add flowbits:set; only sigs to be treated as ip only

15 years ago · 7e5c52c80b
parent bca8fbc79e
commit 7e5c52c80b
5 changed files with 157 additions and 8 deletions
--- a/src/detect-engine-iponly.c
+++ b/src/detect-engine-iponly.c
@ -48,6 +48,7 @@
 #include "util-classification-config.h"
 #include "util-rule-vars.h"

+#include "flow-util.h"
 #include "util-debug.h"
 #include "util-unittest.h"
 #include "util-unittest-helper.h"
@ -919,6 +920,31 @@ void DetectEngineIPOnlyThreadDeinit(DetectEngineIPOnlyThreadCtx *io_tctx) {
    SCFree(io_tctx->sig_match_array);
 }

+static inline
+int IPOnlyMatchCompatSMs(ThreadVars *tv,
+                         DetectEngineThreadCtx *det_ctx,
+                         Signature *s, Packet *p)
+{
+    SigMatch *sm = s->sm_lists[DETECT_SM_LIST_MATCH];
+    int match;
+
+    while (sm != NULL) {
+        if (sm->type != DETECT_FLOWBITS) {
+            sm = sm->next;
+            continue;
+        }
+
+        match = sigmatch_table[sm->type].Match(tv, det_ctx, p, s, sm);
+        if (match > 0) {
+            sm = sm->next;
+            continue;
+        }
+        return 0;
+    }
+
+    return 1;
+}
+
 /**
 * \brief Match a packet against the IP Only detection engine contexts
 *
@ -927,7 +953,8 @@ void DetectEngineIPOnlyThreadDeinit(DetectEngineIPOnlyThreadCtx *io_tctx) {
 * \param io_ctx Pointer to the current ip only thread detection engine
 * \param p Pointer to the Packet to match against
 */
-void IPOnlyMatchPacket(DetectEngineCtx *de_ctx,
+void IPOnlyMatchPacket(ThreadVars *tv,
+                       DetectEngineCtx *de_ctx,
                       DetectEngineThreadCtx *det_ctx,
                       DetectEngineIPOnlyCtx *io_ctx,
                       DetectEngineIPOnlyThreadCtx *io_tctx, Packet *p)
@ -1002,6 +1029,10 @@ void IPOnlyMatchPacket(DetectEngineCtx *de_ctx,
                    if (!(s->proto.proto[(IP_GET_IPPROTO(p)/8)] & (1 << (IP_GET_IPPROTO(p) % 8))))
                        continue;

+                    if (!IPOnlyMatchCompatSMs(tv, det_ctx, s, p)) {
+                        continue;
+                    }
+
                    SCLogDebug("Signum %"PRIu16" match (sid: %"PRIu16", msg: %s)",
                               u * 8 + i, s->id, s->msg);

@ -1998,6 +2029,107 @@ int IPOnlyTestSig12(void) {
    return result;
 }

+static int IPOnlyTestSig13(void)
+{
+    int result = 0;
+    DetectEngineCtx de_ctx;
+
+    memset(&de_ctx, 0, sizeof(DetectEngineCtx));
+
+    de_ctx.flags |= DE_QUIET;
+
+    Signature *s = SigInit(&de_ctx,
+                           "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
+                           "flowbits:set,myflow1; sid:1; rev:1;)");
+    if (s == NULL) {
+        goto end;
+    }
+    if (SignatureIsIPOnly(&de_ctx, s))
+        result = 1;
+    else
+        printf("expected a IPOnly signature: ");
+
+    SigFree(s);
+end:
+    return result;
+}
+
+static int IPOnlyTestSig14(void)
+{
+    int result = 0;
+    DetectEngineCtx de_ctx;
+
+    memset(&de_ctx, 0, sizeof(DetectEngineCtx));
+
+    de_ctx.flags |= DE_QUIET;
+
+    Signature *s = SigInit(&de_ctx,
+                           "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
+                           "flowbits:set,myflow1; flowbits:isset,myflow2; sid:1; rev:1;)");
+    if (s == NULL) {
+        goto end;
+    }
+    if (SignatureIsIPOnly(&de_ctx, s))
+        printf("expected a IPOnly signature: ");
+    else
+        result = 1;
+
+    SigFree(s);
+end:
+    return result;
+}
+
+int IPOnlyTestSig15(void)
+{
+    int result = 0;
+    uint8_t *buf = (uint8_t *)"Hi all!";
+    uint16_t buflen = strlen((char *)buf);
+
+    uint8_t numpkts = 1;
+    uint8_t numsigs = 7;
+
+    Packet *p[1];
+    Flow f;
+    GenericVar flowvar;
+    memset(&f, 0, sizeof(Flow));
+    memset(&flowvar, 0, sizeof(GenericVar));
+    FLOW_INITIALIZE(&f);
+
+    p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
+
+    p[0]->flow = &f;
+    p[0]->flow->flowvar = &flowvar;
+    p[0]->flags |= PKT_HAS_FLOW;
+    p[0]->flowflags |= FLOW_PKT_TOSERVER;
+
+    char *sigs[numsigs];
+    sigs[0]= "alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; "
+        "flowbits:set,one; sid:1;)";
+    sigs[1]= "alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; "
+        "flowbits:set,two; sid:2;)";
+    sigs[2]= "alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; "
+        "flowbits:set,three; sid:3;)";
+    sigs[3]= "alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; "
+        "flowbits:set,four; sid:4;)";
+    sigs[4]= "alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; "
+        "flowbits:set,five; sid:5;)";
+    sigs[5]= "alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; "
+        "flowbits:set,six; sid:6;)";
+    sigs[6]= "alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; "
+        "flowbits:set,seven; content:\"Hi all\"; sid:7;)";
+
+    /* Sid numbers (we could extract them from the sig) */
+    uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
+    uint32_t results[7] = { 1, 1, 1, 1, 1, 1, 1};
+
+    result = UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
+
+    UTHFreePackets(p, numpkts);
+
+    FLOW_DESTROY(&f);
+    return result;
+}
+
 #endif /* UNITTESTS */

 void IPOnlyRegisterTests(void) {
@ -2016,6 +2148,11 @@ void IPOnlyRegisterTests(void) {
    UtRegisterTest("IPOnlyTestSig10", IPOnlyTestSig10, 1);
    UtRegisterTest("IPOnlyTestSig11", IPOnlyTestSig11, 1);
    UtRegisterTest("IPOnlyTestSig12", IPOnlyTestSig12, 1);
+    UtRegisterTest("IPOnlyTestSig13", IPOnlyTestSig13, 1);
+    UtRegisterTest("IPOnlyTestSig14", IPOnlyTestSig14, 1);
+    UtRegisterTest("IPOnlyTestSig15", IPOnlyTestSig15, 1);
 #endif
+
+    return;
 }

--- a/src/detect-engine-iponly.h
+++ b/src/detect-engine-iponly.h
@ -51,9 +51,9 @@ int IPOnlyCIDRItemParseSingle(IPOnlyCIDRItem *dd, char *str);
 int IPOnlyCIDRItemSetup(IPOnlyCIDRItem *gh, char *s);

 void IPOnlyCIDRListPrint(IPOnlyCIDRItem *);
-void IPOnlyMatchPacket(DetectEngineCtx *, DetectEngineThreadCtx *,
-                       DetectEngineIPOnlyCtx *, DetectEngineIPOnlyThreadCtx *,
-                       Packet *);
+void IPOnlyMatchPacket(ThreadVars *tv, DetectEngineCtx *,
+                       DetectEngineThreadCtx *, DetectEngineIPOnlyCtx *,
+                       DetectEngineIPOnlyThreadCtx *, Packet *);
 void IPOnlyInit(DetectEngineCtx *, DetectEngineIPOnlyCtx *);
 void IPOnlyPrint(DetectEngineCtx *, DetectEngineIPOnlyCtx *);
 void IPOnlyDeinit(DetectEngineCtx *, DetectEngineIPOnlyCtx *);
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
@ -61,6 +61,8 @@ void DetectFlowbitsRegister (void) {
    sigmatch_table[DETECT_FLOWBITS].Setup = DetectFlowbitSetup;
    sigmatch_table[DETECT_FLOWBITS].Free  = DetectFlowbitFree;
    sigmatch_table[DETECT_FLOWBITS].RegisterTests = FlowBitsRegisterTests;
+    /* this is compatible to ip-only signatures */
+    sigmatch_table[DETECT_FLOWBITS].flags |= SIGMATCH_IPONLY_COMPAT;

    const char *eb;
    int eo;
@ -750,6 +752,7 @@ static int FlowBitsTestSig06(void) {
    p->payload_len = buflen;
    p->proto = IPPROTO_TCP;
    p->flags |= PKT_HAS_FLOW;
+    p->flowflags |= FLOW_PKT_TOSERVER;

    de_ctx = DetectEngineCtxInit();

--- a/src/detect.c
+++ b/src/detect.c
@ -1352,7 +1352,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
        {
            SCLogDebug("testing against \"ip-only\" signatures");

-            IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
+            IPOnlyMatchPacket(th_v, de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
            /* save in the flow that we scanned this direction... locking is
             * done in the FlowSetIPOnlyFlag function. */
            FlowSetIPOnlyFlag(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
@ -1383,7 +1383,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
    } else {
        /* no flow */
        /* Even without flow we should match the packet src/dst */
-        IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
+        IPOnlyMatchPacket(th_v, de_ctx, det_ctx, &de_ctx->io_ctx,
+                          &det_ctx->io_ctx, p);

        det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
    }
@ -1914,9 +1915,15 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, Signature *s) {
    if (sm == NULL)
        goto iponly;

-    for ( ;sm != NULL; sm = sm->next) {
+    for ( ; sm != NULL; sm = sm->next) {
        if ( !(sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
            return 0;
+        /* we have enabled flowbits to be compatible with ip only sigs, as long
+         * as the sig only has a "set" flowbits */
+        if (sm->type == DETECT_FLOWBITS &&
+            (((DetectFlowbitsData *)sm->ctx)->cmd != DETECT_FLOWBITS_CMD_SET) ) {
+            return 0;
+        }
    }

 iponly:
--- a/src/util-var-name.c
+++ b/src/util-var-name.c
@ -121,6 +121,8 @@ void VariableNameFreeHash() {
    if (variable_names != NULL) {
        HashListTableFree(variable_names);
        HashListTableFree(variable_idxs);
+        variable_names = NULL;
+        variable_idxs = NULL;
    }
 }

@ -195,4 +197,4 @@ char *VariableIdxGetName(uint16_t idx, uint8_t type)
 error:
    VariableNameFree(fn);
    return NULL;
-}
+}