suricata
detect-app-layer-event.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "app-layer.h"
29 #include "app-layer-protos.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-smtp.h"
32 #include "detect.h"
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-state.h"
36 #include "detect-engine-build.h"
37 #include "detect-app-layer-event.h"
38 
39 #include "flow.h"
40 #include "flow-var.h"
41 #include "flow-util.h"
42 
43 #include "decode-events.h"
44 #include "util-byte.h"
45 #include "util-debug.h"
46 #include "util-enum.h"
47 #include "util-profiling.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "stream-tcp-util.h"
51 
52 #define MAX_ALPROTO_NAME 50
53 
54 typedef struct DetectAppLayerEventData_ {
56  uint8_t event_id;
58 
59 static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
60  Packet *p, const Signature *s, const SigMatchCtx *ctx);
61 static int DetectAppLayerEventSetup(DetectEngineCtx *, Signature *, const char *);
62 static void DetectAppLayerEventFree(DetectEngineCtx *, void *);
63 static uint8_t DetectEngineAptEventInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
64  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
65  uint8_t flags, void *alstate, void *tx, uint64_t tx_id);
66 static int g_applayer_events_list_id = 0;
67 
68 /**
69  * \brief Registers the keyword handlers for the "app-layer-event" keyword.
70  */
72 {
73  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].name = "app-layer-event";
74  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].desc = "match on events generated by the App Layer Parsers and the protocol detection engine";
75  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event";
77  DetectAppLayerEventPktMatch;
78  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetup;
79  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Free = DetectAppLayerEventFree;
80 
82  DetectEngineAptEventInspect, NULL);
84  DetectEngineAptEventInspect, NULL);
85 
86  g_applayer_events_list_id = DetectBufferTypeGetByName("app-layer-events");
87 }
88 
89 static uint8_t DetectEngineAptEventInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
90  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
91  uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
92 {
93  int r = 0;
94  const AppProto alproto = f->alproto;
95  const AppLayerDecoderEvents *decoder_events =
96  AppLayerParserGetEventsByTx(f->proto, alproto, tx);
97  if (decoder_events == NULL) {
98  goto end;
99  }
100  const SigMatchData *smd = engine->smd;
101  while (1) {
102  const DetectAppLayerEventData *aled = (const DetectAppLayerEventData *)smd->ctx;
104 
105  if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) {
106  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
107 
108  if (smd->is_last)
109  break;
110  smd++;
111  continue;
112  }
113 
114  KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
115  goto end;
116  }
117 
118  r = 1;
119 
120  end:
121  if (r == 1) {
123  } else {
124  if (AppLayerParserGetStateProgress(f->proto, alproto, tx, flags) ==
126  {
128  } else {
130  }
131  }
132 }
133 
134 
135 static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
136  Packet *p, const Signature *s, const SigMatchCtx *ctx)
137 {
138  const DetectAppLayerEventData *aled = (const DetectAppLayerEventData *)ctx;
139 
140  return AppLayerDecoderEventsIsEventSet(p->app_layer_events,
141  aled->event_id);
142 }
143 
144 static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg,
145  AppLayerEventType *event_type)
146 {
147  uint8_t event_id = 0;
148  if (AppLayerGetPktEventInfo(arg, &event_id) != 0) {
149  SCLogError("app-layer-event keyword "
150  "supplied with packet based event - \"%s\" that isn't "
151  "supported yet.",
152  arg);
153  return NULL;
154  }
155 
157  if (unlikely(aled == NULL))
158  return NULL;
159  aled->event_id = (uint8_t)event_id;
160  *event_type = APP_LAYER_EVENT_TYPE_PACKET;
161 
162  return aled;
163 }
164 
165 static bool OutdatedEvent(const char *raw)
166 {
167  if (strcmp(raw, "tls.certificate_missing_element") == 0 ||
168  strcmp(raw, "tls.certificate_unknown_element") == 0 ||
169  strcmp(raw, "tls.certificate_invalid_string") == 0) {
170  return true;
171  }
172  return false;
173 }
174 
175 static AppProto AppLayerEventGetProtoByName(char *alproto_name)
176 {
177  AppProto alproto = AppLayerGetProtoByName(alproto_name);
178  if (alproto == ALPROTO_HTTP) {
179  // app-layer events http refer to http1
180  alproto = ALPROTO_HTTP1;
181  }
182  return alproto;
183 }
184 
185 static int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
186 {
187  if (arg == NULL) {
188  SCLogError("app-layer-event keyword supplied "
189  "with no arguments. This keyword needs an argument.");
190  return -1;
191  }
192 
193  while (*arg != '\0' && isspace((unsigned char)*arg))
194  arg++;
195 
196  AppLayerEventType event_type;
197  DetectAppLayerEventData *data = NULL;
198 
199  if (strchr(arg, '.') == NULL) {
200  data = DetectAppLayerEventParsePkt(arg, &event_type);
201  if (data == NULL)
202  return -1;
203  } else {
204  SCLogDebug("parsing %s", arg);
205  char alproto_name[MAX_ALPROTO_NAME];
206  bool needs_detctx = false;
207 
208  const char *p_idx = strchr(arg, '.');
209  if (strlen(arg) > MAX_ALPROTO_NAME) {
210  SCLogError("app-layer-event keyword is too long or malformed");
211  return -1;
212  }
213  const char *event_name = p_idx + 1; // skip .
214  /* + 1 for trailing \0 */
215  strlcpy(alproto_name, arg, p_idx - arg + 1);
216 
217  const AppProto alproto = AppLayerEventGetProtoByName(alproto_name);
218  if (alproto == ALPROTO_UNKNOWN) {
219  if (!strcmp(alproto_name, "file")) {
220  needs_detctx = true;
221  } else {
222  SCLogError("app-layer-event keyword "
223  "supplied with unknown protocol \"%s\"",
224  alproto_name);
225  return -1;
226  }
227  }
228  if (OutdatedEvent(arg)) {
230  SCLogError("app-layer-event keyword no longer supports event \"%s\"", arg);
231  return -1;
232  } else {
233  SCLogWarning("app-layer-event keyword no longer supports event \"%s\"", arg);
234  return -3;
235  }
236  }
237 
238  uint8_t ipproto = 0;
239  if (s->proto.proto[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8)) {
240  ipproto = IPPROTO_TCP;
241  } else if (s->proto.proto[IPPROTO_UDP / 8] & 1 << (IPPROTO_UDP % 8)) {
242  ipproto = IPPROTO_UDP;
243  } else {
244  SCLogError("protocol %s is disabled", alproto_name);
245  return -1;
246  }
247 
248  int r;
249  uint8_t event_id = 0;
250  if (!needs_detctx) {
251  r = AppLayerParserGetEventInfo(ipproto, alproto, event_name, &event_id, &event_type);
252  } else {
253  r = DetectEngineGetEventInfo(event_name, &event_id, &event_type);
254  }
255  if (r < 0) {
257  SCLogError("app-layer-event keyword's "
258  "protocol \"%s\" doesn't have event \"%s\" registered",
259  alproto_name, event_name);
260  return -1;
261  } else {
262  SCLogWarning("app-layer-event keyword's "
263  "protocol \"%s\" doesn't have event \"%s\" registered",
264  alproto_name, event_name);
265  return -3;
266  }
267  }
268  data = SCCalloc(1, sizeof(*data));
269  if (unlikely(data == NULL))
270  return -1;
271  data->alproto = alproto;
272  data->event_id = (uint8_t)event_id;
273  }
274  SCLogDebug("data->event_id %u", data->event_id);
275 
276  if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
278  DETECT_SM_LIST_MATCH) == NULL) {
279  goto error;
280  }
281  } else {
282  if (DetectSignatureSetAppProto(s, data->alproto) != 0)
283  goto error;
284 
286  g_applayer_events_list_id) == NULL) {
287  goto error;
288  }
289  s->flags |= SIG_FLAG_APPLAYER;
290  }
291 
292  return 0;
293 
294 error:
295  if (data) {
296  DetectAppLayerEventFree(de_ctx, data);
297  }
298  return -1;
299 }
300 
301 static void DetectAppLayerEventFree(DetectEngineCtx *de_ctx, void *ptr)
302 {
303  SCFree(ptr);
304 }
util-byte.h
DetectAppLayerEventRegister
void DetectAppLayerEventRegister(void)
Registers the keyword handlers for the "app-layer-event" keyword.
Definition: detect-app-layer-event.c:71
DetectEngineAppInspectionEngine_
Definition: detect.h:429
SigTableElmt_::url
const char * url
Definition: detect.h:1312
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1738
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1311
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:128
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1299
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1309
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectAppLayerEventData_::alproto
AppProto alproto
Definition: detect-app-layer-event.c:55
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
AppLayerParserGetEventsByTx
AppLayerDecoderEvents * AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:838
SigMatchData_::is_last
bool is_last
Definition: detect.h:360
Flow_::proto
uint8_t proto
Definition: flow.h:378
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:81
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1072
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:361
DetectAppLayerEventData
struct DetectAppLayerEventData_ DetectAppLayerEventData
threads.h
Flow_
Flow data structure.
Definition: flow.h:356
DETECT_AL_APP_LAYER_EVENT
@ DETECT_AL_APP_LAYER_EVENT
Definition: detect-engine-register.h:203
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
AppLayerParserGetStateProgressCompletionStatus
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1101
MAX_ALPROTO_NAME
#define MAX_ALPROTO_NAME
Definition: detect-app-layer-event.c:52
DetectEngineGetEventInfo
int DetectEngineGetEventInfo(const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
Definition: app-layer-events.c:167
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:268
SigMatchData_
Data needed for Match()
Definition: detect.h:358
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1294
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
SigMatchData_::type
uint16_t type
Definition: detect.h:359
AppLayerDecoderEvents_
Data structure to store app layer decoder events.
Definition: app-layer-events.h:36
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:601
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:999
util-unittest-helper.h
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:246
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1094
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:267
detect-app-layer-event.h
decode.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1098
DetectAppLayerEventData_::event_id
uint8_t event_id
Definition: detect-app-layer-event.c:56
AppLayerGetPktEventInfo
int AppLayerGetPktEventInfo(const char *event_name, uint8_t *event_id)
Definition: app-layer-events.c:80
DetectAppLayerEventData_
Definition: detect-app-layer-event.c:54
detect.h
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
SigMatchStrictEnabled
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
Definition: detect-parse.c:385
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
app-layer-parser.h
DetectProto_::proto
uint8_t proto[256/8]
Definition: detect-engine-proto.h:36
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:604
Packet_
Definition: decode.h:476
detect-engine-build.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1277
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:39
decode-events.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:451
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:622
suricata-common.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:603
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:70
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
app-layer-protos.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:240
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
app-layer-smtp.h
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
util-enum.h
flow-var.h
AppLayerParserGetEventInfo
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1109
app-layer.h