mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
381 lines
10 KiB
C
381 lines
10 KiB
C
/* Copyright (C) 2007-2021 Open Information Security Foundation
|
|
*
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
* the GNU General Public License version 2 as published by the Free
|
|
* Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA.
|
|
*/
|
|
|
|
/**
|
|
* \file
|
|
*
|
|
* \author Breno Silva <breno.silva@gmail.com>
|
|
*
|
|
* Implements the decode-event keyword
|
|
*/
|
|
|
|
#include "suricata-common.h"
|
|
#include "suricata.h"
|
|
#include "decode.h"
|
|
#include "detect.h"
|
|
#include "detect-parse.h"
|
|
|
|
#include "flow-var.h"
|
|
#include "decode-events.h"
|
|
|
|
#include "util-debug.h"
|
|
|
|
#include "stream-tcp.h"
|
|
|
|
|
|
/* Need to get the DEvents[] array */
|
|
|
|
#include "detect-engine-event.h"
|
|
#include "util-unittest.h"
|
|
|
|
#define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z0-9_+.]+$"
|
|
|
|
static DetectParseRegex parse_regex;
|
|
|
|
static int DetectEngineEventMatch (DetectEngineThreadCtx *,
|
|
Packet *, const Signature *, const SigMatchCtx *);
|
|
static int DetectEngineEventSetup (DetectEngineCtx *, Signature *, const char *);
|
|
static int DetectDecodeEventSetup (DetectEngineCtx *, Signature *, const char *);
|
|
static int DetectStreamEventSetup (DetectEngineCtx *, Signature *, const char *);
|
|
static void DetectEngineEventFree (DetectEngineCtx *, void *);
|
|
#ifdef UNITTESTS
|
|
void EngineEventRegisterTests(void);
|
|
#endif
|
|
|
|
/**
|
|
* \brief Registration function for decode-event: keyword
|
|
*/
|
|
void DetectEngineEventRegister (void)
|
|
{
|
|
sigmatch_table[DETECT_ENGINE_EVENT].name = "engine-event";
|
|
sigmatch_table[DETECT_ENGINE_EVENT].Match = DetectEngineEventMatch;
|
|
sigmatch_table[DETECT_ENGINE_EVENT].Setup = DetectEngineEventSetup;
|
|
sigmatch_table[DETECT_ENGINE_EVENT].Free = DetectEngineEventFree;
|
|
#ifdef UNITTESTS
|
|
sigmatch_table[DETECT_ENGINE_EVENT].RegisterTests = EngineEventRegisterTests;
|
|
#endif
|
|
|
|
sigmatch_table[DETECT_DECODE_EVENT].name = "decode-event";
|
|
sigmatch_table[DETECT_DECODE_EVENT].Match = DetectEngineEventMatch;
|
|
sigmatch_table[DETECT_DECODE_EVENT].Setup = DetectDecodeEventSetup;
|
|
sigmatch_table[DETECT_DECODE_EVENT].Free = DetectEngineEventFree;
|
|
sigmatch_table[DETECT_DECODE_EVENT].flags |= SIGMATCH_DEONLY_COMPAT;
|
|
|
|
sigmatch_table[DETECT_STREAM_EVENT].name = "stream-event";
|
|
sigmatch_table[DETECT_STREAM_EVENT].Match = DetectEngineEventMatch;
|
|
sigmatch_table[DETECT_STREAM_EVENT].Setup = DetectStreamEventSetup;
|
|
sigmatch_table[DETECT_STREAM_EVENT].Free = DetectEngineEventFree;
|
|
|
|
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
|
|
}
|
|
|
|
/**
|
|
* \brief This function is used to match decoder event flags set on a packet with those passed via decode-event:
|
|
*
|
|
* \param t pointer to thread vars
|
|
* \param det_ctx pointer to the pattern matcher thread
|
|
* \param p pointer to the current packet
|
|
* \param s pointer to the Signature
|
|
* \param m pointer to the sigmatch
|
|
*
|
|
* \retval 0 no match
|
|
* \retval 1 match
|
|
*/
|
|
static int DetectEngineEventMatch (DetectEngineThreadCtx *det_ctx,
|
|
Packet *p, const Signature *s, const SigMatchCtx *ctx)
|
|
{
|
|
SCEnter();
|
|
|
|
const DetectEngineEventData *de = (const DetectEngineEventData *)ctx;
|
|
|
|
if (ENGINE_ISSET_EVENT(p, de->event)) {
|
|
SCLogDebug("de->event matched %u", de->event);
|
|
SCReturnInt(1);
|
|
}
|
|
|
|
SCReturnInt(0);
|
|
}
|
|
|
|
/**
|
|
* \brief This function is used to parse decoder events options passed via decode-event: keyword
|
|
*
|
|
* \param rawstr Pointer to the user provided decode-event options
|
|
*
|
|
* \retval de pointer to DetectFlowData on success
|
|
* \retval NULL on failure
|
|
*/
|
|
static DetectEngineEventData *DetectEngineEventParse (const char *rawstr)
|
|
{
|
|
int i;
|
|
DetectEngineEventData *de = NULL;
|
|
int ret = 0, res = 0, found = 0;
|
|
size_t pcre2len;
|
|
|
|
ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
|
|
if (ret < 1) {
|
|
SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32
|
|
", string %s", ret, rawstr);
|
|
goto error;
|
|
}
|
|
|
|
char copy_str[128] = "";
|
|
pcre2len = sizeof(copy_str);
|
|
res = pcre2_substring_copy_bynumber(parse_regex.match, 0, (PCRE2_UCHAR8 *)copy_str, &pcre2len);
|
|
|
|
if (res < 0) {
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
|
|
goto error;
|
|
}
|
|
|
|
for (i = 0; DEvents[i].event_name != NULL; i++) {
|
|
if (strcasecmp(DEvents[i].event_name,copy_str) == 0) {
|
|
found = 1;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (found == 0) {
|
|
SCLogError(SC_ERR_UNKNOWN_DECODE_EVENT, "unknown decode event \"%s\"",
|
|
copy_str);
|
|
goto error;
|
|
}
|
|
|
|
de = SCMalloc(sizeof(DetectEngineEventData));
|
|
if (unlikely(de == NULL))
|
|
goto error;
|
|
|
|
de->event = DEvents[i].code;
|
|
|
|
if (de->event == STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA) {
|
|
StreamTcpReassembleConfigEnableOverlapCheck();
|
|
}
|
|
return de;
|
|
|
|
error:
|
|
if (de)
|
|
SCFree(de);
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* \brief this function is used to add the parsed decode-event into the current signature
|
|
*
|
|
* \param de_ctx pointer to the Detection Engine Context
|
|
* \param s pointer to the Current Signature
|
|
* \param rawstr pointer to the user provided decode-event options
|
|
*
|
|
* \retval 0 on Success
|
|
* \retval -1 on Failure
|
|
*/
|
|
static int DetectEngineEventSetupDo(
|
|
DetectEngineCtx *de_ctx, Signature *s, const char *rawstr, uint16_t smtype)
|
|
{
|
|
DetectEngineEventData *de = DetectEngineEventParse(rawstr);
|
|
if (de == NULL)
|
|
return -1;
|
|
|
|
SCLogDebug("rawstr %s %u", rawstr, de->event);
|
|
|
|
SigMatch *sm = SigMatchAlloc();
|
|
if (sm == NULL) {
|
|
SCFree(de);
|
|
return -1;
|
|
}
|
|
|
|
sm->type = smtype;
|
|
sm->ctx = (SigMatchCtx *)de;
|
|
|
|
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int DetectEngineEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
|
|
{
|
|
return DetectEngineEventSetupDo (de_ctx, s, rawstr, DETECT_ENGINE_EVENT);
|
|
}
|
|
|
|
/**
|
|
* \brief this function will free memory associated with DetectEngineEventData
|
|
*
|
|
* \param de pointer to DetectEngineEventData
|
|
*/
|
|
static void DetectEngineEventFree(DetectEngineCtx *de_ctx, void *ptr)
|
|
{
|
|
DetectEngineEventData *de = (DetectEngineEventData *)ptr;
|
|
if (de)
|
|
SCFree(de);
|
|
}
|
|
|
|
|
|
/**
|
|
* \brief this function Setup the 'decode-event' keyword by setting the correct
|
|
* signature type
|
|
*/
|
|
static int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
|
|
{
|
|
char drawstr[64] = "decoder.";
|
|
|
|
/* decoder:$EVENT alias command develop as decode-event:decoder.$EVENT */
|
|
strlcat(drawstr, rawstr, sizeof(drawstr));
|
|
|
|
return DetectEngineEventSetupDo(de_ctx, s, drawstr, DETECT_DECODE_EVENT);
|
|
}
|
|
|
|
/**
|
|
* \brief this function Setup the 'stream-event' keyword by resolving the alias
|
|
*/
|
|
static int DetectStreamEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
|
|
{
|
|
char srawstr[64] = "stream.";
|
|
|
|
if (strcmp(rawstr, "est_synack_resend_with_different_ack") == 0) {
|
|
rawstr = "est_synack_resend_with_diff_ack";
|
|
} else if (strcmp(rawstr, "3whs_synack_resend_with_different_ack") == 0) {
|
|
rawstr = "3whs_synack_resend_with_diff_ack";
|
|
}
|
|
|
|
/* stream:$EVENT alias command develop as decode-event:stream.$EVENT */
|
|
strlcat(srawstr, rawstr, sizeof(srawstr));
|
|
|
|
return DetectEngineEventSetup(de_ctx, s, srawstr);
|
|
}
|
|
|
|
/*
|
|
* ONLY TESTS BELOW THIS COMMENT
|
|
*/
|
|
#ifdef UNITTESTS
|
|
|
|
/**
|
|
* \test EngineEventTestParse01 is a test for a valid decode-event value
|
|
*/
|
|
static int EngineEventTestParse01 (void)
|
|
{
|
|
DetectEngineEventData *de = DetectEngineEventParse("decoder.ipv4.pkt_too_small");
|
|
|
|
FAIL_IF_NULL(de);
|
|
|
|
DetectEngineEventFree(NULL, de);
|
|
|
|
PASS;
|
|
}
|
|
|
|
|
|
/**
|
|
* \test EngineEventTestParse02 is a test for a valid upper + lower case decode-event value
|
|
*/
|
|
static int EngineEventTestParse02 (void)
|
|
{
|
|
DetectEngineEventData *de = DetectEngineEventParse("decoder.PPP.pkt_too_small");
|
|
|
|
FAIL_IF_NULL(de);
|
|
|
|
DetectEngineEventFree(NULL, de);
|
|
|
|
PASS;
|
|
}
|
|
|
|
/**
|
|
* \test EngineEventTestParse03 is a test for a valid upper case decode-event value
|
|
*/
|
|
static int EngineEventTestParse03 (void)
|
|
{
|
|
DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV6.PKT_TOO_SMALL");
|
|
|
|
FAIL_IF_NULL(de);
|
|
|
|
DetectEngineEventFree(NULL, de);
|
|
|
|
PASS;
|
|
}
|
|
|
|
/**
|
|
* \test EngineEventTestParse04 is a test for an invalid upper case decode-event value
|
|
*/
|
|
static int EngineEventTestParse04 (void)
|
|
{
|
|
DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV6.INVALID_EVENT");
|
|
|
|
FAIL_IF_NOT_NULL(de);
|
|
|
|
DetectEngineEventFree(NULL, de);
|
|
|
|
PASS;
|
|
}
|
|
|
|
/**
|
|
* \test EngineEventTestParse05 is a test for an invalid char into the decode-event value
|
|
*/
|
|
static int EngineEventTestParse05 (void)
|
|
{
|
|
DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV-6,INVALID_CHAR");
|
|
|
|
FAIL_IF_NOT_NULL(de);
|
|
|
|
DetectEngineEventFree(NULL, de);
|
|
|
|
PASS;
|
|
}
|
|
|
|
/**
|
|
* \test EngineEventTestParse06 is a test for match function with valid decode-event value
|
|
*/
|
|
static int EngineEventTestParse06 (void)
|
|
{
|
|
Packet *p = PacketGetFromAlloc();
|
|
FAIL_IF_NULL(p);
|
|
|
|
ThreadVars tv;
|
|
|
|
memset(&tv, 0, sizeof(ThreadVars));
|
|
|
|
ENGINE_SET_EVENT(p,PPP_PKT_TOO_SMALL);
|
|
|
|
DetectEngineEventData *de = DetectEngineEventParse("decoder.ppp.pkt_too_small");
|
|
FAIL_IF_NULL(de);
|
|
|
|
de->event = PPP_PKT_TOO_SMALL;
|
|
|
|
SigMatch *sm = SigMatchAlloc();
|
|
FAIL_IF_NULL(sm);
|
|
|
|
sm->type = DETECT_DECODE_EVENT;
|
|
sm->ctx = (SigMatchCtx *)de;
|
|
|
|
FAIL_IF_NOT(DetectEngineEventMatch(NULL, p, NULL, sm->ctx));
|
|
|
|
SCFree(p);
|
|
SCFree(de);
|
|
SCFree(sm);
|
|
|
|
PASS;
|
|
}
|
|
|
|
/**
|
|
* \brief this function registers unit tests for EngineEvent
|
|
*/
|
|
void EngineEventRegisterTests(void)
|
|
{
|
|
UtRegisterTest("EngineEventTestParse01", EngineEventTestParse01);
|
|
UtRegisterTest("EngineEventTestParse02", EngineEventTestParse02);
|
|
UtRegisterTest("EngineEventTestParse03", EngineEventTestParse03);
|
|
UtRegisterTest("EngineEventTestParse04", EngineEventTestParse04);
|
|
UtRegisterTest("EngineEventTestParse05", EngineEventTestParse05);
|
|
UtRegisterTest("EngineEventTestParse06", EngineEventTestParse06);
|
|
}
|
|
#endif /* UNITTESTS */
|