diff --git a/rust/src/sip/detect.rs b/rust/src/sip/detect.rs
index 91df4fb299..c90ff65b78 100644
--- a/rust/src/sip/detect.rs
+++ b/rust/src/sip/detect.rs
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019 Open Information Security Foundation
+/* Copyright (C) 2019-2024 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -18,9 +18,22 @@
 // written by Giuseppe Longo
 
 use crate::core::Direction;
-use crate::sip::sip::SIPTransaction;
+use crate::detect::{
+    DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperBufferRegister,
+    DetectHelperGetData, DetectHelperKeywordRegister, DetectSignatureSetAppProto, SCSigTableElmt,
+    SigMatchAppendSMToList, SIGMATCH_INFO_STICKY_BUFFER, SIGMATCH_NOOPT,
+};
+use crate::sip::sip::{SIPTransaction, ALPROTO_SIP};
+use std::ffi::CStr;
+use std::os::raw::{c_int, c_void};
 use std::ptr;
 
+static mut G_SIP_PROTOCOL_BUFFER_ID: c_int = 0;
+static mut G_SIP_STAT_CODE_BUFFER_ID: c_int = 0;
+static mut G_SIP_STAT_MSG_BUFFER_ID: c_int = 0;
+static mut G_SIP_REQUEST_LINE_BUFFER_ID: c_int = 0;
+static mut G_SIP_RESPONSE_LINE_BUFFER_ID: c_int = 0;
+
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_tx_get_method(
     tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
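Review bot: The new `use crate::detect::{...}` block pulls in `DetectHelperBufferRegister`, `SigMatchAppendSMToList` and `SIGMATCH_INFO_STICKY_BUFFER`, and `use std::ffi::CStr;` is added alongside it, yet none of these names is used anywhere in the changed code of this file; unless the unchanged functions between the hunks use them, they will produce `unused_imports` warnings and should be dropped from the import list. The five `static mut G_SIP_*_BUFFER_ID` globals are written only in `ScDetectSipRegister` and read from the `_setup` callbacks, and that single-writer-before-any-reader order is what makes the `static mut` accesses sound; since the order is enforced by the C caller rather than by this file, a comment on the declarations would help, e.g. `// Buffer ids; assigned once in ScDetectSipRegister before any signature setup runs.`.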
@@ -59,10 +72,37 @@ pub unsafe extern "C" fn rs_sip_tx_get_uri(
     return 0;
 }
 
-#[no_mangle]
-pub unsafe extern "C" fn rs_sip_tx_get_protocol(
-    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32, direction: u8,
-) -> u8 {
+unsafe extern "C" fn sip_protocol_setup(
+    de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if DetectSignatureSetAppProto(s, ALPROTO_SIP) != 0 {
+        return -1;
+    }
+    if DetectBufferSetActiveList(de, s, G_SIP_PROTOCOL_BUFFER_ID) < 0 {
+        return -1;
+    }
+    return 0;
+}
+
+unsafe extern "C" fn sip_protocol_get(
+    de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
+    tx: *const c_void, list_id: c_int,
+) -> *mut c_void {
+    return DetectHelperGetData(
+        de,
+        transforms,
+        flow,
+        flow_flags,
+        tx,
+        list_id,
+        sip_protocol_get_data,
+    );
+}
+
+unsafe extern "C" fn sip_protocol_get_data(
+    tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32,
+) -> bool {
+    let tx = cast_pointer!(tx, SIPTransaction);
     match direction.into() {
         Direction::ToServer => {
             if let Some(ref r) = tx.request {
@@ -70,7 +110,7 @@ pub unsafe extern "C" fn rs_sip_tx_get_protocol(
                 if !v.is_empty() {
                     *buffer = v.as_ptr();
                     *buffer_len = v.len() as u32;
-                    return 1;
+                    return true;
                 }
             }
         }
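Review bot: `sip_protocol_setup` spells its unused argument as `_raw: *const std::os::raw::c_char` even though the file now imports `c_int` and `c_void` from `std::os::raw`; adding `c_char` to that import and writing `_raw: *const c_char` keeps the signatures in one style, and the same mix (plus the `libc::c_char` casts in `ScDetectSipRegister`) recurs in the four other `_setup` functions of the next hunk. The `_setup`/`_get`/`_get_data` triplet is then repeated five times differing only in the buffer id global and the data function, which a small `macro_rules!` or a generic helper could generate; that is optional, but it would shrink the file considerably. `sip_protocol_get_data` continues past the end of this hunk.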
@@ -80,88 +120,279 @@ pub unsafe extern "C" fn rs_sip_tx_get_protocol(
                 if !v.is_empty() {
                     *buffer = v.as_ptr();
                     *buffer_len = v.len() as u32;
-                    return 1;
+                    return true;
                 }
             }
         }
     }
-    *buffer = ptr::null();
     *buffer_len = 0;
+    return false;
+}
 
+unsafe extern "C" fn sip_stat_code_setup(
+    de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if DetectSignatureSetAppProto(s, ALPROTO_SIP) != 0 {
+        return -1;
+    }
+    if DetectBufferSetActiveList(de, s, G_SIP_STAT_CODE_BUFFER_ID) < 0 {
+        return -1;
+    }
     return 0;
 }
 
-#[no_mangle]
-pub unsafe extern "C" fn rs_sip_tx_get_stat_code(
-    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
-) -> u8 {
+unsafe extern "C" fn sip_stat_code_get(
+    de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
+    tx: *const c_void, list_id: c_int,
+) -> *mut c_void {
+    return DetectHelperGetData(
+        de,
+        transforms,
+        flow,
+        flow_flags,
+        tx,
+        list_id,
+        sip_stat_code_get_data,
+    );
+}
+
+unsafe extern "C" fn sip_stat_code_get_data(
+    tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32,
+) -> bool {
+    let tx = cast_pointer!(tx, SIPTransaction);
     if let Some(ref r) = tx.response {
         let c = &r.code;
         if !c.is_empty() {
             *buffer = c.as_ptr();
             *buffer_len = c.len() as u32;
-            return 1;
+            return true;
         }
     }
-    *buffer = ptr::null();
     *buffer_len = 0;
+    return false;
+}
 
+unsafe extern "C" fn sip_stat_msg_setup(
+    de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if DetectSignatureSetAppProto(s, ALPROTO_SIP) != 0 {
+        return -1;
+    }
+    if DetectBufferSetActiveList(de, s, G_SIP_STAT_MSG_BUFFER_ID) < 0 {
+        return -1;
+    }
     return 0;
 }
 
-#[no_mangle]
-pub unsafe extern "C" fn rs_sip_tx_get_stat_msg(
-    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
-) -> u8 {
+unsafe extern "C" fn sip_stat_msg_get(
+    de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
+    tx: *const c_void, list_id: c_int,
+) -> *mut c_void {
+    return DetectHelperGetData(
+        de,
+        transforms,
+        flow,
+        flow_flags,
+        tx,
+        list_id,
+        sip_stat_msg_get_data,
+    );
+}
 
+unsafe extern "C" fn sip_stat_msg_get_data(
+    tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32,
+) -> bool {
+    let tx = cast_pointer!(tx, SIPTransaction);
     if let Some(ref r) = tx.response {
         let re = &r.reason;
         if !re.is_empty() {
             *buffer = re.as_ptr();
             *buffer_len = re.len() as u32;
-            return 1;
+            return true;
         }
     }
-    *buffer = ptr::null();
     *buffer_len = 0;
+    return false;
+}
 
+unsafe extern "C" fn sip_request_line_setup(
+    de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if DetectSignatureSetAppProto(s, ALPROTO_SIP) != 0 {
+        return -1;
+    }
+    if DetectBufferSetActiveList(de, s, G_SIP_REQUEST_LINE_BUFFER_ID) < 0 {
+        return -1;
+    }
     return 0;
 }
 
-#[no_mangle]
-pub unsafe extern "C" fn rs_sip_tx_get_request_line(
-    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
-) -> u8 {
+unsafe extern "C" fn sip_request_line_get(
+    de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
+    tx: *const c_void, list_id: c_int,
+) -> *mut c_void {
+    return DetectHelperGetData(
+        de,
+        transforms,
+        flow,
+        flow_flags,
+        tx,
+        list_id,
+        sip_request_line_get_data,
+    );
+}
+
+unsafe extern "C" fn sip_request_line_get_data(
+    tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32,
+) -> bool {
+    let tx = cast_pointer!(tx, SIPTransaction);
     if let Some(ref r) = tx.request_line {
         if !r.is_empty() {
             *buffer = r.as_ptr();
             *buffer_len = r.len() as u32;
-            return 1;
+            return true;
         }
     }
-    *buffer = ptr::null();
     *buffer_len = 0;
+    return false;
+}
 
+unsafe extern "C" fn sip_response_line_setup(
+    de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if DetectSignatureSetAppProto(s, ALPROTO_SIP) != 0 {
+        return -1;
+    }
+    if DetectBufferSetActiveList(de, s, G_SIP_RESPONSE_LINE_BUFFER_ID) < 0 {
+        return -1;
+    }
     return 0;
 }
 
-#[no_mangle]
-pub unsafe extern "C" fn rs_sip_tx_get_response_line(
-    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
-) -> u8 {
+unsafe extern "C" fn sip_response_line_get(
+    de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
+    tx: *const c_void, list_id: c_int,
+) -> *mut c_void {
+    return DetectHelperGetData(
+        de,
+        transforms,
+        flow,
+        flow_flags,
+        tx,
+        list_id,
+        sip_response_line_get_data,
+    );
+}
+
+unsafe extern "C" fn sip_response_line_get_data(
+    tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32,
+) -> bool {
+    let tx = cast_pointer!(tx, SIPTransaction);
     if let Some(ref r) = tx.response_line {
         if !r.is_empty() {
             *buffer = r.as_ptr();
             *buffer_len = r.len() as u32;
-            return 1;
+            return true;
         }
     }
-    *buffer = ptr::null();
     *buffer_len = 0;
+    return false;
+}
 
-    return 0;
+#[no_mangle]
+pub unsafe extern "C" fn ScDetectSipRegister() {
+    let kw = SCSigTableElmt {
+        name: b"sip.protocol\0".as_ptr() as *const libc::c_char,
+        desc: b"sticky buffer to match on the SIP protocol\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/sip-keywords.html#sip-protocol\0".as_ptr() as *const libc::c_char,
+        Setup: sip_protocol_setup,
+        flags: SIGMATCH_NOOPT,
+        AppLayerTxMatch: None,
+        Free: None,
+    };
+    let _g_sip_protocol_kw_id = DetectHelperKeywordRegister(&kw);
+    G_SIP_PROTOCOL_BUFFER_ID = DetectHelperBufferMpmRegister(
+        b"sip.protocol\0".as_ptr() as *const libc::c_char,
+        b"sip.protocol\0".as_ptr() as *const libc::c_char,
+        ALPROTO_SIP,
+        true,
+        true,
+        sip_protocol_get,
+    );
+    let kw = SCSigTableElmt {
+        name: b"sip.stat_code\0".as_ptr() as *const libc::c_char,
+        desc: b"sticky buffer to match on the SIP status code\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/sip-keywords.html#sip-stat-code\0".as_ptr() as *const libc::c_char,
+        Setup: sip_stat_code_setup,
+        flags: SIGMATCH_NOOPT,
+        AppLayerTxMatch: None,
+        Free: None,
+    };
+    let _g_sip_stat_code_kw_id = DetectHelperKeywordRegister(&kw);
+    G_SIP_STAT_CODE_BUFFER_ID = DetectHelperBufferMpmRegister(
+        b"sip.stat_code\0".as_ptr() as *const libc::c_char,
+        b"sip.stat_code\0".as_ptr() as *const libc::c_char,
+        ALPROTO_SIP,
+        true,
+        false,
+        sip_stat_code_get,
+    );
+    let kw = SCSigTableElmt {
+        name: b"sip.stat_msg\0".as_ptr() as *const libc::c_char,
+        desc: b"sticky buffer to match on the SIP status message\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/sip-keywords.html#sip-stat-msg\0".as_ptr() as *const libc::c_char,
+        Setup: sip_stat_msg_setup,
+        flags: SIGMATCH_NOOPT,
+        AppLayerTxMatch: None,
+        Free: None,
+    };
+    let _g_sip_stat_msg_kw_id = DetectHelperKeywordRegister(&kw);
+    G_SIP_STAT_MSG_BUFFER_ID = DetectHelperBufferMpmRegister(
+        b"sip.stat_msg\0".as_ptr() as *const libc::c_char,
+        b"sip.stat_msg\0".as_ptr() as *const libc::c_char,
+        ALPROTO_SIP,
+        true,
+        false,
+        sip_stat_msg_get,
+    );
+    let kw = SCSigTableElmt {
+        name: b"sip.request_line\0".as_ptr() as *const libc::c_char,
+        desc: b"sticky buffer to match on the SIP request line\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/sip-keywords.html#sip-request-line\0".as_ptr() as *const libc::c_char,
+        Setup: sip_request_line_setup,
+        flags: SIGMATCH_NOOPT,
+        AppLayerTxMatch: None,
+        Free: None,
+    };
+    let _g_sip_request_line_kw_id = DetectHelperKeywordRegister(&kw);
+    G_SIP_REQUEST_LINE_BUFFER_ID = DetectHelperBufferMpmRegister(
+        b"sip.request_line\0".as_ptr() as *const libc::c_char,
+        b"sip.request_line\0".as_ptr() as *const libc::c_char,
+        ALPROTO_SIP,
+        false,
+        true,
+        sip_request_line_get,
+    );
+    let kw = SCSigTableElmt {
+        name: b"sip.response_line\0".as_ptr() as *const libc::c_char,
+        desc: b"sticky buffer to match on the SIP response line\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/sip-keywords.html#sip-response-line\0".as_ptr() as *const libc::c_char,
+        Setup: sip_response_line_setup,
+        flags: SIGMATCH_NOOPT,
+        AppLayerTxMatch: None,
+        Free: None,
+    };
+    let _g_sip_response_line_kw_id = DetectHelperKeywordRegister(&kw);
+    G_SIP_RESPONSE_LINE_BUFFER_ID = DetectHelperBufferMpmRegister(
+        b"sip.response_line\0".as_ptr() as *const libc::c_char,
+        b"sip.response_line\0".as_ptr() as *const libc::c_char,
+        ALPROTO_SIP,
+        true,
+        false,
+        sip_response_line_get,
+    );
 }
diff --git a/rust/src/sip/sip.rs b/rust/src/sip/sip.rs
index 38f76fb277..1a73d4e46a 100755
--- a/rust/src/sip/sip.rs
+++ b/rust/src/sip/sip.rs
@@ -435,7 +435,7 @@ pub extern "C" fn rs_sip_tx_get_alstate_progress(
     1
 }
 
-static mut ALPROTO_SIP: AppProto = ALPROTO_UNKNOWN;
+pub static mut ALPROTO_SIP: AppProto = ALPROTO_UNKNOWN;
 
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_parse_request(
diff --git a/src/Makefile.am b/src/Makefile.am
index 148821ea2b..25cc7a6d4e 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -262,11 +262,6 @@ noinst_HEADERS = \
 	detect-sameip.h \
 	detect-sid.h \
 	detect-sip-method.h \
-	detect-sip-protocol.h \
-	detect-sip-request-line.h \
-	detect-sip-response-line.h \
-	detect-sip-stat-code.h \
-	detect-sip-stat-msg.h \
 	detect-sip-uri.h \
 	detect-smb-ntlmssp.h \
 	detect-smb-share.h \
@@ -841,11 +836,6 @@ libsuricata_c_a_SOURCES = \
 	detect-sameip.c \
 	detect-sid.c \
 	detect-sip-method.c \
-	detect-sip-protocol.c \
-	detect-sip-request-line.c \
-	detect-sip-response-line.c \
-	detect-sip-stat-code.c \
-	detect-sip-stat-msg.c \
 	detect-sip-uri.c \
 	detect-smb-ntlmssp.c \
 	detect-smb-share.c \
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
index bbf8b916ae..794f680dd4 100644
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
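Review bot: Every `SCSigTableElmt` in `ScDetectSipRegister` sets `flags: SIGMATCH_NOOPT` only, although the import block at the top of the file also brings in `SIGMATCH_INFO_STICKY_BUFFER` and each `desc` describes the keyword as a sticky buffer; if the helper registration relies on that flag, as the import suggests was intended, the line should read `flags: SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER`, otherwise the unused import should go. The sip.stat_code keyword is now registered against a buffer named `b"sip.stat_code\0"`, whereas the deleted detect-sip-stat-code.c defined `BUFFER_NAME "sip.method"` and looked its buffer id up under that name, so this port silently corrects which buffer the keyword binds to; that behaviour change deserves a sentence in the commit message. All five `_get_data` functions drop `*buffer = ptr::null();` on the miss path but still write `*buffer_len = 0;`, which is only safe if `DetectHelperGetData` never reads the out-parameters after a `false` return — a comment such as `// caller ignores buffer/buffer_len when false is returned` would record that contract. The paired bare `true`/`false` arguments to each `DetectHelperBufferMpmRegister` call are opaque at the call site; a trailing comment naming the direction each selects would help readers.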
@@ -203,11 +203,6 @@
 #include "detect-krb5-ticket-encryption.h"
 #include "detect-sip-method.h"
 #include "detect-sip-uri.h"
-#include "detect-sip-protocol.h"
-#include "detect-sip-stat-code.h"
-#include "detect-sip-stat-msg.h"
-#include "detect-sip-request-line.h"
-#include "detect-sip-response-line.h"
 #include "detect-target.h"
 #include "detect-template-rust-buffer.h"
 #include "detect-quic-sni.h"
@@ -664,11 +659,6 @@ void SigTableSetup(void)
     DetectKrb5TicketEncryptionRegister();
     DetectSipMethodRegister();
     DetectSipUriRegister();
-    DetectSipProtocolRegister();
-    DetectSipStatCodeRegister();
-    DetectSipStatMsgRegister();
-    DetectSipRequestLineRegister();
-    DetectSipResponseLineRegister();
     DetectTargetRegister();
     DetectTemplateRustBufferRegister();
     DetectQuicSniRegister();
@@ -704,6 +694,7 @@ void SigTableSetup(void)
     ScDetectEnipRegister();
     ScDetectMqttRegister();
     ScDetectRfbRegister();
+    ScDetectSipRegister();
 
     /* close keyword registration */
     DetectBufferTypeCloseRegistration();
diff --git a/src/detect-sip-protocol.c b/src/detect-sip-protocol.c
deleted file mode 100644
index 069d707771..0000000000
--- a/src/detect-sip-protocol.c
+++ /dev/null
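Review bot: `ScDetectSipRegister();` replaces the five `DetectSip*Register()` calls, but the `DETECT_AL_SIP_PROTOCOL`, `DETECT_AL_SIP_STAT_CODE`, `DETECT_AL_SIP_STAT_MSG`, `DETECT_AL_SIP_REQUEST_LINE` and `DETECT_AL_SIP_RESPONSE_LINE` ids that the deleted C files used to index `sigmatch_table` are not touched anywhere in this diff; if they remain in the keyword enum they become unregistered slots in the table, so removing them (or stating why they stay) belongs with this change. The C-side prototype for `ScDetectSipRegister` is presumably provided by the generated Rust bindings, which this diff does not show; that is fine as long as the `#[no_mangle]` export is picked up by the bindings build.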
@@ -1,116 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * - * \author Giuseppe Longo - * - * Implements sip.protocol sticky buffer - * - */ - -#include "suricata-common.h" -#include "threads.h" -#include "decode.h" -#include "detect.h" - -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-mpm.h" -#include "detect-engine-prefilter.h" -#include "detect-engine-content-inspection.h" -#include "detect-content.h" -#include "detect-pcre.h" - -#include "flow.h" -#include "flow-var.h" -#include "flow-util.h" - -#include "util-debug.h" -#include "util-unittest.h" -#include "util-unittest-helper.h" -#include "util-spm.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "detect-sip-protocol.h" -#include "stream-tcp.h" - -#include "rust.h" - -#define KEYWORD_NAME "sip.protocol" -#define KEYWORD_DOC "sip-keywords.html#sip-protocol" -#define BUFFER_NAME "sip.protocol" -#define BUFFER_DESC "sip protocol" -static int g_buffer_id = 0; - -static int DetectSipProtocolSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) -{ - if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0) - return -1; - - if (DetectSignatureSetAppProto(s, ALPROTO_SIP) < 0) - return -1; - - return 0; -} - -static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, 
- const DetectEngineTransforms *transforms, Flow *_f, - const uint8_t flow_flags, void *txv, const int list_id) -{ - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - const uint8_t *b = NULL; - uint32_t b_len = 0; - - if (rs_sip_tx_get_protocol(txv, &b, &b_len, flow_flags) != 1) - return NULL; - if (b == NULL || b_len == 0) - return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); - } - - return buffer; -} - -void DetectSipProtocolRegister(void) -{ - /* sip.protocol sticky buffer */ - sigmatch_table[DETECT_AL_SIP_PROTOCOL].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SIP_PROTOCOL].desc = "sticky buffer to match on the SIP protocol"; - sigmatch_table[DETECT_AL_SIP_PROTOCOL].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SIP_PROTOCOL].Setup = DetectSipProtocolSetup; - sigmatch_table[DETECT_AL_SIP_PROTOCOL].flags |= SIGMATCH_NOOPT; - - DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_SIP, 1); - DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_SIP, 1); - DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOSERVER, 1, - DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOCLIENT, 1, - DetectEngineInspectBufferGeneric, GetData); - - DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); - - g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); - - SCLogDebug("registering " BUFFER_NAME " rule option"); -} diff --git a/src/detect-sip-protocol.h b/src/detect-sip-protocol.h deleted file mode 100644 index e4ac75be80..0000000000 --- a/src/detect-sip-protocol.h +++ /dev/null 
@@ -1,29 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Giuseppe Longo - */ - -#ifndef SURICATA_DETECT_SIP_PROTOCOL_H -#define SURICATA_DETECT_SIP_PROTOCOL_H - -void DetectSipProtocolRegister(void); - -#endif /* SURICATA_DETECT_SIP_PROTOCOL_H */ diff --git a/src/detect-sip-request-line.c b/src/detect-sip-request-line.c deleted file mode 100644 index 23ce659d3f..0000000000 --- a/src/detect-sip-request-line.c +++ /dev/null 
@@ -1,113 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * - * \author Giuseppe Longo - * - * Implements the sip.request_line sticky buffer - */ - -#include "suricata-common.h" -#include "threads.h" -#include "decode.h" -#include "detect.h" - -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-mpm.h" -#include "detect-engine-prefilter.h" -#include "detect-content.h" -#include "detect-pcre.h" -#include "detect-urilen.h" - -#include "flow.h" -#include "flow-var.h" -#include "flow-util.h" - -#include "util-debug.h" -#include "util-unittest.h" -#include "util-unittest-helper.h" -#include "util-spm.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "detect-sip-request-line.h" -#include "stream-tcp.h" - -#include "rust.h" - -#define KEYWORD_NAME "sip.request_line" -#define KEYWORD_DOC "sip-keywords.html#sip-request-line" -#define BUFFER_NAME "sip.request_line" -#define BUFFER_DESC "sip request line" -static int g_buffer_id = 0; - -static int DetectSipRequestLineSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) -{ - if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0) - return -1; - - if (DetectSignatureSetAppProto(s, ALPROTO_SIP) < 0) - return -1; - - return 0; -} - -static InspectionBuffer *GetData(DetectEngineThreadCtx 
*det_ctx, - const DetectEngineTransforms *transforms, - Flow *_f, const uint8_t _flow_flags, - void *txv, const int list_id) -{ - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - const uint8_t *b = NULL; - uint32_t b_len = 0; - - if (rs_sip_tx_get_request_line(txv, &b, &b_len) != 1) - return NULL; - if (b == NULL || b_len == 0) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); - } - return buffer; -} - -void DetectSipRequestLineRegister(void) -{ - /* sip.request_line sticky buffer */ - sigmatch_table[DETECT_AL_SIP_REQUEST_LINE].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SIP_REQUEST_LINE].desc = "sticky buffer to match on the SIP request line"; - sigmatch_table[DETECT_AL_SIP_REQUEST_LINE].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SIP_REQUEST_LINE].Setup = DetectSipRequestLineSetup; - sigmatch_table[DETECT_AL_SIP_REQUEST_LINE].flags |= SIGMATCH_NOOPT; - - DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOSERVER, 0, - DetectEngineInspectBufferGeneric, GetData); - - DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_SIP, 1); - - DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); - - g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); - - SCLogDebug("registering " BUFFER_NAME " rule option"); -} diff --git a/src/detect-sip-request-line.h b/src/detect-sip-request-line.h deleted file mode 100644 index 01e2438520..0000000000 --- a/src/detect-sip-request-line.h +++ /dev/null 
@@ -1,29 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Giuseppe Longo - */ - -#ifndef SURICATA_DETECT_SIP_REQUEST_LINE_H -#define SURICATA_DETECT_SIP_REQUEST_LINE_H - -void DetectSipRequestLineRegister(void); - -#endif /* SURICATA_DETECT_SIP_REQUEST_LINE_H */ diff --git a/src/detect-sip-response-line.c b/src/detect-sip-response-line.c deleted file mode 100644 index a98a6c7d7c..0000000000 --- a/src/detect-sip-response-line.c +++ /dev/null 
@@ -1,113 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * - * \author Giuseppe Longo - * - * Implements the sip.response_line sticky buffer - */ - -#include "suricata-common.h" -#include "threads.h" -#include "decode.h" -#include "detect.h" - -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-mpm.h" -#include "detect-engine-prefilter.h" -#include "detect-content.h" -#include "detect-pcre.h" -#include "detect-urilen.h" - -#include "flow.h" -#include "flow-var.h" -#include "flow-util.h" - -#include "util-debug.h" -#include "util-unittest.h" -#include "util-unittest-helper.h" -#include "util-spm.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "detect-sip-response-line.h" -#include "stream-tcp.h" - -#include "rust.h" - -#define KEYWORD_NAME "sip.response_line" -#define KEYWORD_DOC "sip-keywords.html#sip-response-line" -#define BUFFER_NAME "sip.response_line" -#define BUFFER_DESC "sip response line" -static int g_buffer_id = 0; - -static int DetectSipResponseLineSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) -{ - if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0) - return -1; - - if (DetectSignatureSetAppProto(s, ALPROTO_SIP) < 0) - return -1; - - return 0; -} - -static InspectionBuffer 
*GetData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, - Flow *_f, const uint8_t _flow_flags, - void *txv, const int list_id) -{ - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - const uint8_t *b = NULL; - uint32_t b_len = 0; - - if (rs_sip_tx_get_response_line(txv, &b, &b_len) != 1) - return NULL; - if (b == NULL || b_len == 0) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); - } - return buffer; -} - -void DetectSipResponseLineRegister(void) -{ - /* sip.response_line sticky buffer */ - sigmatch_table[DETECT_AL_SIP_RESPONSE_LINE].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SIP_RESPONSE_LINE].desc = "sticky buffer to match on the SIP response line"; - sigmatch_table[DETECT_AL_SIP_RESPONSE_LINE].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SIP_RESPONSE_LINE].Setup = DetectSipResponseLineSetup; - sigmatch_table[DETECT_AL_SIP_RESPONSE_LINE].flags |= SIGMATCH_NOOPT; - - DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOCLIENT, 0, - DetectEngineInspectBufferGeneric, GetData); - - DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_SIP, 1); - - DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); - - g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); - - SCLogDebug("registering " BUFFER_NAME " rule option"); -} diff --git a/src/detect-sip-response-line.h b/src/detect-sip-response-line.h deleted file mode 100644 index 8541140021..0000000000 --- a/src/detect-sip-response-line.h +++ /dev/null 
@@ -1,29 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Giuseppe Longo - */ - -#ifndef SURICATA_DETECT_SIP_RESPONSE_LINE_H -#define SURICATA_DETECT_SIP_RESPONSE_LINE_H - -void DetectSipResponseLineRegister(void); - -#endif /* SURICATA_DETECT_SIP_RESPONSE_LINE_H */ diff --git a/src/detect-sip-stat-code.c b/src/detect-sip-stat-code.c deleted file mode 100644 index 965a697366..0000000000 --- a/src/detect-sip-stat-code.c +++ /dev/null 
@@ -1,116 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * - * \author Giuseppe Longo - * - * Implements the sip.stat_code sticky buffer - * - */ - -#include "suricata-common.h" -#include "threads.h" -#include "decode.h" -#include "detect.h" - -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-mpm.h" -#include "detect-engine-prefilter.h" -#include "detect-content.h" -#include "detect-pcre.h" -#include "detect-urilen.h" - -#include "flow.h" -#include "flow-var.h" -#include "flow-util.h" - -#include "util-debug.h" -#include "util-unittest.h" -#include "util-unittest-helper.h" -#include "util-spm.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "detect-sip-stat-code.h" -#include "stream-tcp.h" - -#include "rust.h" - -#define KEYWORD_NAME "sip.stat_code" -#define KEYWORD_DOC "sip-keywords.html#sip-stat-code" -#define BUFFER_NAME "sip.method" -#define BUFFER_DESC "sip response status code" -static int g_buffer_id = 0; - -static int DetectSipStatCodeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) -{ - if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0) - return -1; - - if (DetectSignatureSetAppProto(s, ALPROTO_SIP) < 0) - return -1; - - return 0; -} - -static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, - 
const DetectEngineTransforms *transforms, Flow *_f, - const uint8_t _flow_flags, void *txv, const int list_id) -{ - SCEnter(); - - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - const uint8_t *b = NULL; - uint32_t b_len = 0; - - if (rs_sip_tx_get_stat_code(txv, &b, &b_len) != 1) - return NULL; - if (b == NULL || b_len == 0) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); - } - - return buffer; -} - -void DetectSipStatCodeRegister (void) -{ - /* sip.stat_code sticky buffer */ - sigmatch_table[DETECT_AL_SIP_STAT_CODE].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SIP_STAT_CODE].desc = "sticky buffer to match on the SIP status code"; - sigmatch_table[DETECT_AL_SIP_STAT_CODE].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SIP_STAT_CODE].Setup = DetectSipStatCodeSetup; - sigmatch_table[DETECT_AL_SIP_STAT_CODE].flags |= SIGMATCH_NOOPT; - - DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOCLIENT, 1, - DetectEngineInspectBufferGeneric, GetData); - - DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 4, PrefilterGenericMpmRegister, - GetData, ALPROTO_SIP, 1); - - DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); - - g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); - - SCLogDebug("registering " BUFFER_NAME " rule option"); -} diff --git a/src/detect-sip-stat-code.h b/src/detect-sip-stat-code.h deleted file mode 100644 index 31cacdaa7a..0000000000 --- a/src/detect-sip-stat-code.h +++ /dev/null 
@@ -1,29 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Giuseppe Longo - */ - -#ifndef SURICATA_DETECT_SIP_STAT_CODE_H -#define SURICATA_DETECT_SIP_STAT_CODE_H - -void DetectSipStatCodeRegister(void); - -#endif /* SURICATA_DETECT_SIP_STAT_CODE_H */ diff --git a/src/detect-sip-stat-msg.c b/src/detect-sip-stat-msg.c deleted file mode 100644 index abcf803c6c..0000000000 --- a/src/detect-sip-stat-msg.c +++ /dev/null 
@@ -1,116 +0,0 @@
-/* Copyright (C) 2019 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- *
- * \author Giuseppe Longo
- *
- * Implements the sip.stat_msg sticky buffer
- *
- */
-
-#include "suricata-common.h"
-#include "threads.h"
-#include "decode.h"
-#include "detect.h"
-
-#include "detect-parse.h"
-#include "detect-engine.h"
-#include "detect-engine-mpm.h"
-#include "detect-engine-prefilter.h"
-#include "detect-content.h"
-#include "detect-pcre.h"
-#include "detect-urilen.h"
-
-#include "flow.h"
-#include "flow-var.h"
-#include "flow-util.h"
-
-#include "util-debug.h"
-#include "util-unittest.h"
-#include "util-unittest-helper.h"
-#include "util-spm.h"
-
-#include "app-layer.h"
-#include "app-layer-parser.h"
-
-#include "detect-sip-stat-msg.h"
-#include "stream-tcp.h"
-
-#include "rust.h"
-
-#define KEYWORD_NAME "sip.stat_msg"
-#define KEYWORD_DOC "sip-keywords.html#sip-stat-msg"
-#define BUFFER_NAME "sip.stat_msg"
-#define BUFFER_DESC "sip response status message"
-static int g_buffer_id = 0;
-
-static int DetectSipStatMsgSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
-{
- if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0)
- return -1;
-
- if (DetectSignatureSetAppProto(s, ALPROTO_SIP) < 0)
- return -1;
-
- return 0;
-}
-
-static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
-
const DetectEngineTransforms *transforms, Flow *_f,
- const uint8_t _flow_flags, void *txv, const int list_id)
-{
- SCEnter();
-
- InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
- if (buffer->inspect == NULL) {
- const uint8_t *b = NULL;
- uint32_t b_len = 0;
-
- if (rs_sip_tx_get_stat_msg(txv, &b, &b_len) != 1)
- return NULL;
- if (b == NULL || b_len == 0)
- return NULL;
-
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(buffer, transforms);
- }
-
- return buffer;
-}
-
-void DetectSipStatMsgRegister (void)
-{
- /* sip.stat_msg sticky buffer */
- sigmatch_table[DETECT_AL_SIP_STAT_MSG].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_SIP_STAT_MSG].desc = "sticky buffer to match on the SIP status message";
- sigmatch_table[DETECT_AL_SIP_STAT_MSG].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_SIP_STAT_MSG].Setup = DetectSipStatMsgSetup;
- sigmatch_table[DETECT_AL_SIP_STAT_MSG].flags |= SIGMATCH_NOOPT;
-
- DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOCLIENT, 1,
- DetectEngineInspectBufferGeneric, GetData);
-
- DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 3, PrefilterGenericMpmRegister,
- GetData, ALPROTO_SIP, 1);
-
- DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
-
- g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
-
- SCLogDebug("registering " BUFFER_NAME " rule option");
-}
diff --git a/src/detect-sip-stat-msg.h b/src/detect-sip-stat-msg.h
deleted file mode 100644
index 9d35fb3733..0000000000
--- a/src/detect-sip-stat-msg.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (C) 2019 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Giuseppe Longo
- */
-
-#ifndef SURICATA_DETECT_SIP_STAT_MSG_H
-#define SURICATA_DETECT_SIP_STAT_MSG_H
-
-void DetectSipStatMsgRegister(void);
-
-#endif /* SURICATA_DETECT_SIP_STAT_MSG_H */