aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
main-8.0.x
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '096ba42ce9'
${ noResults }
suricata/rust/src/detect/uint.rs

934 lines
28 KiB
Rust
Raw Blame History

/* Copyright (C) 2022 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
use nom7::branch::alt;
use nom7::bytes::complete::{is_a, tag, tag_no_case, take_while};
use nom7::character::complete::{char, digit1, hex_digit1, i32 as nom_i32};
use nom7::combinator::{all_consuming, map_opt, opt, value, verify};
use nom7::error::{make_error, Error, ErrorKind};
use nom7::multi::many1;
use nom7::Err;
use nom7::IResult;
use super::EnumString;
use std::ffi::{c_int, c_void, CStr};
#[derive(PartialEq, Eq, Clone, Debug)]
#[repr(u8)]
pub enum DetectUintMode {
DetectUintModeEqual,
DetectUintModeLt,
DetectUintModeLte,
DetectUintModeGt,
DetectUintModeGte,
DetectUintModeRange,
DetectUintModeNe,
DetectUintModeNegRg,
DetectUintModeBitmask,
DetectUintModeNegBitmask,
}
#[derive(Debug, PartialEq)]
#[repr(C)]
pub struct DetectUintData<T> {
pub arg1: T,
pub arg2: T,
pub mode: DetectUintMode,
}
#[derive(Debug, PartialEq)]
pub enum DetectUintIndex {
Any,
All,
All1,
OrAbsent,
Index((bool, i32)),
NumberMatches(DetectUintData<u32>),
}
#[derive(Debug, PartialEq)]
pub struct DetectUintArrayData<T> {
pub du: DetectUintData<T>,
pub index: DetectUintIndex,
// subslice
pub start: i32,
pub end: i32,
}
fn parse_uint_index_precise(s: &str) -> IResult<&str, DetectUintIndex> {
let (s, oob) = opt(tag("oob_or"))(s)?;
let (s, _) = opt(is_a(" "))(s)?;
let (s, i32_index) = nom_i32(s)?;
Ok((s, DetectUintIndex::Index((oob.is_some(), i32_index))))
}
fn parse_uint_index_nb(s: &str) -> IResult<&str, DetectUintIndex> {
let (s, _) = tag("nb")(s)?;
let (s, _) = opt(is_a(" "))(s)?;
let (s, du32) = detect_parse_uint::<u32>(s)?;
Ok((s, DetectUintIndex::NumberMatches(du32)))
}
fn parse_uint_index_val(s: &str) -> Option<DetectUintIndex> {
let (_s, arg1) = alt((parse_uint_index_precise, parse_uint_index_nb))(s).ok()?;
Some(arg1)
}
fn parse_uint_subslice_aux(s: &str) -> IResult<&str, (i32, i32)> {
let (s, start) = nom_i32(s)?;
let (s, _) = char(':')(s)?;
let (s, end) = nom_i32(s)?;
return Ok((s, (start, end)));
}
fn parse_uint_subslice(parts: &[&str]) -> Option<(i32, i32)> {
if parts.len() < 3 {
return Some((0, 0));
}
let (_, (start, end)) = parse_uint_subslice_aux(parts[2]).ok()?;
if start > 0 && end > 0 && end <= start {
SCLogError!("subslice must end after start {} {}", start, end);
return None;
}
if start < 0 && end < 0 && end <= start {
SCLogError!("subslice must end after start {} {}", start, end);
return None;
}
return Some((start, end));
}
fn parse_uint_index(parts: &[&str]) -> Option<DetectUintIndex> {
let index = if parts.len() >= 2 {
match parts[1] {
"all" => DetectUintIndex::All,
"all1" => DetectUintIndex::All1,
"any" => DetectUintIndex::Any,
"or_absent" => DetectUintIndex::OrAbsent,
// not only a literal, but some numeric value
_ => return parse_uint_index_val(parts[1]),
}
} else {
DetectUintIndex::Any
};
return Some(index);
}
pub(crate) fn detect_parse_array_uint<T: DetectIntType>(s: &str) -> Option<DetectUintArrayData<T>> {
let parts: Vec<&str> = s.split(',').collect();
if parts.len() > 3 {
SCLogError!("Too many comma-separated parts in multi-integer");
return None;
}
let index = parse_uint_index(&parts)?;
let (_, du) = detect_parse_uint::<T>(parts[0]).ok()?;
let (start, end) = parse_uint_subslice(&parts)?;
Some(DetectUintArrayData {
du,
index,
start,
end,
})
}
pub(crate) fn detect_parse_array_uint_enum<T1: DetectIntType, T2: EnumString<T1>>(
s: &str,
) -> Option<DetectUintArrayData<T1>> {
let parts: Vec<&str> = s.split(',').collect();
if parts.len() > 3 {
SCLogError!("Too many comma-separated parts in multi-integer");
return None;
}
let index = parse_uint_index(&parts)?;
let du = detect_parse_uint_enum::<T1, T2>(parts[0])?;
let (start, end) = parse_uint_subslice(&parts)?;
Some(DetectUintArrayData {
du,
index,
start,
end,
})
}
pub(crate) fn detect_uint_match_at_index<T, U: DetectIntType>(
array: &[T], ctx: &DetectUintArrayData<U>, get_value: impl Fn(&T) -> Option<U>, eof: bool,
) -> c_int {
let start = if ctx.start >= 0 {
ctx.start as usize
} else {
((array.len() as i32) + ctx.start) as usize
};
let end = if ctx.end > 0 {
ctx.end as usize
} else {
((array.len() as i32) + ctx.end) as usize
};
let subslice = if end > array.len() || start >= end {
&array[..0]
} else {
&array[start..end]
};
match &ctx.index {
DetectUintIndex::Any => {
for response in subslice {
if let Some(code) = get_value(response) {
if detect_match_uint::<U>(&ctx.du, code) {
return 1;
}
}
}
return 0;
}
DetectUintIndex::OrAbsent => {
let mut has_elem = false;
for response in subslice {
if let Some(code) = get_value(response) {
if detect_match_uint::<U>(&ctx.du, code) {
return 1;
}
has_elem = true;
}
}
if !has_elem && eof {
return 1;
}
return 0;
}
DetectUintIndex::NumberMatches(du32) => {
if !eof {
match du32.mode {
DetectUintMode::DetectUintModeGt | DetectUintMode::DetectUintModeGte => {}
_ => {
return 0;
}
}
}
let mut nb = 0u32;
for response in subslice {
if let Some(code) = get_value(response) {
if detect_match_uint::<U>(&ctx.du, code) {
nb += 1;
}
}
}
if detect_match_uint(du32, nb) {
return 1;
}
return 0;
}
DetectUintIndex::All => {
if !eof {
return 0;
}
for response in subslice {
if let Some(code) = get_value(response) {
if !detect_match_uint::<U>(&ctx.du, code) {
return 0;
}
}
}
return 1;
}
DetectUintIndex::All1 => {
if !eof {
return 0;
}
let mut has_elem = false;
for response in subslice {
if let Some(code) = get_value(response) {
if !detect_match_uint::<U>(&ctx.du, code) {
return 0;
}
has_elem = true;
}
}
if has_elem {
return 1;
}
return 0;
}
DetectUintIndex::Index((oob, idx)) => {
let index = if *idx < 0 {
// negative values for backward indexing.
((subslice.len() as i32) + idx) as usize
} else {
*idx as usize
};
if subslice.len() <= index {
if *oob && eof {
return 1;
}
return 0;
}
if let Some(code) = get_value(&subslice[index]) {
return detect_match_uint::<U>(&ctx.du, code) as c_int;
}
return 0;
}
}
}
#[derive(Debug, PartialEq)]
struct FlagItem<T> {
value: T,
neg: bool,
}
fn parse_flag_list_item<T1: DetectIntType, T2: EnumString<T1>>(
s: &str,
) -> IResult<&str, FlagItem<T1>> {
let (s, _) = opt(is_a(" "))(s)?;
let (s, neg) = opt(tag("!"))(s)?;
let neg = neg.is_some();
let (s, vals) = take_while(|c| c != ' ' && c != ',')(s)?;
let value = T2::from_str(vals);
if value.is_none() {
SCLogError!("Bitflag unexpected value {}", vals);
return Err(Err::Error(make_error(s, ErrorKind::Switch)));
}
let value = value.unwrap().into_u();
let (s, _) = opt(is_a(" ,"))(s)?;
Ok((s, FlagItem { neg, value }))
}
fn parse_flag_list<T1: DetectIntType, T2: EnumString<T1>>(
s: &str,
) -> IResult<&str, Vec<FlagItem<T1>>> {
return many1(parse_flag_list_item::<T1, T2>)(s);
}
pub fn detect_parse_uint_bitflags<T1: DetectIntType, T2: EnumString<T1>>(
s: &str,
) -> Option<DetectUintData<T1>> {
if let Ok((_, ctx)) = detect_parse_uint::<T1>(s) {
return Some(ctx);
}
// otherwise, try strings for bitmask
if let Ok((rem, l)) = parse_flag_list::<T1, T2>(s) {
if !rem.is_empty() {
SCLogError!("junk at the end of bitflags");
return None;
}
let mut arg1 = T1::min_value();
let mut arg2 = T1::min_value();
for elem in l.iter() {
if elem.value & arg1 != T1::min_value() {
SCLogError!(
"Repeated bitflag for {}",
T2::from_u(elem.value).unwrap().to_str()
);
return None;
}
arg1 |= elem.value;
if !elem.neg {
arg2 |= elem.value;
}
}
let ctx = DetectUintData::<T1> {
arg1,
arg2,
mode: DetectUintMode::DetectUintModeBitmask,
};
return Some(ctx);
}
return None;
}
/// Parses a string for detection with integers, using enumeration strings
///
/// Needs to specify T1 the integer type (like u8)
/// And the Enumeration for the stringer.
/// Will try to parse numerical value first, as any integer detection keyword
/// And if this fails, will resort to using the enumeration strings.
///
/// Returns Some DetectUintData on success, None on failure
pub fn detect_parse_uint_enum<T1: DetectIntType, T2: EnumString<T1>>(
s: &str,
) -> Option<DetectUintData<T1>> {
if let Ok((_, ctx)) = detect_parse_uint::<T1>(s) {
return Some(ctx);
}
// we need to precise the Error type, we get error[E0283]: type annotations needed
let (s, neg) = opt(char::<_, Error<_>>('!'))(s).ok()?;
let mode = if neg.is_some() {
DetectUintMode::DetectUintModeNe
} else {
DetectUintMode::DetectUintModeEqual
};
if let Some(enum_val) = T2::from_str(s) {
let ctx = DetectUintData::<T1> {
arg1: enum_val.into_u(),
arg2: T1::min_value(),
mode,
};
return Some(ctx);
}
SCLogError!("Unexpected value for enumeration integer: {}", s);
return None;
}
pub trait DetectIntType:
std::str::FromStr
+ std::cmp::PartialOrd
+ std::ops::BitOrAssign
+ num::PrimInt
+ num::Bounded
+ num::ToPrimitive
+ num::FromPrimitive
{
}
impl<T> DetectIntType for T where
T: std::str::FromStr
+ std::cmp::PartialOrd
+ std::ops::BitOrAssign
+ num::PrimInt
+ num::Bounded
+ num::ToPrimitive
+ num::FromPrimitive
{
}
pub fn detect_parse_uint_unit(i: &str) -> IResult<&str, u64> {
let (i, unit) = alt((
value(1024, tag_no_case("kib")),
value(1024, tag_no_case("kb")),
value(1024 * 1024, tag_no_case("mib")),
value(1024 * 1024, tag_no_case("mb")),
value(1024 * 1024 * 1024, tag_no_case("gib")),
value(1024 * 1024 * 1024, tag_no_case("gb")),
))(i)?;
return Ok((i, unit));
}
pub fn detect_parse_uint_value_hex<T: DetectIntType>(i: &str) -> IResult<&str, T> {
let (i, _) = tag("0x")(i)?;
let (i, arg1s) = hex_digit1(i)?;
match T::from_str_radix(arg1s, 16) {
Ok(arg1) => Ok((i, arg1)),
_ => Err(Err::Error(make_error(i, ErrorKind::Verify))),
}
}
pub fn detect_parse_uint_value<T: DetectIntType>(i: &str) -> IResult<&str, T> {
let (i, arg1) = alt((detect_parse_uint_value_hex, detect_parse_uint_with_unit))(i)?;
Ok((i, arg1))
}
pub fn detect_parse_uint_with_unit<T: DetectIntType>(i: &str) -> IResult<&str, T> {
let (i, arg1) = map_opt(digit1, |s: &str| s.parse::<T>().ok())(i)?;
let (i, unit) = opt(detect_parse_uint_unit)(i)?;
if arg1 >= T::one() {
if let Some(u) = unit {
if T::max_value().to_u64().unwrap() / u < arg1.to_u64().unwrap() {
return Err(Err::Error(make_error(i, ErrorKind::Verify)));
}
let ru64 = arg1 * T::from_u64(u).unwrap();
return Ok((i, ru64));
}
}
Ok((i, arg1))
}
pub fn detect_parse_uint_start_equal<T: DetectIntType>(
i: &str,
) -> IResult<&str, DetectUintData<T>> {
let (i, _) = opt(tag("="))(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, arg1) = detect_parse_uint_value(i)?;
Ok((
i,
DetectUintData {
arg1,
arg2: T::min_value(),
mode: DetectUintMode::DetectUintModeEqual,
},
))
}
pub fn detect_parse_uint_start_interval<T: DetectIntType>(
i: &str,
) -> IResult<&str, DetectUintData<T>> {
let (i, neg) = opt(char('!'))(i)?;
let (i, arg1) = detect_parse_uint_value(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, _) = alt((tag("-"), tag("<>")))(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, arg2) = verify(detect_parse_uint_value, |x| {
x > &arg1 && *x - arg1 > T::one()
})(i)?;
let mode = if neg.is_some() {
DetectUintMode::DetectUintModeNegRg
} else {
DetectUintMode::DetectUintModeRange
};
Ok((i, DetectUintData { arg1, arg2, mode }))
}
pub fn detect_parse_uint_bitmask<T: DetectIntType>(i: &str) -> IResult<&str, DetectUintData<T>> {
let (i, _) = opt(is_a(" "))(i)?;
let (i, _) = tag("&")(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, arg1) = detect_parse_uint_value(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, neg) = opt(tag("!"))(i)?;
let (i, _) = tag("=")(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, arg2) = detect_parse_uint_value(i)?;
if arg2 & arg1 != arg2 {
// could never match
return Err(Err::Error(make_error(i, ErrorKind::Verify)));
}
let mode = if neg.is_none() {
DetectUintMode::DetectUintModeBitmask
} else {
DetectUintMode::DetectUintModeNegBitmask
};
Ok((i, DetectUintData { arg1, arg2, mode }))
}
fn detect_parse_uint_start_interval_inclusive<T: DetectIntType>(
i: &str,
) -> IResult<&str, DetectUintData<T>> {
let (i, neg) = opt(char('!'))(i)?;
let (i, arg1) = verify(detect_parse_uint_value::<T>, |x| *x > T::min_value())(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, _) = alt((tag("-"), tag("<>")))(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, arg2) = verify(detect_parse_uint_value::<T>, |x| {
*x > arg1 && *x < T::max_value()
})(i)?;
let mode = if neg.is_some() {
DetectUintMode::DetectUintModeNegRg
} else {
DetectUintMode::DetectUintModeRange
};
Ok((
i,
DetectUintData {
arg1: arg1 - T::one(),
arg2: arg2 + T::one(),
mode,
},
))
}
pub fn detect_parse_uint_mode(i: &str) -> IResult<&str, DetectUintMode> {
let (i, mode) = alt((
value(DetectUintMode::DetectUintModeGte, tag(">=")),
value(DetectUintMode::DetectUintModeLte, tag("<=")),
value(DetectUintMode::DetectUintModeGt, tag(">")),
value(DetectUintMode::DetectUintModeLt, tag("<")),
value(DetectUintMode::DetectUintModeNe, tag("!=")),
value(DetectUintMode::DetectUintModeNe, tag("!")),
value(DetectUintMode::DetectUintModeEqual, tag("=")),
))(i)?;
return Ok((i, mode));
}
fn detect_parse_uint_start_symbol<T: DetectIntType>(i: &str) -> IResult<&str, DetectUintData<T>> {
let (i, mode) = detect_parse_uint_mode(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, arg1) = detect_parse_uint_value(i)?;
match mode {
DetectUintMode::DetectUintModeNe => {}
DetectUintMode::DetectUintModeLt => {
if arg1 == T::min_value() {
return Err(Err::Error(make_error(i, ErrorKind::Verify)));
}
}
DetectUintMode::DetectUintModeLte => {
if arg1 == T::max_value() {
return Err(Err::Error(make_error(i, ErrorKind::Verify)));
}
}
DetectUintMode::DetectUintModeGt => {
if arg1 == T::max_value() {
return Err(Err::Error(make_error(i, ErrorKind::Verify)));
}
}
DetectUintMode::DetectUintModeGte => {
if arg1 == T::min_value() {
return Err(Err::Error(make_error(i, ErrorKind::Verify)));
}
}
_ => {
return Err(Err::Error(make_error(i, ErrorKind::MapOpt)));
}
}
Ok((
i,
DetectUintData {
arg1,
arg2: T::min_value(),
mode,
},
))
}
pub fn detect_match_uint<T: DetectIntType>(x: &DetectUintData<T>, val: T) -> bool {
match x.mode {
DetectUintMode::DetectUintModeEqual => {
if val == x.arg1 {
return true;
}
}
DetectUintMode::DetectUintModeNe => {
if val != x.arg1 {
return true;
}
}
DetectUintMode::DetectUintModeLt => {
if val < x.arg1 {
return true;
}
}
DetectUintMode::DetectUintModeLte => {
if val <= x.arg1 {
return true;
}
}
DetectUintMode::DetectUintModeGt => {
if val > x.arg1 {
return true;
}
}
DetectUintMode::DetectUintModeGte => {
if val >= x.arg1 {
return true;
}
}
DetectUintMode::DetectUintModeRange => {
if val > x.arg1 && val < x.arg2 {
return true;
}
}
DetectUintMode::DetectUintModeNegRg => {
if val <= x.arg1 || val >= x.arg2 {
return true;
}
}
DetectUintMode::DetectUintModeBitmask => {
if val & x.arg1 == x.arg2 {
return true;
}
}
DetectUintMode::DetectUintModeNegBitmask => {
if val & x.arg1 != x.arg2 {
return true;
}
}
}
return false;
}
pub fn detect_parse_uint_notending<T: DetectIntType>(i: &str) -> IResult<&str, DetectUintData<T>> {
let (i, _) = opt(is_a(" "))(i)?;
let (i, uint) = alt((
detect_parse_uint_bitmask,
detect_parse_uint_start_interval,
detect_parse_uint_start_equal,
detect_parse_uint_start_symbol,
))(i)?;
Ok((i, uint))
}
pub fn detect_parse_uint<T: DetectIntType>(i: &str) -> IResult<&str, DetectUintData<T>> {
let (i, uint) = detect_parse_uint_notending(i)?;
let (i, _) = all_consuming(take_while(|c| c == ' '))(i)?;
Ok((i, uint))
}
pub fn detect_parse_uint_inclusive<T: DetectIntType>(i: &str) -> IResult<&str, DetectUintData<T>> {
let (i, _) = opt(is_a(" "))(i)?;
let (i, uint) = alt((
detect_parse_uint_start_interval_inclusive,
detect_parse_uint_start_equal,
detect_parse_uint_start_symbol,
))(i)?;
let (i, _) = all_consuming(take_while(|c| c == ' '))(i)?;
Ok((i, uint))
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU64Parse(
ustr: *const std::os::raw::c_char,
) -> *mut DetectUintData<u64> {
let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
if let Ok(s) = ft_name.to_str() {
if let Ok((_, ctx)) = detect_parse_uint::<u64>(s) {
let boxed = Box::new(ctx);
return Box::into_raw(boxed) as *mut _;
}
}
return std::ptr::null_mut();
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU64Match(
arg: u64, ctx: &DetectUintData<u64>,
) -> std::os::raw::c_int {
if detect_match_uint(ctx, arg) {
return 1;
}
return 0;
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU64Free(ctx: &mut DetectUintData<u64>) {
// Just unbox...
std::mem::drop(Box::from_raw(ctx));
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU32Parse(
ustr: *const std::os::raw::c_char,
) -> *mut DetectUintData<u32> {
let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
if let Ok(s) = ft_name.to_str() {
if let Ok((_, ctx)) = detect_parse_uint::<u32>(s) {
let boxed = Box::new(ctx);
return Box::into_raw(boxed) as *mut _;
}
}
return std::ptr::null_mut();
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU32ParseInclusive(
ustr: *const std::os::raw::c_char,
) -> *mut DetectUintData<u32> {
let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
if let Ok(s) = ft_name.to_str() {
if let Ok((_, ctx)) = detect_parse_uint_inclusive::<u32>(s) {
let boxed = Box::new(ctx);
return Box::into_raw(boxed) as *mut _;
}
}
return std::ptr::null_mut();
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU32Match(
arg: u32, ctx: &DetectUintData<u32>,
) -> std::os::raw::c_int {
if detect_match_uint(ctx, arg) {
return 1;
}
return 0;
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU32Free(ctx: &mut DetectUintData<u32>) {
// Just unbox...
std::mem::drop(Box::from_raw(ctx));
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU8Parse(
ustr: *const std::os::raw::c_char,
) -> *mut DetectUintData<u8> {
let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
if let Ok(s) = ft_name.to_str() {
if let Ok((_, ctx)) = detect_parse_uint::<u8>(s) {
let boxed = Box::new(ctx);
return Box::into_raw(boxed) as *mut _;
}
}
return std::ptr::null_mut();
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU8Match(arg: u8, ctx: &DetectUintData<u8>) -> std::os::raw::c_int {
if detect_match_uint(ctx, arg) {
return 1;
}
return 0;
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU8Free(ctx: &mut DetectUintData<u8>) {
// Just unbox...
std::mem::drop(Box::from_raw(ctx));
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU8ArrayParse(ustr: *const std::os::raw::c_char) -> *mut c_void {
let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
if let Ok(s) = ft_name.to_str() {
if let Some(ctx) = detect_parse_array_uint::<u8>(s) {
let boxed = Box::new(ctx);
// DetectUintArrayData<u8> cannot be cbindgend
return Box::into_raw(boxed) as *mut c_void;
}
}
return std::ptr::null_mut();
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU8ArrayFree(ctx: &mut DetectUintArrayData<u8>) {
std::mem::drop(Box::from_raw(ctx));
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU32ArrayParse(ustr: *const std::os::raw::c_char) -> *mut c_void {
let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
if let Ok(s) = ft_name.to_str() {
if let Some(ctx) = detect_parse_array_uint::<u32>(s) {
let boxed = Box::new(ctx);
return Box::into_raw(boxed) as *mut c_void;
}
}
return std::ptr::null_mut();
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU32ArrayFree(ctx: &mut DetectUintData<u32>) {
// Just unbox...
std::mem::drop(Box::from_raw(ctx));
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU16Parse(
ustr: *const std::os::raw::c_char,
) -> *mut DetectUintData<u16> {
let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
if let Ok(s) = ft_name.to_str() {
if let Ok((_, ctx)) = detect_parse_uint::<u16>(s) {
let boxed = Box::new(ctx);
return Box::into_raw(boxed) as *mut _;
}
}
return std::ptr::null_mut();
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU16Match(
arg: u16, ctx: &DetectUintData<u16>,
) -> std::os::raw::c_int {
if detect_match_uint(ctx, arg) {
return 1;
}
return 0;
}
#[no_mangle]
pub unsafe extern "C" fn SCDetectU16Free(ctx: &mut DetectUintData<u16>) {
// Just unbox...
std::mem::drop(Box::from_raw(ctx));
}
#[cfg(test)]
mod tests {
use super::*;
use suricata_derive::EnumStringU8;
#[derive(Clone, Debug, PartialEq, EnumStringU8)]
#[repr(u8)]
pub enum TestEnum {
Zero = 0,
BestValueEver = 42,
}
#[test]
fn test_detect_parse_uint_enum() {
let ctx = detect_parse_uint_enum::<u8, TestEnum>("best_value_ever").unwrap();
assert_eq!(ctx.arg1, 42);
assert_eq!(ctx.mode, DetectUintMode::DetectUintModeEqual);
let ctx = detect_parse_uint_enum::<u8, TestEnum>(">1").unwrap();
assert_eq!(ctx.arg1, 1);
assert_eq!(ctx.mode, DetectUintMode::DetectUintModeGt);
}
#[test]
fn test_parse_uint_bitmask() {
let (_, val) = detect_parse_uint::<u64>("&0x40!=0").unwrap();
assert_eq!(val.arg1, 0x40);
assert_eq!(val.arg2, 0);
assert_eq!(val.mode, DetectUintMode::DetectUintModeNegBitmask);
assert!(!detect_match_uint(&val, 0xBF));
assert!(detect_match_uint(&val, 0x40));
let (_, val) = detect_parse_uint::<u64>("&0xc0=0x80").unwrap();
assert_eq!(val.arg1, 0xc0);
assert_eq!(val.arg2, 0x80);
assert_eq!(val.mode, DetectUintMode::DetectUintModeBitmask);
assert!(detect_match_uint(&val, 0x80));
assert!(!detect_match_uint(&val, 0x40));
assert!(!detect_match_uint(&val, 0xc0));
// could never match
assert!(detect_parse_uint::<u64>("&0xc0=12").is_err());
}
#[test]
fn test_parse_uint_hex() {
let (_, val) = detect_parse_uint::<u64>("0x100").unwrap();
assert_eq!(val.arg1, 0x100);
let (_, val) = detect_parse_uint::<u8>("0xFF").unwrap();
assert_eq!(val.arg1, 255);
let (_, val) = detect_parse_uint::<u8>("0xff").unwrap();
assert_eq!(val.arg1, 255);
}
#[test]
fn test_parse_uint_negated_range() {
let (_, val) = detect_parse_uint::<u8>("!1-6").unwrap();
assert_eq!(val.arg1, 1);
assert_eq!(val.arg2, 6);
assert_eq!(val.mode, DetectUintMode::DetectUintModeNegRg);
assert!(detect_match_uint(&val, 1));
assert!(!detect_match_uint(&val, 2));
assert!(!detect_match_uint(&val, 5));
assert!(detect_match_uint(&val, 6));
}
#[test]
fn test_parse_uint_unit() {
let (_, val) = detect_parse_uint::<u64>(" 2kb").unwrap();
assert_eq!(val.arg1, 2048);
assert!(detect_parse_uint::<u8>("2kb").is_err());
let (_, val) = detect_parse_uint::<u32>("> 3MB").unwrap();
assert_eq!(val.arg1, 3 * 1024 * 1024);
}
#[test]
fn test_parse_uint_like_mqtt_protocol_version() {
let (_, val) = detect_parse_uint::<u8>("3").unwrap();
assert_eq!(val.mode, DetectUintMode::DetectUintModeEqual);
assert_eq!(val.arg1, 3);
let (_, val) = detect_parse_uint::<u8>("5").unwrap();
assert_eq!(val.mode, DetectUintMode::DetectUintModeEqual);
assert_eq!(val.arg1, 5);
let (_, val) = detect_parse_uint::<u8>(">3").unwrap();
assert_eq!(val.mode, DetectUintMode::DetectUintModeGt);
assert_eq!(val.arg1, 3);
let (_, val) = detect_parse_uint::<u8>("<44").unwrap();
assert_eq!(val.mode, DetectUintMode::DetectUintModeLt);
assert_eq!(val.arg1, 44);
assert!(detect_parse_uint::<u8>("").is_err());
assert!(detect_parse_uint::<u8>("<444").is_err());
}
}
Reference in New Issue View Git Blame Copy Permalink