suricata
detect-app-layer-event.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "app-layer.h"
29 #include "app-layer-protos.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-smtp.h"
32 #include "detect.h"
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-state.h"
36 #include "detect-engine-build.h"
37 #include "detect-app-layer-event.h"
38 
39 #include "flow.h"
40 #include "flow-var.h"
41 #include "flow-util.h"
42 
43 #include "decode-events.h"
44 #include "util-byte.h"
45 #include "util-debug.h"
46 #include "util-enum.h"
47 #include "util-profiling.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "stream-tcp-util.h"
51 
52 #define MAX_ALPROTO_NAME 50
53 
54 typedef struct DetectAppLayerEventData_ {
56  uint8_t event_id;
58 
59 static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
60  Packet *p, const Signature *s, const SigMatchCtx *ctx);
61 static int DetectAppLayerEventSetup(DetectEngineCtx *, Signature *, const char *);
62 static void DetectAppLayerEventFree(DetectEngineCtx *, void *);
63 static uint8_t DetectEngineAptEventInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
64  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
65  uint8_t flags, void *alstate, void *tx, uint64_t tx_id);
66 static int g_applayer_events_list_id = 0;
67 
68 /**
69  * \brief Registers the keyword handlers for the "app-layer-event" keyword.
70  */
72 {
73  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].name = "app-layer-event";
74  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].desc = "match on events generated by the App Layer Parsers and the protocol detection engine";
75  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event";
77  DetectAppLayerEventPktMatch;
78  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetup;
79  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Free = DetectAppLayerEventFree;
80 
82  DetectEngineAptEventInspect, NULL);
84  DetectEngineAptEventInspect, NULL);
85 
86  g_applayer_events_list_id = DetectBufferTypeGetByName("app-layer-events");
87 }
88 
89 static uint8_t DetectEngineAptEventInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
90  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
91  uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
92 {
93  int r = 0;
94  const AppProto alproto = f->alproto;
95  AppLayerDecoderEvents *decoder_events =
96  AppLayerParserGetEventsByTx(f->proto, alproto, tx);
97  if (decoder_events == NULL) {
98  goto end;
99  }
100  SigMatchData *smd = engine->smd;
101  while (1) {
104 
105  if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) {
106  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
107 
108  if (smd->is_last)
109  break;
110  smd++;
111  continue;
112  }
113 
114  KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
115  goto end;
116  }
117 
118  r = 1;
119 
120  end:
121  if (r == 1) {
123  } else {
124  if (AppLayerParserGetStateProgress(f->proto, alproto, tx, flags) ==
126  {
128  } else {
130  }
131  }
132 }
133 
134 
135 static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
136  Packet *p, const Signature *s, const SigMatchCtx *ctx)
137 {
138  const DetectAppLayerEventData *aled = (const DetectAppLayerEventData *)ctx;
139 
140  return AppLayerDecoderEventsIsEventSet(p->app_layer_events,
141  aled->event_id);
142 }
143 
144 static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg,
145  AppLayerEventType *event_type)
146 {
147  int event_id = 0;
148  int r = AppLayerGetPktEventInfo(arg, &event_id);
149  if (r < 0 || r > UINT8_MAX) {
150  SCLogError("app-layer-event keyword "
151  "supplied with packet based event - \"%s\" that isn't "
152  "supported yet.",
153  arg);
154  return NULL;
155  }
156 
158  if (unlikely(aled == NULL))
159  return NULL;
160  aled->event_id = (uint8_t)event_id;
161  *event_type = APP_LAYER_EVENT_TYPE_PACKET;
162 
163  return aled;
164 }
165 
166 static bool OutdatedEvent(const char *raw)
167 {
168  if (strcmp(raw, "tls.certificate_missing_element") == 0 ||
169  strcmp(raw, "tls.certificate_unknown_element") == 0 ||
170  strcmp(raw, "tls.certificate_invalid_string") == 0) {
171  return true;
172  }
173  return false;
174 }
175 
176 static AppProto AppLayerEventGetProtoByName(char *alproto_name)
177 {
178  AppProto alproto = AppLayerGetProtoByName(alproto_name);
179  if (alproto == ALPROTO_HTTP) {
180  // app-layer events http refer to http1
181  alproto = ALPROTO_HTTP1;
182  }
183  return alproto;
184 }
185 
186 static int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
187 {
188  if (arg == NULL) {
189  SCLogError("app-layer-event keyword supplied "
190  "with no arguments. This keyword needs an argument.");
191  return -1;
192  }
193 
194  while (*arg != '\0' && isspace((unsigned char)*arg))
195  arg++;
196 
197  AppLayerEventType event_type;
198  DetectAppLayerEventData *data = NULL;
199 
200  if (strchr(arg, '.') == NULL) {
201  data = DetectAppLayerEventParsePkt(arg, &event_type);
202  if (data == NULL)
203  return -1;
204  } else {
205  SCLogDebug("parsing %s", arg);
206  char alproto_name[MAX_ALPROTO_NAME];
207  bool needs_detctx = false;
208 
209  const char *p_idx = strchr(arg, '.');
210  if (strlen(arg) > MAX_ALPROTO_NAME) {
211  SCLogError("app-layer-event keyword is too long or malformed");
212  return -1;
213  }
214  const char *event_name = p_idx + 1; // skip .
215  /* + 1 for trailing \0 */
216  strlcpy(alproto_name, arg, p_idx - arg + 1);
217 
218  const AppProto alproto = AppLayerEventGetProtoByName(alproto_name);
219  if (alproto == ALPROTO_UNKNOWN) {
220  if (!strcmp(alproto_name, "file")) {
221  needs_detctx = true;
222  } else {
223  SCLogError("app-layer-event keyword "
224  "supplied with unknown protocol \"%s\"",
225  alproto_name);
226  return -1;
227  }
228  }
229  if (OutdatedEvent(arg)) {
231  SCLogError("app-layer-event keyword no longer supports event \"%s\"", arg);
232  return -1;
233  } else {
234  SCLogWarning("app-layer-event keyword no longer supports event \"%s\"", arg);
235  return -3;
236  }
237  }
238 
239  uint8_t ipproto = 0;
240  if (s->proto.proto[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8)) {
241  ipproto = IPPROTO_TCP;
242  } else if (s->proto.proto[IPPROTO_UDP / 8] & 1 << (IPPROTO_UDP % 8)) {
243  ipproto = IPPROTO_UDP;
244  } else {
245  SCLogError("protocol %s is disabled", alproto_name);
246  return -1;
247  }
248 
249  int r;
250  int event_id = 0;
251  if (!needs_detctx) {
252  r = AppLayerParserGetEventInfo(ipproto, alproto, event_name, &event_id, &event_type);
253  } else {
254  r = DetectEngineGetEventInfo(event_name, &event_id, &event_type);
255  }
256  if (r < 0) {
258  SCLogError("app-layer-event keyword's "
259  "protocol \"%s\" doesn't have event \"%s\" registered",
260  alproto_name, event_name);
261  return -1;
262  } else {
263  SCLogWarning("app-layer-event keyword's "
264  "protocol \"%s\" doesn't have event \"%s\" registered",
265  alproto_name, event_name);
266  return -3;
267  }
268  }
269  if (event_id > UINT8_MAX) {
270  SCLogWarning("app-layer-event keyword's id has invalid value");
271  return -4;
272  }
273  data = SCCalloc(1, sizeof(*data));
274  if (unlikely(data == NULL))
275  return -1;
276  data->alproto = alproto;
277  data->event_id = (uint8_t)event_id;
278  }
279  SCLogDebug("data->event_id %u", data->event_id);
280 
281  SigMatch *sm = SigMatchAlloc();
282  if (sm == NULL)
283  goto error;
284 
286  sm->ctx = (SigMatchCtx *)data;
287 
288  if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
290  } else {
291  if (DetectSignatureSetAppProto(s, data->alproto) != 0)
292  goto error;
293 
294  SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
295  s->flags |= SIG_FLAG_APPLAYER;
296  }
297 
298  return 0;
299 
300 error:
301  if (data) {
302  DetectAppLayerEventFree(de_ctx, data);
303  }
304  if (sm) {
305  sm->ctx = NULL;
306  SigMatchFree(de_ctx, sm);
307  }
308  return -1;
309 }
310 
311 static void DetectAppLayerEventFree(DetectEngineCtx *de_ctx, void *ptr)
312 {
313  SCFree(ptr);
314 }
util-byte.h
DetectAppLayerEventRegister
void DetectAppLayerEventRegister(void)
Registers the keyword handlers for the "app-layer-event" keyword.
Definition: detect-app-layer-event.c:71
DetectEngineAppInspectionEngine_
Definition: detect.h:418
SigTableElmt_::url
const char * url
Definition: detect.h:1271
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1627
detect-engine.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:382
SigTableElmt_::desc
const char * desc
Definition: detect.h:1270
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:282
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1258
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1268
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectAppLayerEventData_::alproto
AppProto alproto
Definition: detect-app-layer-event.c:55
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
AppLayerParserGetEventsByTx
AppLayerDecoderEvents * AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:874
Flow_::proto
uint8_t proto
Definition: flow.h:365
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1105
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:353
DetectAppLayerEventData
struct DetectAppLayerEventData_ DetectAppLayerEventData
threads.h
Flow_
Flow data structure.
Definition: flow.h:343
AppLayerEventType
enum AppLayerEventType_ AppLayerEventType
DETECT_AL_APP_LAYER_EVENT
@ DETECT_AL_APP_LAYER_EVENT
Definition: detect-engine-register.h:181
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:827
AppLayerParserGetStateProgressCompletionStatus
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1134
MAX_ALPROTO_NAME
#define MAX_ALPROTO_NAME
Definition: detect-app-layer-event.c:52
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:257
SigMatchData_
Data needed for Match()
Definition: detect.h:350
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1253
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
SigMatchData_::type
uint16_t type
Definition: detect.h:351
AppLayerDecoderEvents_
Data structure to store app layer decoder events.
Definition: app-layer-events.h:34
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:601
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:932
util-unittest-helper.h
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:239
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1147
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
APP_LAYER_EVENT_TYPE_PACKET
@ APP_LAYER_EVENT_TYPE_PACKET
Definition: app-layer-events.h:58
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:256
detect-app-layer-event.h
decode.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1058
DetectAppLayerEventData_::event_id
uint8_t event_id
Definition: detect-app-layer-event.c:56
DetectAppLayerEventData_
Definition: detect-app-layer-event.c:54
detect.h
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
SigMatchStrictEnabled
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
Definition: detect-parse.c:330
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:109
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:344
DetectProto_::proto
uint8_t proto[256/8]
Definition: detect-engine-proto.h:37
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:583
Packet_
Definition: decode.h:429
detect-engine-build.h
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:239
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1236
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:267
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
decode-events.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:336
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:435
DetectEngineGetEventInfo
int DetectEngineGetEventInfo(const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: detect-engine.c:4832
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:601
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:352
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:342
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:77
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:582
SigMatch_
a single match condition for a signature
Definition: detect.h:341
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
AppLayerGetPktEventInfo
int AppLayerGetPktEventInfo(const char *event_name, int *event_id)
Definition: app-layer-events.c:68
app-layer-protos.h
app-layer-smtp.h
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
util-enum.h
flow-var.h
app-layer.h
AppLayerParserGetEventInfo
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1142