aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-8.0.x
main-7.0.x
main
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8984bc6801'
${ noResults }
suricata/rust/src/detect/transforms/xor.rs

149 lines
4.6 KiB
Rust
Raw Blame History

/* Copyright (C) 2024 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
use super::{
DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
};
use crate::detect::SIGMATCH_QUOTES_MANDATORY;
use std::ffi::CStr;
use std::os::raw::{c_int, c_void};
static mut G_TRANSFORM_XOR_ID: c_int = 0;
#[derive(Debug, PartialEq)]
struct DetectTransformXorData {
key: Vec<u8>,
}
fn xor_parse_do(i: &str) -> Option<DetectTransformXorData> {
if i.len() % 2 != 0 {
SCLogError!("XOR transform key's length must be an even number");
return None;
}
if i.len() / 2 > u8::MAX.into() {
SCLogError!("Key length too big for XOR transform");
return None;
}
if let Ok(key) = hex::decode(i) {
return Some(DetectTransformXorData { key });
}
SCLogError!("XOR transform key must be hexadecimal characters only");
return None;
}
unsafe fn xor_parse(raw: *const std::os::raw::c_char) -> *mut c_void {
let raw: &CStr = CStr::from_ptr(raw); //unsafe
if let Ok(s) = raw.to_str() {
if let Some(ctx) = xor_parse_do(s) {
let boxed = Box::new(ctx);
return Box::into_raw(boxed) as *mut _;
}
}
return std::ptr::null_mut();
}
#[no_mangle]
unsafe extern "C" fn xor_setup(
_de: *mut c_void, s: *mut c_void, opt_str: *const std::os::raw::c_char,
) -> c_int {
let ctx = xor_parse(opt_str);
if ctx.is_null() {
return -1;
}
return DetectSignatureAddTransform(s, G_TRANSFORM_XOR_ID, ctx);
}
fn xor_transform_do(input: &[u8], output: &mut [u8], ctx: &DetectTransformXorData) {
let mut ki = 0;
for (i, o) in input.iter().zip(output.iter_mut()) {
*o = (*i) ^ ctx.key[ki];
ki = (ki + 1) % ctx.key.len();
}
}
#[no_mangle]
unsafe extern "C" fn xor_transform(buffer: *mut c_void, ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
return;
}
let input = build_slice!(input, input_len as usize);
let output = InspectionBufferCheckAndExpand(buffer, input_len);
if output.is_null() {
// allocation failure
return;
}
let output = std::slice::from_raw_parts_mut(output, input_len as usize);
let ctx = cast_pointer!(ctx, DetectTransformXorData);
xor_transform_do(input, output, ctx);
InspectionBufferTruncate(buffer, input_len);
}
unsafe extern "C" fn xor_free(_de: *mut c_void, ctx: *mut c_void) {
std::mem::drop(Box::from_raw(ctx as *mut DetectTransformXorData));
}
#[no_mangle]
pub unsafe extern "C" fn DetectTransformXorRegister() {
let kw = SCTransformTableElmt {
name: b"xor\0".as_ptr() as *const libc::c_char,
desc: b"modify buffer via XOR decoding before inspection\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#xor\0".as_ptr() as *const libc::c_char,
Setup: xor_setup,
flags: SIGMATCH_QUOTES_MANDATORY,
Transform: xor_transform,
Free: Some(xor_free),
TransformValidate: None,
};
unsafe {
G_TRANSFORM_XOR_ID = DetectHelperTransformRegister(&kw);
if G_TRANSFORM_XOR_ID < 0 {
SCLogWarning!("Failed registering transform dot_prefix");
}
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_xor_parse() {
assert!(xor_parse_do("nohexa").is_none());
let key = b"\x0a\x0d\xc8\xff";
assert_eq!(
xor_parse_do("0a0DC8ff"),
Some(DetectTransformXorData { key: key.to_vec() })
);
}
#[test]
fn test_xor_transform() {
let buf = b"example.com";
let mut out = vec![0; buf.len()];
let ctx = xor_parse_do("0a0DC8ff").unwrap();
xor_transform_do(buf, &mut out, &ctx);
assert_eq!(out, b"ou\xa9\x92za\xad\xd1ib\xa5");
}
}
Reference in New Issue View Git Blame Copy Permalink