c..1db2bf0f28d6 100644 --- a/src/detect-ipv4hdr.c +++ b/src/detect-ipv4hdr.c @@ -113,8 +113,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)ip4h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-ipv6hdr.c b/src/detect-ipv6hdr.c index cc678b082110..28a61023e21c 100644 --- a/src/detect-ipv6hdr.c +++ b/src/detect-ipv6hdr.c @@ -114,8 +114,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)ip6h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-quic-sni.c b/src/detect-quic-sni.c index b3eb08b169b4..fc568df37ae6 100644 --- a/src/detect-quic-sni.c +++ b/src/detect-quic-sni.c @@ -59,8 +59,7 @@ static InspectionBuffer *GetSniData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-quic-ua.c b/src/detect-quic-ua.c index 8c81b9da0c80..fc6c3103a109 100644 --- a/src/detect-quic-ua.c +++ b/src/detect-quic-ua.c @@ -59,8 +59,7 @@ static InspectionBuffer *GetUaData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-quic-version.c b/src/detect-quic-version.c index 7f69d0d041b1..33f355966edc 100644 --- a/src/detect-quic-version.c +++ b/src/detect-quic-version.c @@ -59,8 +59,7 @@ static InspectionBuffer *GetVersionData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-sip-method.c b/src/detect-sip-method.c index 5ade9f25563a..62071254f809 100644 --- a/src/detect-sip-method.c +++ b/src/detect-sip-method.c @@ -117,8 +117,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-sip-uri.c b/src/detect-sip-uri.c index 0013902bef0e..f14021fb0755 100644 --- a/src/detect-sip-uri.c +++ b/src/detect-sip-uri.c @@ -96,8 +96,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-smb-ntlmssp.c b/src/detect-smb-ntlmssp.c index c8db458e5ab5..efcc6f111deb 100644 --- a/src/detect-smb-ntlmssp.c +++ b/src/detect-smb-ntlmssp.c @@ -68,8 +68,7 @@ static InspectionBuffer *GetNtlmsspUserData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } @@ -125,8 +124,7 @@ static InspectionBuffer *GetNtlmsspDomainData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-smb-share.c b/src/detect-smb-share.c index 934ae239533d..36bca26a166d 100644 --- a/src/detect-smb-share.c +++ b/src/detect-smb-share.c @@ -69,8 +69,7 @@ static InspectionBuffer *GetNamedPipeData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } @@ -130,8 +129,7 @@ static InspectionBuffer *GetShareData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-ssh-hassh-server-string.c b/src/detect-ssh-hassh-server-string.c index bb8443899f1e..92b733c10bab 100644 --- a/src/detect-ssh-hassh-server-string.c +++ b/src/detect-ssh-hassh-server-string.c @@ -76,8 +76,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-hassh-server.c b/src/detect-ssh-hassh-server.c index a9f62e8e0e0e..2410767d4ccb 100644 --- a/src/detect-ssh-hassh-server.c +++ b/src/detect-ssh-hassh-server.c @@ -77,8 +77,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hasshServer, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, hasshServer, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-hassh-string.c b/src/detect-ssh-hassh-string.c index b64c05321cc4..2f9602af82a6 100644 --- a/src/detect-ssh-hassh-string.c +++ b/src/detect-ssh-hassh-string.c @@ -60,7 +60,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv, const int list_id) { - + SCEnter(); InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); @@ -76,8 +76,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-hassh.c b/src/detect-ssh-hassh.c index ffad20a6d180..12aefcd5c541 100644 --- a/src/detect-ssh-hassh.c +++ b/src/detect-ssh-hassh.c @@ -61,7 +61,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv, const int list_id) { - + SCEnter(); InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); @@ -77,8 +77,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-proto.c b/src/detect-ssh-proto.c index 8e9cf60c0bd1..63b3b74d35c9 100644 --- a/src/detect-ssh-proto.c +++ b/src/detect-ssh-proto.c @@ -74,8 +74,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, protocol, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, protocol, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-software.c b/src/detect-ssh-software.c index 76455ad44335..36e9cb2972e9 100644 --- a/src/detect-ssh-software.c +++ b/src/detect-ssh-software.c @@ -74,8 +74,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, software, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, software, b_len, transforms); } return buffer; diff --git a/src/detect-tcphdr.c b/src/detect-tcphdr.c index b5a3fb7e6c51..920bdd798bed 100644 --- a/src/detect-tcphdr.c +++ b/src/detect-tcphdr.c @@ -115,8 +115,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)tcph; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-cert-fingerprint.c b/src/detect-tls-cert-fingerprint.c index cd73455bc123..dacb27504c90 100644 --- a/src/detect-tls-cert-fingerprint.c +++ b/src/detect-tls-cert-fingerprint.c @@ -151,8 +151,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_fingerprint); const uint8_t *data = (uint8_t *)connp->cert0_fingerprint; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-cert-issuer.c b/src/detect-tls-cert-issuer.c index b7d6047fe32e..f6a6038a3d98 100644 --- a/src/detect-tls-cert-issuer.c +++ b/src/detect-tls-cert-issuer.c @@ -140,8 +140,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_issuerdn); const uint8_t *data = (uint8_t *)connp->cert0_issuerdn; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-cert-serial.c b/src/detect-tls-cert-serial.c index ec59a5be4db5..99bdadef2827 100644 --- a/src/detect-tls-cert-serial.c +++ b/src/detect-tls-cert-serial.c @@ -150,8 +150,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_serial); const uint8_t *data = (uint8_t *)connp->cert0_serial; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-cert-subject.c b/src/detect-tls-cert-subject.c index e7cad1163c75..f79bf69d6470 100644 --- a/src/detect-tls-cert-subject.c +++ b/src/detect-tls-cert-subject.c @@ -142,8 +142,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_subject); const uint8_t *data = (uint8_t *)connp->cert0_subject; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c index 82d148f5c67e..9e12b487a1c6 100644 --- a/src/detect-tls-ja3-hash.c +++ b/src/detect-tls-ja3-hash.c @@ -171,8 +171,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->client_connp.ja3_hash); const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_hash; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-ja3-string.c b/src/detect-tls-ja3-string.c index 4df4e3a56b35..bce623d955b6 100644 --- a/src/detect-tls-ja3-string.c +++ b/src/detect-tls-ja3-string.c @@ -161,8 +161,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->client_connp.ja3_str->data); const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_str->data; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-ja3s-hash.c b/src/detect-tls-ja3s-hash.c index 96a0104b0de6..ba1dd5613470 100644 --- a/src/detect-tls-ja3s-hash.c +++ b/src/detect-tls-ja3s-hash.c @@ -169,8 +169,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->server_connp.ja3_hash); const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_hash; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-ja3s-string.c b/src/detect-tls-ja3s-string.c index 3e49e46d205b..10d1d5468c66 100644 --- a/src/detect-tls-ja3s-string.c +++ b/src/detect-tls-ja3s-string.c @@ -161,8 +161,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->server_connp.ja3_str->data); const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_str->data; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-random.c b/src/detect-tls-random.c index 74d54a67813c..e6eab9920545 100644 --- a/src/detect-tls-random.c +++ b/src/detect-tls-random.c @@ -222,8 +222,8 @@ static InspectionBuffer *GetRandomTimeData(DetectEngineThreadCtx *det_ctx, } else { data = ssl_state->server_connp.random; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } @@ -249,8 +249,8 @@ static InspectionBuffer *GetRandomBytesData(DetectEngineThreadCtx *det_ctx, } else { data = ssl_state->server_connp.random + DETECT_TLS_RANDOM_TIME_LEN; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } @@ -276,8 +276,8 @@ static InspectionBuffer *GetRandomData(DetectEngineThreadCtx *det_ctx, } else { data = ssl_state->server_connp.random; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c index 421530ee5ec9..ff6f2dcd01f7 100644 --- a/src/detect-tls-sni.c +++ b/src/detect-tls-sni.c @@ -122,8 +122,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->client_connp.sni); const uint8_t *data = (uint8_t *)ssl_state->client_connp.sni; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-udphdr.c b/src/detect-udphdr.c index d171deaf32d4..0e604104a8b5 100644 --- a/src/detect-udphdr.c +++ b/src/detect-udphdr.c @@ -111,8 +111,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = UDP_HEADER_LEN; const uint8_t *data = (const uint8_t *)udph; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/util-ja3.c b/src/util-ja3.c index 93fec9c37164..af2cbbb2b3e6 100644 --- a/src/util-ja3.c +++ b/src/util-ja3.c @@ -297,8 +297,7 @@ InspectionBuffer *Ja3DetectGetString(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; }