mirror of https://github.com/OISF/suricata
				
				
				
			
			You cannot select more than 25 topics
			Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
		
		
		
		
		
			
		
			
				
	
	
		
			381 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			C
		
	
			
		
		
	
	
			381 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			C
		
	
| /* Copyright (C) 2007-2021 Open Information Security Foundation
 | |
|  *
 | |
|  * You can copy, redistribute or modify this Program under the terms of
 | |
|  * the GNU General Public License version 2 as published by the Free
 | |
|  * Software Foundation.
 | |
|  *
 | |
|  * This program is distributed in the hope that it will be useful,
 | |
|  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
|  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
|  * GNU General Public License for more details.
 | |
|  *
 | |
|  * You should have received a copy of the GNU General Public License
 | |
|  * version 2 along with this program; if not, write to the Free Software
 | |
|  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 | |
|  * 02110-1301, USA.
 | |
|  */
 | |
| 
 | |
| /**
 | |
|  * \file
 | |
|  *
 | |
|  * \author Breno Silva <breno.silva@gmail.com>
 | |
|  *
 | |
|  * Implements the decode-event keyword
 | |
|  */
 | |
| 
 | |
| #include "suricata-common.h"
 | |
| #include "suricata.h"
 | |
| #include "decode.h"
 | |
| #include "detect.h"
 | |
| #include "detect-parse.h"
 | |
| 
 | |
| #include "flow-var.h"
 | |
| #include "decode-events.h"
 | |
| 
 | |
| #include "util-debug.h"
 | |
| 
 | |
| #include "stream-tcp.h"
 | |
| 
 | |
| 
 | |
| /* Need to get the DEvents[] array */
 | |
| 
 | |
| #include "detect-engine-event.h"
 | |
| #include "util-unittest.h"
 | |
| 
 | |
| #define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z0-9_+.]+$"
 | |
| 
 | |
| static DetectParseRegex parse_regex;
 | |
| 
 | |
| static int DetectEngineEventMatch (DetectEngineThreadCtx *,
 | |
|         Packet *, const Signature *, const SigMatchCtx *);
 | |
| static int DetectEngineEventSetup (DetectEngineCtx *, Signature *, const char *);
 | |
| static int DetectDecodeEventSetup (DetectEngineCtx *, Signature *, const char *);
 | |
| static int DetectStreamEventSetup (DetectEngineCtx *, Signature *, const char *);
 | |
| static void DetectEngineEventFree (DetectEngineCtx *, void *);
 | |
| #ifdef UNITTESTS
 | |
| void EngineEventRegisterTests(void);
 | |
| #endif
 | |
| 
 | |
| /**
 | |
|  * \brief Registration function for decode-event: keyword
 | |
|  */
 | |
| void DetectEngineEventRegister (void)
 | |
| {
 | |
|     sigmatch_table[DETECT_ENGINE_EVENT].name = "engine-event";
 | |
|     sigmatch_table[DETECT_ENGINE_EVENT].Match = DetectEngineEventMatch;
 | |
|     sigmatch_table[DETECT_ENGINE_EVENT].Setup = DetectEngineEventSetup;
 | |
|     sigmatch_table[DETECT_ENGINE_EVENT].Free  = DetectEngineEventFree;
 | |
| #ifdef UNITTESTS
 | |
|     sigmatch_table[DETECT_ENGINE_EVENT].RegisterTests = EngineEventRegisterTests;
 | |
| #endif
 | |
| 
 | |
|     sigmatch_table[DETECT_DECODE_EVENT].name = "decode-event";
 | |
|     sigmatch_table[DETECT_DECODE_EVENT].Match = DetectEngineEventMatch;
 | |
|     sigmatch_table[DETECT_DECODE_EVENT].Setup = DetectDecodeEventSetup;
 | |
|     sigmatch_table[DETECT_DECODE_EVENT].Free  = DetectEngineEventFree;
 | |
|     sigmatch_table[DETECT_DECODE_EVENT].flags |= SIGMATCH_DEONLY_COMPAT;
 | |
| 
 | |
|     sigmatch_table[DETECT_STREAM_EVENT].name = "stream-event";
 | |
|     sigmatch_table[DETECT_STREAM_EVENT].Match = DetectEngineEventMatch;
 | |
|     sigmatch_table[DETECT_STREAM_EVENT].Setup = DetectStreamEventSetup;
 | |
|     sigmatch_table[DETECT_STREAM_EVENT].Free  = DetectEngineEventFree;
 | |
| 
 | |
|     DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * \brief This function is used to match decoder event flags set on a packet with those passed via decode-event:
 | |
|  *
 | |
|  * \param t pointer to thread vars
 | |
|  * \param det_ctx pointer to the pattern matcher thread
 | |
|  * \param p pointer to the current packet
 | |
|  * \param s pointer to the Signature
 | |
|  * \param m pointer to the sigmatch
 | |
|  *
 | |
|  * \retval 0 no match
 | |
|  * \retval 1 match
 | |
|  */
 | |
| static int DetectEngineEventMatch (DetectEngineThreadCtx *det_ctx,
 | |
|         Packet *p, const Signature *s, const SigMatchCtx *ctx)
 | |
| {
 | |
|     SCEnter();
 | |
| 
 | |
|     const DetectEngineEventData *de = (const DetectEngineEventData *)ctx;
 | |
| 
 | |
|     if (ENGINE_ISSET_EVENT(p, de->event)) {
 | |
|         SCLogDebug("de->event matched %u", de->event);
 | |
|         SCReturnInt(1);
 | |
|     }
 | |
| 
 | |
|     SCReturnInt(0);
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * \brief This function is used to parse decoder events options passed via decode-event: keyword
 | |
|  *
 | |
|  * \param rawstr Pointer to the user provided decode-event options
 | |
|  *
 | |
|  * \retval de pointer to DetectFlowData on success
 | |
|  * \retval NULL on failure
 | |
|  */
 | |
| static DetectEngineEventData *DetectEngineEventParse (const char *rawstr)
 | |
| {
 | |
|     int i;
 | |
|     DetectEngineEventData *de = NULL;
 | |
|     int ret = 0, res = 0, found = 0;
 | |
|     size_t pcre2len;
 | |
| 
 | |
|     ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
 | |
|     if (ret < 1) {
 | |
|         SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32
 | |
|                 ", string %s", ret, rawstr);
 | |
|         goto error;
 | |
|     }
 | |
| 
 | |
|     char copy_str[128] = "";
 | |
|     pcre2len = sizeof(copy_str);
 | |
|     res = pcre2_substring_copy_bynumber(parse_regex.match, 0, (PCRE2_UCHAR8 *)copy_str, &pcre2len);
 | |
| 
 | |
|     if (res < 0) {
 | |
|         SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
 | |
|         goto error;
 | |
|     }
 | |
| 
 | |
|     for (i = 0; DEvents[i].event_name != NULL; i++) {
 | |
|         if (strcasecmp(DEvents[i].event_name,copy_str) == 0) {
 | |
|             found = 1;
 | |
|             break;
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     if (found == 0) {
 | |
|         SCLogError(SC_ERR_UNKNOWN_DECODE_EVENT, "unknown decode event \"%s\"",
 | |
|                 copy_str);
 | |
|         goto error;
 | |
|     }
 | |
| 
 | |
|     de = SCMalloc(sizeof(DetectEngineEventData));
 | |
|     if (unlikely(de == NULL))
 | |
|         goto error;
 | |
| 
 | |
|     de->event = DEvents[i].code;
 | |
| 
 | |
|     if (de->event == STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA) {
 | |
|         StreamTcpReassembleConfigEnableOverlapCheck();
 | |
|     }
 | |
|     return de;
 | |
| 
 | |
| error:
 | |
|     if (de)
 | |
|         SCFree(de);
 | |
|     return NULL;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * \brief this function is used to add the parsed decode-event into the current signature
 | |
|  *
 | |
|  * \param de_ctx pointer to the Detection Engine Context
 | |
|  * \param s pointer to the Current Signature
 | |
|  * \param rawstr pointer to the user provided decode-event options
 | |
|  *
 | |
|  * \retval 0 on Success
 | |
|  * \retval -1 on Failure
 | |
|  */
 | |
| static int DetectEngineEventSetupDo(
 | |
|         DetectEngineCtx *de_ctx, Signature *s, const char *rawstr, uint16_t smtype)
 | |
| {
 | |
|     DetectEngineEventData *de = DetectEngineEventParse(rawstr);
 | |
|     if (de == NULL)
 | |
|         return -1;
 | |
| 
 | |
|     SCLogDebug("rawstr %s %u", rawstr, de->event);
 | |
| 
 | |
|     SigMatch *sm = SigMatchAlloc();
 | |
|     if (sm == NULL) {
 | |
|         SCFree(de);
 | |
|         return -1;
 | |
|     }
 | |
| 
 | |
|     sm->type = smtype;
 | |
|     sm->ctx = (SigMatchCtx *)de;
 | |
| 
 | |
|     SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
 | |
|     return 0;
 | |
| }
 | |
| 
 | |
| 
 | |
| static int DetectEngineEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
 | |
| {
 | |
|     return DetectEngineEventSetupDo (de_ctx, s, rawstr, DETECT_ENGINE_EVENT);
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * \brief this function will free memory associated with DetectEngineEventData
 | |
|  *
 | |
|  * \param de pointer to DetectEngineEventData
 | |
|  */
 | |
| static void DetectEngineEventFree(DetectEngineCtx *de_ctx, void *ptr)
 | |
| {
 | |
|     DetectEngineEventData *de = (DetectEngineEventData *)ptr;
 | |
|     if (de)
 | |
|         SCFree(de);
 | |
| }
 | |
| 
 | |
| 
 | |
| /**
 | |
|  * \brief this function Setup the 'decode-event' keyword by setting the correct
 | |
|  * signature type
 | |
| */
 | |
| static int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
 | |
| {
 | |
|     char drawstr[64] = "decoder.";
 | |
| 
 | |
|     /* decoder:$EVENT alias command develop as decode-event:decoder.$EVENT */
 | |
|     strlcat(drawstr, rawstr, sizeof(drawstr));
 | |
| 
 | |
|     return DetectEngineEventSetupDo(de_ctx, s, drawstr, DETECT_DECODE_EVENT);
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * \brief this function Setup the 'stream-event' keyword by resolving the alias
 | |
| */
 | |
| static int DetectStreamEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
 | |
| {
 | |
|     char srawstr[64] = "stream.";
 | |
| 
 | |
|     if (strcmp(rawstr, "est_synack_resend_with_different_ack") == 0) {
 | |
|         rawstr = "est_synack_resend_with_diff_ack";
 | |
|     } else if (strcmp(rawstr, "3whs_synack_resend_with_different_ack") == 0) {
 | |
|         rawstr = "3whs_synack_resend_with_diff_ack";
 | |
|     }
 | |
| 
 | |
|     /* stream:$EVENT alias command develop as decode-event:stream.$EVENT */
 | |
|     strlcat(srawstr, rawstr, sizeof(srawstr));
 | |
| 
 | |
|     return DetectEngineEventSetup(de_ctx, s, srawstr);
 | |
| }
 | |
| 
 | |
| /*
 | |
|  * ONLY TESTS BELOW THIS COMMENT
 | |
|  */
 | |
| #ifdef UNITTESTS
 | |
| 
 | |
| /**
 | |
|  * \test EngineEventTestParse01 is a test for a  valid decode-event value
 | |
|  */
 | |
| static int EngineEventTestParse01 (void)
 | |
| {
 | |
|     DetectEngineEventData *de = DetectEngineEventParse("decoder.ipv4.pkt_too_small");
 | |
| 
 | |
|     FAIL_IF_NULL(de);
 | |
| 
 | |
|     DetectEngineEventFree(NULL, de);
 | |
| 
 | |
|     PASS;
 | |
| }
 | |
| 
 | |
| 
 | |
| /**
 | |
|  * \test EngineEventTestParse02 is a test for a  valid upper + lower case decode-event value
 | |
|  */
 | |
| static int EngineEventTestParse02 (void)
 | |
| {
 | |
|     DetectEngineEventData *de = DetectEngineEventParse("decoder.PPP.pkt_too_small");
 | |
| 
 | |
|     FAIL_IF_NULL(de);
 | |
| 
 | |
|     DetectEngineEventFree(NULL, de);
 | |
| 
 | |
|     PASS;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * \test EngineEventTestParse03 is a test for a  valid upper case decode-event value
 | |
|  */
 | |
| static int EngineEventTestParse03 (void)
 | |
| {
 | |
|     DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV6.PKT_TOO_SMALL");
 | |
| 
 | |
|     FAIL_IF_NULL(de);
 | |
| 
 | |
|     DetectEngineEventFree(NULL, de);
 | |
| 
 | |
|     PASS;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * \test EngineEventTestParse04 is a test for an  invalid upper case decode-event value
 | |
|  */
 | |
| static int EngineEventTestParse04 (void)
 | |
| {
 | |
|     DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV6.INVALID_EVENT");
 | |
| 
 | |
|     FAIL_IF_NOT_NULL(de);
 | |
| 
 | |
|     DetectEngineEventFree(NULL, de);
 | |
| 
 | |
|     PASS;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * \test EngineEventTestParse05 is a test for an  invalid char into the decode-event value
 | |
|  */
 | |
| static int EngineEventTestParse05 (void)
 | |
| {
 | |
|     DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV-6,INVALID_CHAR");
 | |
| 
 | |
|     FAIL_IF_NOT_NULL(de);
 | |
| 
 | |
|     DetectEngineEventFree(NULL, de);
 | |
| 
 | |
|     PASS;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * \test EngineEventTestParse06 is a test for match function with valid decode-event value
 | |
|  */
 | |
| static int EngineEventTestParse06 (void)
 | |
| {
 | |
|     Packet *p = PacketGetFromAlloc();
 | |
|     FAIL_IF_NULL(p);
 | |
| 
 | |
|     ThreadVars tv;
 | |
| 
 | |
|     memset(&tv, 0, sizeof(ThreadVars));
 | |
| 
 | |
|     ENGINE_SET_EVENT(p,PPP_PKT_TOO_SMALL);
 | |
| 
 | |
|     DetectEngineEventData *de = DetectEngineEventParse("decoder.ppp.pkt_too_small");
 | |
|     FAIL_IF_NULL(de);
 | |
| 
 | |
|     de->event = PPP_PKT_TOO_SMALL;
 | |
| 
 | |
|     SigMatch *sm = SigMatchAlloc();
 | |
|     FAIL_IF_NULL(sm);
 | |
| 
 | |
|     sm->type = DETECT_DECODE_EVENT;
 | |
|     sm->ctx = (SigMatchCtx *)de;
 | |
| 
 | |
|     FAIL_IF_NOT(DetectEngineEventMatch(NULL, p, NULL, sm->ctx));
 | |
| 
 | |
|     SCFree(p);
 | |
|     SCFree(de);
 | |
|     SCFree(sm);
 | |
| 
 | |
|     PASS;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * \brief this function registers unit tests for EngineEvent
 | |
|  */
 | |
| void EngineEventRegisterTests(void)
 | |
| {
 | |
|     UtRegisterTest("EngineEventTestParse01", EngineEventTestParse01);
 | |
|     UtRegisterTest("EngineEventTestParse02", EngineEventTestParse02);
 | |
|     UtRegisterTest("EngineEventTestParse03", EngineEventTestParse03);
 | |
|     UtRegisterTest("EngineEventTestParse04", EngineEventTestParse04);
 | |
|     UtRegisterTest("EngineEventTestParse05", EngineEventTestParse05);
 | |
|     UtRegisterTest("EngineEventTestParse06", EngineEventTestParse06);
 | |
| }
 | |
| #endif /* UNITTESTS */
 |