suricata
app-layer-rfb.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
22  *
23  * RFB (VNC) application layer detector and parser.
24  *
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "util-unittest.h"
30 
31 #include "app-layer-detect-proto.h"
32 #include "app-layer-parser.h"
33 #include "app-layer-rfb.h"
34 
35 #include "rust.h"
36 
37 static int RFBRegisterPatternsForProtocolDetection(void)
38 {
40  "RFB ", 4, 0, STREAM_TOCLIENT) < 0)
41  {
42  return -1;
43  }
45  "RFB ", 4, 0, STREAM_TOSERVER) < 0)
46  {
47  return -1;
48  }
49  return 0;
50 }
51 
52 void RFBParserRegisterTests(void);
53 
55 {
56  rs_rfb_register_parser();
57  if (RFBRegisterPatternsForProtocolDetection() < 0 )
58  return;
59 #ifdef UNITTESTS
62 #endif
63 }
64 
65 
66 #ifdef UNITTESTS
67 
68 #include "stream-tcp.h"
69 #include "util-unittest-helper.h"
70 
71 static int RFBParserTest(void)
72 {
73  uint64_t ret[4];
76 
77  StreamTcpInitConfig(true);
78  TcpSession ssn;
79  memset(&ssn, 0, sizeof(ssn));
80 
81  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 59001, 5900);
82  FAIL_IF_NULL(f);
83  f->protoctx = &ssn;
84  f->proto = IPPROTO_TCP;
85  f->alproto = ALPROTO_RFB;
86 
87  static const unsigned char rfb_version_str[12] = {
88  0x52, 0x46, 0x42, 0x20, 0x30, 0x30, 0x33, 0x2e, 0x30, 0x30, 0x37, 0x0a
89  };
90 
91  // the RFB server sending the first handshake message
92  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOCLIENT | STREAM_START,
93  (uint8_t *)rfb_version_str, sizeof(rfb_version_str));
94  FAIL_IF_NOT(r == 0);
95 
97  NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)rfb_version_str, sizeof(rfb_version_str));
98  FAIL_IF_NOT(r == 0);
99 
100  static const unsigned char security_types[3] = {
101  0x02, 0x01, 0x02
102  };
104  NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOCLIENT, (uint8_t *)security_types, sizeof(security_types));
105  FAIL_IF_NOT(r == 0);
106 
107  static const unsigned char type_selection[1] = {
108  0x01
109  };
111  NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)type_selection, sizeof(type_selection));
112  FAIL_IF_NOT(r == 0);
113 
114  static const unsigned char client_init[1] = {
115  0x01
116  };
118  NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)client_init, sizeof(client_init));
119  FAIL_IF_NOT(r == 0);
120 
121  static const unsigned char server_init[] = {
122  0x05, 0x00, 0x03, 0x20, 0x20, 0x18, 0x00, 0x01,
123  0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x10, 0x08,
124  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e,
125  0x61, 0x6e, 0x65, 0x61, 0x67, 0x6c, 0x65, 0x73,
126  0x40, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f,
127  0x73, 0x74, 0x2e, 0x6c, 0x6f, 0x63, 0x61, 0x6c,
128  0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e
129  };
130 
132  NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOCLIENT, (uint8_t *)server_init, sizeof(server_init));
133  FAIL_IF_NOT(r == 0);
134 
135  AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT);
136  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
137  FAIL_IF_NOT(ret[0] == 1); // inspect_id[0]
138  FAIL_IF_NOT(ret[1] == 1); // inspect_id[1]
139  FAIL_IF_NOT(ret[2] == 1); // log_id
140  FAIL_IF_NOT(ret[3] == 1); // min_id
141 
142  AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT);
144  StreamTcpFreeConfig(true);
145  UTHFreeFlow(f);
146 
147  PASS;
148 }
149 
151 {
152  UtRegisterTest("RFBParserTest", RFBParserTest);
153 }
154 
155 #endif
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
AppLayerProtoDetectPMRegisterPatternCI
int AppLayerProtoDetectPMRegisterPatternCI(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
Registers a case-insensitive pattern for protocol detection.
Definition: app-layer-detect-proto.c:1706
stream-tcp.h
AppLayerParserTransactionsCleanup
void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir)
remove obsolete (inspected and logged) transactions
Definition: app-layer-parser.c:919
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:372
Flow_
Flow data structure.
Definition: flow.h:350
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
rust.h
Flow_::protoctx
void * protoctx
Definition: flow.h:440
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:474
RegisterRFBParsers
void RegisterRFBParsers(void)
Definition: app-layer-rfb.c:54
app-layer-detect-proto.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:359
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:501
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
app-layer-rfb.h
app-layer-parser.h
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1908
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:506
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:690
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1303
suricata-common.h
UTHAppLayerParserStateGetIds
void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
Definition: app-layer-parser.c:215
RFBParserRegisterTests
void RFBParserRegisterTests(void)
Definition: app-layer-rfb.c:150
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:55
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:449