aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '05bca0b6fb'
${ noResults }
suricata/src/detect-engine-enip.c

284 lines
8.7 KiB
C
Raw Blame History

/* Copyright (C) 2015-2022 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/** \file
*
* \author Kevin Wong <kwong@solananetworks.com>
*
* Based on detect-engine-modbus.c
*/
#include "suricata-common.h"
#include "app-layer.h"
#include "detect.h"
#include "detect-cipservice.h"
#include "detect-engine-enip.h"
#include "flow.h"
#include "util-debug.h"
#if 0
/**
* \brief Print fields from ENIP Packet
* @param enip_data
*/
void PrintENIPAL(ENIPTransaction *enip_data)
{
SCLogDebug("============================================");
SCLogDebug("ENCAP HEADER cmd 0x%x, length %d, session 0x%x, status 0x%x",
enip_data->header.command, enip_data->header.length,
enip_data->header.session, enip_data->header.status);
//SCLogDebug("context 0x%x option 0x%x", enip_data->header.context, enip_data->header.option);
SCLogDebug("ENCAP DATA HEADER handle 0x%x, timeout %d, count %d",
enip_data->encap_data_header.interface_handle,
enip_data->encap_data_header.timeout,
enip_data->encap_data_header.item_count);
SCLogDebug("ENCAP ADDR ITEM type 0x%x, length %d",
enip_data->encap_addr_item.type, enip_data->encap_addr_item.length);
SCLogDebug("ENCAP DATA ITEM type 0x%x, length %d sequence 0x%x",
enip_data->encap_data_item.type, enip_data->encap_data_item.length,
enip_data->encap_data_item.sequence_count);
CIPServiceEntry *svc = NULL;
int count = 0;
TAILQ_FOREACH(svc, &enip_data->service_list, next)
{
//SCLogDebug("CIP Service #%d : 0x%x", count, svc->service);
count++;
}
}
#endif
/**
* \brief Matches the rule to the CIP segment in ENIP Packet
* @param svc - the CIP service entry
* * @param cipserviced - the CIP service rule
*/
static int CIPPathMatch(CIPServiceEntry *svc, DetectCipServiceData *cipserviced)
{
uint16_t class = 0;
uint16_t attrib = 0;
int found_class = 0;
SegmentEntry *seg = NULL;
TAILQ_FOREACH(seg, &svc->segment_list, next)
{
switch(seg->segment)
{
case PATH_CLASS_8BIT:
class = seg->value;
if (cipserviced->cipclass == class)
{
if (cipserviced->tokens == 2)
{// if rule only has class
return 1;
} else
{
found_class = 1;
}
}
break;
case PATH_INSTANCE_8BIT:
break;
case PATH_ATTR_8BIT: //single attribute
attrib = seg->value;
if ((cipserviced->tokens == 3) &&
(cipserviced->cipclass == class) &&
(cipserviced->cipattribute == attrib) &&
(cipserviced->matchattribute == 1))
{ // if rule has class & attribute, matched all here
return 1;
}
if ((cipserviced->tokens == 3) &&
(cipserviced->cipclass == class) &&
(cipserviced->matchattribute == 0))
{ // for negation rule on attribute
return 1;
}
break;
case PATH_CLASS_16BIT:
class = seg->value;
if (cipserviced->cipclass == class)
{
if (cipserviced->tokens == 2)
{// if rule only has class
return 1;
} else
{
found_class = 1;
}
}
break;
case PATH_INSTANCE_16BIT:
break;
default:
return 0;
}
}
if (found_class == 0)
{ // if haven't matched class yet, no need to check attribute
return 0;
}
if ((svc->service == CIP_SET_ATTR_LIST) ||
(svc->service == CIP_GET_ATTR_LIST))
{
AttributeEntry *attr = NULL;
TAILQ_FOREACH (attr, &svc->attrib_list, next)
{
if (cipserviced->cipattribute == attr->attribute)
{
return 1;
}
}
}
return 0;
}
/**
* \brief Matches the rule to the ENIP Transaction
* @param enip_data - the ENIP transation
* * @param cipserviced - the CIP service rule
*/
static int CIPServiceMatch(ENIPTransaction *enip_data,
DetectCipServiceData *cipserviced)
{
int count = 1;
CIPServiceEntry *svc = NULL;
//SCLogDebug("CIPServiceMatchAL");
TAILQ_FOREACH(svc, &enip_data->service_list, next)
{
SCLogDebug("CIPServiceMatchAL service #%d : 0x%x dir %d",
count, svc->service, svc->direction);
if (cipserviced->cipservice == svc->service)
{ // compare service
//SCLogDebug("Rule Match for cip service %d",cipserviced->cipservice );
if (cipserviced->tokens > 1)
{ //if rule params have class and attribute
if ((svc->service == CIP_SET_ATTR_LIST) || (svc->service
== CIP_SET_ATTR_SINGLE) || (svc->service
== CIP_GET_ATTR_LIST) || (svc->service
== CIP_GET_ATTR_SINGLE))
{ //decode path
if (CIPPathMatch(svc, cipserviced) == 1)
{
if (svc->direction == 1) return 0; //don't match responses
return 1;
}
}
} else
{
if (svc->direction == 1) return 0; //don't match responses
// SCLogDebug("CIPServiceMatchAL found");
return 1;
}
}
count++;
}
return 0;
}
/** \brief Do the content inspection & validation for a signature
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect ( and sm: SigMatch to inspect)
* \param f Flow
* \param flags App layer flags
* \param alstate App layer state
* \param txv Pointer to ENIP Transaction structure
*
* \retval 0 no match or 1 match
*/
int DetectEngineInspectCIP(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
{
SCEnter();
ENIPTransaction *tx = (ENIPTransaction *) txv;
DetectCipServiceData *cipserviced = (DetectCipServiceData *)engine->smd->ctx;
if (cipserviced == NULL)
{
SCLogDebug("no cipservice state, no match");
SCReturnInt(0);
}
//SCLogDebug("DetectEngineInspectCIP %d", cipserviced->cipservice);
if (CIPServiceMatch(tx, cipserviced) == 1)
{
//SCLogDebug("DetectCIPServiceMatchAL found");
SCReturnInt(1);
}
SCReturnInt(0);
}
/** \brief Do the content inspection & validation for a signature
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect ( and sm: SigMatch to inspect)
* \param f Flow
* \param flags App layer flags
* \param alstate App layer state
* \param txv Pointer to ENIP Transaction structure
*
* \retval 0 no match or 1 match
*/
int DetectEngineInspectENIP(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
{
SCEnter();
ENIPTransaction *tx = (ENIPTransaction *) txv;
DetectEnipCommandData *enipcmdd = (DetectEnipCommandData *)engine->smd->ctx;
if (enipcmdd == NULL)
{
SCLogDebug("no enipcommand state, no match");
SCReturnInt(0);
}
//SCLogDebug("DetectEngineInspectENIP %d, %d", enipcmdd->enipcommand, tx->header.command);
if (enipcmdd->enipcommand == tx->header.command)
{
// SCLogDebug("DetectENIPCommandMatchAL found!");
SCReturnInt(1);
}
SCReturnInt(0);
}
Reference in New Issue View Git Blame Copy Permalink