[Oisf-devel] How to count keyword matches

Lucas Augusto Mota de Alcantara lama2 at cin.ufpe.br
Wed Jul 17 12:39:31 UTC 2019


Hello everyone,

I'd like to know where in the source code the call to the functions which
inspect the payload keywords is done. I've already searched for it, but
haven't found it yet.

I've found where the Match functions are being called in the detect.c file,
in the SigMatchSignatures (Suricata 3.1) and DetectRunInspectRulePacketMatches
(Suricata 4.1) functions. But, if I understood correctly, these functions
only check the non-payload keywords.

I imagine that to check a rule like this one:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"Test rule.";
content:"GET"; http_method; content:"/openlogo-75.png"; http_uri;
content:"Mozilla/5.0"; http_user_agent; content:"HTTP/1.1"; sid:3;)

there needs to be a loop which calls the "http_method inspection function",
the "http_uri inspection function" and so on, in the same way as in
DetectRunInspectRulePacketMatches. So, where is this loop, or how can I find
it?

Basically, what I have to do is count, for each rule, the number of
keywords that match.

I know that when one of the keywords doesn't match, the keyword checking for
this rule is over. So, what I intend to do is modify the loop where each
keyword checking function is being called so that it does not stop when there
is a mismatch.
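An added illustration of the counting the poster describes, written for this page and not taken from Suricata's detect.c (Python rather than C, since it models the logic, not the engine). It parses the rule from the message into per-buffer content keywords, then evaluates every keyword against a constructed HTTP request without stopping at the first mismatch, next to the normal stop-at-first-mismatch check for contrast. The buffer names, the request dictionary and the simplified rule parsing (plain substring match, no `nocase`/`depth`/negation handling) are assumptions of this example.

```python
import re

# Constructed inputs: the rule from the post and a hand-made HTTP request
# (not real traffic). The request matches three of the four content keywords.
RULE = ('alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"Test rule."; '
        'content:"GET"; http_method; content:"/openlogo-75.png"; http_uri; '
        'content:"Mozilla/5.0"; http_user_agent; content:"HTTP/1.1"; sid:3;)')

REQUEST = {
    "method": "GET",
    "uri": "/index.html",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
    # Raw request line and headers, used for content keywords with no modifier.
    "payload": ("GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"),
}

# Modifier keywords that retarget the *preceding* content keyword to one of the
# HTTP buffers. Assumed names for this example; Suricata has more modifiers.
BUFFER_MODIFIERS = {
    "http_method": "method",
    "http_uri": "uri",
    "http_user_agent": "user_agent",
}


def parse_content_keywords(rule):
    """Return [(buffer, pattern), ...] for each content keyword in rule order.

    A content keyword starts on the raw 'payload' buffer; a following modifier
    such as http_uri moves it to the named buffer. Simplified: options are
    split on ';', so patterns containing ';' are not supported here.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    keywords = []
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        if opt.startswith("content:"):
            m = re.match(r'content:\s*"(.*)"$', opt)
            if m is None:
                raise ValueError("unsupported content option: " + opt)
            keywords.append(["payload", m.group(1)])
        elif opt in BUFFER_MODIFIERS and keywords:
            keywords[-1][0] = BUFFER_MODIFIERS[opt]
    return [tuple(k) for k in keywords]


def count_keyword_matches(rule, http):
    """Evaluate every content keyword and keep going after a mismatch.

    Returns (matched, total, details) where details lists (buffer, pattern, hit)
    for each keyword, so a per-rule match count can be reported.
    """
    details = []
    for buf, pattern in parse_content_keywords(rule):
        hit = pattern in http.get(buf, "")
        details.append((buf, pattern, hit))
    matched = sum(1 for _, _, hit in details if hit)
    return matched, len(details), details


def signature_matches(rule, http):
    """Normal alerting semantics: the first mismatching keyword ends the check."""
    for buf, pattern in parse_content_keywords(rule):
        if pattern not in http.get(buf, ""):
            return False
    return True


if __name__ == "__main__":
    matched, total, details = count_keyword_matches(RULE, REQUEST)
    for buf, pattern, hit in details:
        print(f"{buf:<10} {pattern!r:<22} {'match' if hit else 'miss'}")
    print(f"sid:3 matched {matched} of {total} keywords; "
          f"alert={signature_matches(RULE, REQUEST)}")
```

Run as a script it prints one line per keyword and the totals (3 of 4 here, with no alert, because the URI differs). The design point is that `count_keyword_matches` and `signature_matches` share the parsed keyword list but differ only in whether the loop returns early, which is exactly the change the message proposes making to the engine's inspection loop.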