aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: adds utility file for uint keywords

Browse Source
pull/4702/head
Philippe Antoine 5 years ago committed by Victor Julien
parent 0355b70f5a
commit 75ec528384
3 changed files with 281 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
src/Makefile.am
Unescape Escape View File

@ -148,6 +148,7 @@ detect-engine-sigorder.c detect-engine-sigorder.h \
detect-engine-state.c detect-engine-state.h \
detect-engine-tag.c detect-engine-tag.h \
detect-engine-threshold.c detect-engine-threshold.h \
detect-engine-uint.c detect-engine-uint.h \
detect-fast-pattern.c detect-fast-pattern.h \
detect-file-data.c detect-file-data.h \
detect-file-hash-common.c detect-file-hash-common.h \

231
src/detect-engine-uint.c
Unescape Escape View File

@ -0,0 +1,231 @@
/* Copyright (C) 2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Philippe Antoine <p.antoine@catenacyber.fr>
*
*/
#include "suricata-common.h"
#include "util-byte.h"
#include "detect-parse.h"
#include "detect-engine-uint.h"
/**
* \brief Regex for parsing our options
*/
#define PARSE_REGEX "^\\s*([0-9]*)?\\s*([<>=-]+)?\\s*([0-9]+)?\\s*$"
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
int DetectU32Match(const uint32_t parg, const DetectU32Data *du32)
{
switch (du32->mode) {
case DETECT_UINT_EQ:
if (parg == du32->arg1) {
return 1;
}
return 0;
case DETECT_UINT_LT:
if (parg < du32->arg1) {
return 1;
}
return 0;
case DETECT_UINT_GT:
if (parg > du32->arg1) {
return 1;
}
return 0;
case DETECT_UINT_RA:
if (parg > du32->arg1 && parg < du32->arg2) {
return 1;
}
return 0;
default:
BUG_ON("unknown mode");
}
return 0;
}
/**
* \brief This function is used to parse u32 options passed via some u32 keyword
*
* \param u32str Pointer to the user provided u32 options
*
* \retval DetectU32Data pointer to DetectU32Data on success
* \retval NULL on failure
*/
DetectU32Data *DetectU32Parse (const char *u32str)
{
DetectU32Data u32da;
DetectU32Data *u32d = NULL;
char arg1[16] = "";
char arg2[16] = "";
char arg3[16] = "";
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
ret = pcre_exec(parse_regex, parse_regex_study, u32str, strlen(u32str), 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 2 || ret > 4) {
SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 "", ret);
return NULL;
}
res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 1, arg1, sizeof(arg1));
if (res < 0) {
SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
return NULL;
}
SCLogDebug("Arg1 \"%s\"", arg1);
if (ret >= 3) {
res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 2, arg2, sizeof(arg2));
if (res < 0) {
SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
return NULL;
}
SCLogDebug("Arg2 \"%s\"", arg2);
if (ret >= 4) {
res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 3, arg3, sizeof(arg3));
if (res < 0) {
SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
return NULL;
}
SCLogDebug("Arg3 \"%s\"", arg3);
}
}
if (strlen(arg2) > 0) {
/*set the values*/
switch(arg2[0]) {
case '<':
case '>':
if (strlen(arg3) == 0)
return NULL;
if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg3), arg3) < 0) {
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
return NULL;
}
SCLogDebug("u32 is %"PRIu32"",u32da.arg1);
if (strlen(arg1) > 0)
return NULL;
if (arg2[0] == '<') {
u32da.mode = DETECT_UINT_LT;
} else { // arg2[0] == '>'
u32da.mode = DETECT_UINT_GT;
}
break;
case '-':
if (strlen(arg1)== 0)
return NULL;
if (strlen(arg3)== 0)
return NULL;
u32da.mode = DETECT_UINT_RA;
if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
return NULL;
}
if (ByteExtractStringUint32(&u32da.arg2, 10, strlen(arg3), arg3) < 0) {
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
return NULL;
}
SCLogDebug("u32 is %"PRIu32" to %"PRIu32"", u32da.arg1, u32da.arg2);
if (u32da.arg1 >= u32da.arg2) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid u32 range. ");
return NULL;
}
break;
default:
u32da.mode = DETECT_UINT_EQ;
if (strlen(arg2) > 0 ||
strlen(arg3) > 0 ||
strlen(arg1) == 0)
return NULL;
if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
return NULL;
}
}
} else {
u32da.mode = DETECT_UINT_EQ;
if (strlen(arg3) > 0 ||
strlen(arg1) == 0)
return NULL;
if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
return NULL;
}
}
u32d = SCCalloc(1, sizeof (DetectU32Data));
if (unlikely(u32d == NULL))
return NULL;
u32d->arg1 = u32da.arg1;
u32d->arg2 = u32da.arg2;
u32d->mode = u32da.mode;
return u32d;
}
void
PrefilterPacketU32Set(PrefilterPacketHeaderValue *v, void *smctx)
{
const DetectU32Data *a = smctx;
v->u8[0] = a->mode;
v->u32[1] = a->arg1;
v->u32[2] = a->arg2;
}
bool
PrefilterPacketU32Compare(PrefilterPacketHeaderValue v, void *smctx)
{
const DetectU32Data *a = smctx;
if (v.u8[0] == a->mode &&
v.u32[1] == a->arg1 &&
v.u32[2] == a->arg2)
return true;
return false;
}
static bool g_detect_u32_registered = false;
void DetectU32Register(void)
{
if (g_detect_u32_registered == false) {
// register only once
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_detect_u32_registered = true;
}
}

49
src/detect-engine-uint.h
Unescape Escape View File

@ -0,0 +1,49 @@
/* Copyright (C) 2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Philippe Antoine <p.antoine@catenacyber.fr>
*/
#ifndef __DETECT_ENGINE_UINT_H
#define __DETECT_ENGINE_UINT_H
#include "detect-engine-prefilter-common.h"
typedef enum {
DETECT_UINT_LT,
DETECT_UINT_EQ,
DETECT_UINT_GT,
DETECT_UINT_RA,
} DetectUintMode;
typedef struct DetectU32Data_ {
uint32_t arg1; /**< first arg value in the signature*/
uint32_t arg2; /**< second arg value in the signature, in case of range
operator*/
DetectUintMode mode; /**< operator used in the signature */
} DetectU32Data;
int DetectU32Match(const uint32_t parg, const DetectU32Data *du32);
DetectU32Data *DetectU32Parse (const char *u32str);
void PrefilterPacketU32Set(PrefilterPacketHeaderValue *v, void *smctx);
bool PrefilterPacketU32Compare(PrefilterPacketHeaderValue v, void *smctx);
void DetectU32Register(void);
#endif /* __DETECT_UTIL_UINT_H */
Write Preview
Loading…
Cancel
Save