suricata
app-layer-rfb.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
22  *
23  * RFB (VNC) application layer detector and parser.
24  *
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "util-unittest.h"
30 
31 #include "app-layer-detect-proto.h"
32 #include "app-layer-parser.h"
33 #include "app-layer-rfb.h"
34 
35 #include "rust-bindings.h"
36 
37 static int RFBRegisterPatternsForProtocolDetection(void)
38 {
40  "RFB ", 4, 0, STREAM_TOCLIENT) < 0)
41  {
42  return -1;
43  }
45  "RFB ", 4, 0, STREAM_TOSERVER) < 0)
46  {
47  return -1;
48  }
49  return 0;
50 }
51 
52 void RFBParserRegisterTests(void);
53 
55 {
56  rs_rfb_register_parser();
57  if (RFBRegisterPatternsForProtocolDetection() < 0 )
58  return;
59 #ifdef UNITTESTS
62 #endif
63 }
64 
65 
66 #ifdef UNITTESTS
67 
68 #include "stream-tcp.h"
69 #include "util-unittest-helper.h"
70 
71 static int RFBParserTest(void)
72 {
73  uint64_t ret[4];
76 
77  StreamTcpInitConfig(true);
78  TcpSession ssn;
79  memset(&ssn, 0, sizeof(ssn));
80 
81  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 59001, 5900);
82  FAIL_IF_NULL(f);
83  f->protoctx = &ssn;
84  f->proto = IPPROTO_TCP;
85  f->alproto = ALPROTO_RFB;
86 
87  static const unsigned char rfb_version_str[12] = {
88  0x52, 0x46, 0x42, 0x20, 0x30, 0x30, 0x33, 0x2e, 0x30, 0x30, 0x37, 0x0a
89  };
90 
91  // the RFB server sending the first handshake message
93  (uint8_t *)rfb_version_str, sizeof(rfb_version_str));
94  FAIL_IF_NOT(r == 0);
95 
97  NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)rfb_version_str, sizeof(rfb_version_str));
98  FAIL_IF_NOT(r == 0);
99 
100  static const unsigned char security_types[3] = {
101  0x02, 0x01, 0x02
102  };
104  NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOCLIENT, (uint8_t *)security_types, sizeof(security_types));
105  FAIL_IF_NOT(r == 0);
106 
107  static const unsigned char type_selection[1] = {
108  0x01
109  };
111  NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)type_selection, sizeof(type_selection));
112  FAIL_IF_NOT(r == 0);
113 
114  static const unsigned char client_init[1] = {
115  0x01
116  };
118  NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)client_init, sizeof(client_init));
119  FAIL_IF_NOT(r == 0);
120 
121  static const unsigned char server_init[] = {
122  0x05, 0x00, 0x03, 0x20, 0x20, 0x18, 0x00, 0x01,
123  0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x10, 0x08,
124  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e,
125  0x61, 0x6e, 0x65, 0x61, 0x67, 0x6c, 0x65, 0x73,
126  0x40, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f,
127  0x73, 0x74, 0x2e, 0x6c, 0x6f, 0x63, 0x61, 0x6c,
128  0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e
129  };
130 
132  NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOCLIENT, (uint8_t *)server_init, sizeof(server_init));
133  FAIL_IF_NOT(r == 0);
134 
136  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
137  FAIL_IF_NOT(ret[0] == 1); // inspect_id[0]
138  FAIL_IF_NOT(ret[1] == 1); // inspect_id[1]
139  FAIL_IF_NOT(ret[2] == 1); // log_id
140  FAIL_IF_NOT(ret[3] == 1); // min_id
141 
144  StreamTcpFreeConfig(true);
145  UTHFreeFlow(f);
146 
147  PASS;
148 }
149 
151 {
152  UtRegisterTest("RFBParserTest", RFBParserTest);
153 }
154 
155 #endif
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
AppLayerProtoDetectPMRegisterPatternCI
int AppLayerProtoDetectPMRegisterPatternCI(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
Registers a case-insensitive pattern for protocol detection.
Definition: app-layer-detect-proto.c:1812
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:375
Flow_
Flow data structure.
Definition: flow.h:353
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:277
Flow_::protoctx
void * protoctx
Definition: flow.h:451
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
STREAM_START
#define STREAM_START
Definition: stream.h:29
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:485
RegisterRFBParsers
void RegisterRFBParsers(void)
Definition: app-layer-rfb.c:54
app-layer-detect-proto.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:521
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:20
app-layer-rfb.h
app-layer-parser.h
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1752
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:526
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:251
AppLayerParserTransactionsCleanup
void AppLayerParserTransactionsCleanup(Flow *f)
remove obsolete (inspected and logged) transactions
Definition: app-layer-parser.c:885
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:670
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1211
suricata-common.h
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
UTHAppLayerParserStateGetIds
void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
Definition: app-layer-parser.c:172
RFBParserRegisterTests
void RFBParserRegisterTests(void)
Definition: app-layer-rfb.c:150
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:54
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
TcpSession_
Definition: stream-tcp-private.h:260
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460