detect: tcp.hdr sticky buffer

Sticky buffer to inspect the TCP header.
7 years ago · 35be8385eb
parent 47ef8f5822
commit 35be8385eb
8 changed files with 276 additions and 0 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -248,6 +248,7 @@ detect-tag.c detect-tag.h \
 detect-target.c detect-target.h \
 detect-template.c detect-template.h \
 detect-template2.c detect-template2.h \
+detect-tcphdr.c detect-tcphdr.h \
 detect-tcpmss.c detect-tcpmss.h \
 detect-ftpdata.c detect-ftpdata.h \
 detect-template-rust-buffer.c detect-template-rust-buffer.h \
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@ -42,6 +42,7 @@
 #include "util-memcpy.h"
 #include "conf.h"
 #include "detect-fast-pattern.h"
+#include "detect-tcphdr.h"

 #include "flow.h"
 #include "flow-var.h"
@ -1384,6 +1385,11 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
            }

            SetRawReassemblyFlag(de_ctx, sh);
+
+            mpm_store = MpmStorePrepareBuffer(de_ctx, sh, MPMB_L4HDR_TS);
+            if (mpm_store != NULL) {
+                PrefilterTcpHeaderRegister(de_ctx, sh, mpm_store->mpm_ctx);
+            }
        }
        if (SGH_DIRECTION_TC(sh)) {
            mpm_store = MpmStorePrepareBuffer(de_ctx, sh, MPMB_TCP_PKT_TC);
@ -1397,6 +1403,11 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
            }

            SetRawReassemblyFlag(de_ctx, sh);
+
+            mpm_store = MpmStorePrepareBuffer(de_ctx, sh, MPMB_L4HDR_TC);
+            if (mpm_store != NULL) {
+                PrefilterTcpHeaderRegister(de_ctx, sh, mpm_store->mpm_ctx);
+            }
       }
    } else if (SGH_PROTO(sh, IPPROTO_UDP)) {
        if (SGH_DIRECTION_TS(sh)) {
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@ -167,6 +167,7 @@
 #include "detect-app-layer-protocol.h"
 #include "detect-template.h"
 #include "detect-template2.h"
+#include "detect-tcphdr.h"
 #include "detect-tcpmss.h"
 #include "detect-krb5-cname.h"
 #include "detect-krb5-errcode.h"
@ -524,6 +525,7 @@ void SigTableSetup(void)
    DetectBase64DataRegister();
    DetectTemplateRegister();
    DetectTemplate2Register();
+    DetectTcphdrRegister();
    DetectTcpmssRegister();
    DetectKrb5CNameRegister();
    DetectKrb5ErrCodeRegister();
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@ -225,6 +225,7 @@ enum {

    DETECT_TEMPLATE,
    DETECT_TEMPLATE2,
+    DETECT_TCPHDR,
    DETECT_TCPMSS,
    DETECT_FTPDATA,
    DETECT_TARGET,
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@ -54,6 +54,7 @@
 #include "detect-byte-extract.h"
 #include "detect-content.h"
 #include "detect-uricontent.h"
+#include "detect-tcphdr.h"
 #include "detect-engine-threshold.h"
 #include "detect-engine-content-inspection.h"

@ -1248,6 +1249,15 @@ int DetectEnginePktInspectionSetup(Signature *s)
        SCLogDebug("sid %u: DetectEngineInspectRulePayloadMatches appended", s->id);
    }

+    if (s->sm_arrays[DETECT_SM_LIST_L4HDR] &&
+            (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))))
+    {
+        if (DetectEnginePktInspectionAppend(s, DetectEngineInspectRuleTcpHeaderMatches,
+                s->sm_arrays[DETECT_SM_LIST_L4HDR]) < 0)
+            return -1;
+        SCLogDebug("sid %u: DetectEngineInspectRuleTcpHeaderMatches appended", s->id);
+    }
+
    if (s->sm_arrays[DETECT_SM_LIST_MATCH]) {
        if (DetectEnginePktInspectionAppend(s, DetectEngineInspectRulePacketMatches,
                s->sm_arrays[DETECT_SM_LIST_MATCH]) < 0)
--- a/src/detect-tcphdr.c
+++ b/src/detect-tcphdr.c
@ -0,0 +1,168 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Victor Julien <victor@inliniac.net>
+ *
+ */
+
+#include "suricata-common.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-prefilter.h"
+#include "detect-engine-content-inspection.h"
+#include "detect-fast-pattern.h"
+#include "detect-tcphdr.h"
+
+/* prototypes */
+static int DetectTcphdrSetup (DetectEngineCtx *, Signature *, const char *);
+#ifdef UNITTESTS
+void DetectTcphdrRegisterTests (void);
+#endif
+
+/**
+ * \brief Registration function for tcphdr: keyword
+ */
+
+void DetectTcphdrRegister(void)
+{
+    sigmatch_table[DETECT_TCPHDR].name = "tcp.hdr";
+    sigmatch_table[DETECT_TCPHDR].desc = "sticky buffer to match on the TCP header";
+    sigmatch_table[DETECT_TCPHDR].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#tcphdr";
+    sigmatch_table[DETECT_TCPHDR].Setup = DetectTcphdrSetup;
+    sigmatch_table[DETECT_TCPHDR].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+#ifdef UNITTESTS
+    sigmatch_table[DETECT_TCPHDR].RegisterTests = DetectTcphdrRegisterTests;
+#endif
+    SupportFastPatternForSigMatchList(DETECT_SM_LIST_L4HDR, 2);
+    return;
+}
+
+/**
+ * \brief this function is used to atcphdrd the parsed tcphdr data into the current signature
+ *
+ * \param de_ctx pointer to the Detection Engine Context
+ * \param s pointer to the Current Signature
+ * \param tcphdrstr pointer to the user provided tcphdr options
+ *
+ * \retval 0 on Success
+ * \retval -1 on Failure
+ */
+static int DetectTcphdrSetup (DetectEngineCtx *de_ctx, Signature *s, const char *tcphdrstr)
+{
+    if (!(DetectProtoContainsProto(&s->proto, IPPROTO_TCP)))
+        return -1;
+
+    s->flags |= SIG_FLAG_REQUIRE_PACKET;
+
+    if (DetectBufferSetActiveList(s, DETECT_SM_LIST_L4HDR) < 0)
+        return -1;
+
+    return 0;
+}
+
+static void PrefilterTcpHeader(DetectEngineThreadCtx *det_ctx,
+        Packet *p, const void *pectx)
+{
+    SCEnter();
+
+    uint32_t hlen = TCP_GET_HLEN(p);
+    if (((uint8_t *)p->tcph + (ptrdiff_t)hlen) >
+            ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
+    {
+        SCLogDebug("data out of range: %p > %p",
+                ((uint8_t *)p->tcph + (ptrdiff_t)hlen),
+                ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)));
+        SCReturn;
+    }
+
+    const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+    if (hlen < mpm_ctx->minlen)
+        SCReturn;
+
+    (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+            &det_ctx->mtc, &det_ctx->pmq,
+            (uint8_t *)p->tcph, hlen);
+}
+
+int PrefilterTcpHeaderRegister(DetectEngineCtx *de_ctx,
+        SigGroupHead *sgh, MpmCtx *mpm_ctx)
+{
+    return PrefilterAppendEngine(de_ctx, sgh,
+            PrefilterTcpHeader, mpm_ctx, NULL, "tcp.hdr");
+}
+
+/**
+ *  \brief Do the content inspection & validation for a signature
+ *
+ *  \param det_ctx Detection engine thread context
+ *  \param s Signature to inspect
+ *  \param p Packet
+ *
+ *  \retval false no match
+ *  \retval true match
+ */
+bool DetectEngineInspectRuleTcpHeaderMatches(
+     ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
+     const Signature *s, const SigMatchData *sm_data,
+     Flow *f, Packet *p,
+     uint8_t *alert_flags)
+{
+    SCEnter();
+
+    BUG_ON(sm_data == NULL);
+    BUG_ON(sm_data != s->sm_arrays[DETECT_SM_LIST_L4HDR]);
+
+    if (!(PKT_IS_TCP(p))) {
+        SCReturnInt(false);
+    }
+    uint32_t hlen = TCP_GET_HLEN(p);
+    if (((uint8_t *)p->tcph + (ptrdiff_t)hlen) >
+            ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
+    {
+        SCLogDebug("data out of range: %p > %p",
+                ((uint8_t *)p->tcph + (ptrdiff_t)hlen),
+                ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)));
+        SCReturnInt(false);
+    }
+
+#ifdef DEBUG
+    det_ctx->payload_persig_cnt++;
+    det_ctx->payload_persig_size += hlen;
+#endif
+    det_ctx->buffer_offset = 0;
+    det_ctx->discontinue_matching = 0;
+    det_ctx->inspection_recursion_counter = 0;
+    det_ctx->replist = NULL;
+
+    int r = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx,
+            s, sm_data,
+            p, NULL, (uint8_t *)p->tcph, hlen, 0,
+            DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER);
+    if (r == 1) {
+        SCReturnInt(true);
+    }
+    SCReturnInt(false);
+}
+
+#ifdef UNITTESTS
+#include "tests/detect-tcphdr.c"
+#endif
--- a/src/detect-tcphdr.h
+++ b/src/detect-tcphdr.h
@ -0,0 +1,36 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Victor Julien <victor@inliniac.net>
+ */
+
+#ifndef _DETECT_TCPHDR_H
+#define _DETECT_TCPHDR_H
+
+int PrefilterTcpHeaderRegister(DetectEngineCtx *de_ctx,
+        SigGroupHead *sgh, MpmCtx *mpm_ctx);
+bool DetectEngineInspectRuleTcpHeaderMatches(
+     ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
+     const Signature *s, const SigMatchData *sm_data,
+     Flow *f, Packet *p,
+     uint8_t *alert_flags);
+void DetectTcphdrRegister(void);
+
+#endif	/* _DETECT_TCPHDR_H */
--- a/src/tests/detect-tcphdr.c
+++ b/src/tests/detect-tcphdr.c
@ -0,0 +1,47 @@
+/* Copyright (C) 2007-2018 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include "../suricata-common.h"
+
+#include "../detect.h"
+#include "../detect-parse.h"
+#include "../detect-engine-prefilter-common.h"
+
+#include "../detect-tcphdr.h"
+
+#include "../util-unittest.h"
+
+static int DetectTcphdrParseTest01 (void)
+{
+    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+    FAIL_IF_NULL(de_ctx);
+
+    Signature *sig = DetectEngineAppendSig(de_ctx,
+            "alert tcp any any -> any any (tcp.hdr; content:\"A\"; sid:1; rev:1;)");
+    FAIL_IF_NULL(sig);
+
+    DetectEngineCtxFree(de_ctx);
+    PASS;
+}
+
+/**
+ * \brief this function registers unit tests for DetectTcphdr
+ */
+void DetectTcphdrRegisterTests(void)
+{
+    UtRegisterTest("DetectTcphdrParseTest01", DetectTcphdrParseTest01);
+}