<div dir="ltr"><p class="gmail-m_-1051445376259755073gmail-m_-7213713143604219512gmail-_1qeIAgB0cPwnLhDF9XSiJM">Hello everyone,</p><p class="gmail-m_-1051445376259755073gmail-m_-7213713143604219512gmail-_1qeIAgB0cPwnLhDF9XSiJM">I'd like to know
where in the source
code the functions that inspect the payload
keywords are called. I've already searched for it, but haven't found it yet. <br></p><p class="gmail-m_-1051445376259755073gmail-m_-7213713143604219512gmail-_1qeIAgB0cPwnLhDF9XSiJM">I've found where the Match functions are being called in the detect.c file, in the <span style="font-family:courier new,monospace">SigMatchSignatures<span style="font-family:arial,sans-serif"> (Suricata 3.1) and <span style="font-family:courier new,monospace">DetectRunInspectRulePacketMatches<font face="arial,sans-serif"> (Suricata 4.1)</font></span> functions. <span class="gmail-m_4427706381385068438gmail-im">But, if I understood correctly, these functions only check the non-payload keywords.</span></span></span></p><p class="gmail-m_-1051445376259755073gmail-m_-7213713143604219512gmail-_1qeIAgB0cPwnLhDF9XSiJM">I imagine that to check a rule like this one:</p><p class="gmail-m_-1051445376259755073gmail-m_-7213713143604219512gmail-_1qeIAgB0cPwnLhDF9XSiJM"><span style="font-family:courier new,monospace">alert
http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"Test rule.";
content:"GET"; http_method; content:"/openlogo-75.png"; http_uri;
content:"Mozilla/5.0"; http_user_agent; content:"HTTP/1.1"; sid:3;)</span></p><p class="gmail-m_-1051445376259755073gmail-m_-7213713143604219512gmail-_1qeIAgB0cPwnLhDF9XSiJM">there
needs to be a loop which calls the "http_method inspection function",
the "http_uri inspection function" and so on... In the same way as in <span style="font-family:courier new,monospace"><span style="font-family:arial,sans-serif"><span style="font-family:courier new,monospace"><span style="font-family:arial,sans-serif"><span style="font-family:courier new,monospace">DetectRunInspectRulePacketMatch.</span></span></span></span></span> So, where is this loop or how
can I find it?<br></p><div>Basically, what I have to do is count, for each rule, the number of keywords that match.</div><div>I
know that when one of the keywords doesn't match, the keyword checking
for this rule is over. So, what I intend to do is modify the loop where
each keyword checking function is being called so that it does not stop when there
is a mismatch.</div></div>