suricata
detect-app-layer-state.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <vjulien@oisf.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "app-layer.h"
29 #include "app-layer-protos.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-smtp.h"
32 #include "detect.h"
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-state.h"
36 #include "detect-engine-build.h"
37 #include "detect-app-layer-state.h"
38 
39 #include "flow.h"
40 #include "flow-var.h"
41 #include "flow-util.h"
42 
43 #include "decode-events.h"
44 #include "util-byte.h"
45 #include "util-debug.h"
46 #include "util-enum.h"
47 #include "util-profiling.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "stream-tcp-util.h"
51 
52 typedef struct DetectAppLayerStateData_ {
53  uint8_t progress;
54  int8_t mode;
56 
57 static int DetectAppLayerStateSetup(DetectEngineCtx *, Signature *, const char *);
58 static void DetectAppLayerStateFree(DetectEngineCtx *, void *);
59 static uint8_t DetectEngineAptStateInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
60  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
61  uint8_t flags, void *alstate, void *tx, uint64_t tx_id);
62 static int g_applayer_state_list_id = 0;
63 
65 {
66  sigmatch_table[DETECT_APP_LAYER_STATE].name = "app-layer-state";
68  "match on events generated by the App Layer Parsers and the protocol detection engine";
69  sigmatch_table[DETECT_APP_LAYER_STATE].url = "/rules/app-layer.html#app-layer-event";
70  sigmatch_table[DETECT_APP_LAYER_STATE].Setup = DetectAppLayerStateSetup;
71  sigmatch_table[DETECT_APP_LAYER_STATE].Free = DetectAppLayerStateFree;
72 
74  DetectEngineAptStateInspect, NULL);
76  DetectEngineAptStateInspect, NULL);
77 
78  g_applayer_state_list_id = DetectBufferTypeGetByName("app-layer-state");
79 }
80 
81 static uint8_t DetectEngineAptStateInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
82  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
83  uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
84 {
85  int r = 0;
86  const AppProto alproto = f->alproto;
87  const uint8_t tx_progress =
88  (uint8_t)AppLayerParserGetStateProgress(f->proto, alproto, tx, flags);
89 
90  const SigMatchData *smd = engine->smd;
91  while (1) {
92  const DetectAppLayerStateData *data = (const DetectAppLayerStateData *)smd->ctx;
94 
95  bool match = false;
96  if (data->mode == -1) {
97  SCLogDebug("sid:%u tx_progress %u < keyword progress %u ?", s->id, tx_progress,
98  data->progress);
99  if (tx_progress < data->progress) {
100  match = true;
101  }
102  } else if (data->mode == 1) {
103  SCLogDebug("sid:%u tx_progress %u > keyword progress %u ?", s->id, tx_progress,
104  data->progress);
105  if (tx_progress > data->progress) {
106  match = true;
107  }
108  } else {
109  BUG_ON(1);
110  }
111 
112  if (match) {
113  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
114 
115  if (smd->is_last)
116  break;
117  smd++;
118  continue;
119  }
120 
121  KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
122  goto end;
123  }
124  r = 1;
125 
126 end:
127  if (r == 1) {
128  SCLogDebug("DETECT_ENGINE_INSPECT_SIG_MATCH");
130  } else {
131  AppLayerTxData *txd = AppLayerParserGetTxData(f->proto, alproto, tx);
132  uint8_t tx_end_state;
133  if (txd->tx_type == 0) {
134  tx_end_state = (uint8_t)AppLayerParserGetStateProgressCompletionStatus(alproto, flags);
135  } else {
136  if (flags & STREAM_TOSERVER)
137  tx_end_state = txd->tx_type_eop_ts;
138  else
139  tx_end_state = txd->tx_type_eop_tc;
140  }
141  if (AppLayerParserGetStateProgress(f->proto, alproto, tx, flags) == tx_end_state) {
142  SCLogDebug("DETECT_ENGINE_INSPECT_SIG_CANT_MATCH");
144  } else {
145  SCLogDebug("DETECT_ENGINE_INSPECT_SIG_NO_MATCH");
147  }
148  }
149 }
150 
151 // TODO dedup with detect-parse.c
152 static SignatureHook SetAppHook(const AppProto alproto, uint8_t progress)
153 {
154  SignatureHook h = {
156  .t.app.alproto = alproto,
157  .t.app.app_progress = progress,
158  };
159  return h;
160 }
161 
162 static int DetectAppLayerStateSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
163 {
164  if (s->alproto == ALPROTO_UNKNOWN) {
165  return -1;
166  }
167 
168  int mode = 0;
169 
170  if (strlen(arg) > 0) {
171  if (arg[0] == '<') {
172  mode = -1;
173  arg++;
174  } else if (arg[0] == '>') {
175  mode = 1;
176  arg++;
177  }
178  }
179 
180  if (mode == 0) {
181  const char *h = arg;
182 
183  const int progress_ts = AppLayerParserGetStateIdByName(
184  IPPROTO_TCP /* TODO */, s->alproto, h, STREAM_TOSERVER);
185  if (progress_ts >= 0) {
186  s->flags |= SIG_FLAG_TOSERVER;
187  s->init_data->hook = SetAppHook(s->alproto, (uint8_t)progress_ts);
188  } else {
189  const int progress_tc = AppLayerParserGetStateIdByName(
190  IPPROTO_TCP /* TODO */, s->alproto, h, STREAM_TOCLIENT);
191  if (progress_tc < 0) {
192  return -1;
193  }
194  s->flags |= SIG_FLAG_TOCLIENT;
195  s->init_data->hook = SetAppHook(s->alproto, (uint8_t)progress_tc);
196  }
197  SCLogDebug("hook %u", s->init_data->hook.t.app.app_progress);
198  return 0;
199  }
200 
201  int progress = 0;
202  const char *h = arg;
203  const int progress_ts =
204  AppLayerParserGetStateIdByName(IPPROTO_TCP /* TODO */, s->alproto, h, STREAM_TOSERVER);
205  if (progress_ts >= 0) {
206  s->flags |= SIG_FLAG_TOSERVER;
207  progress = progress_ts;
208  } else {
209  const int progress_tc = AppLayerParserGetStateIdByName(
210  IPPROTO_TCP /* TODO */, s->alproto, h, STREAM_TOCLIENT);
211  if (progress_tc < 0) {
212  return -1;
213  }
214  s->flags |= SIG_FLAG_TOCLIENT;
215  progress = progress_tc;
216  }
217 
218  DetectAppLayerStateData *data = SCCalloc(1, sizeof(*data));
219  if (data == NULL)
220  return -1;
221 
222  data->progress = (uint8_t)progress;
223  data->mode = (int8_t)mode;
224 
226  g_applayer_state_list_id) == NULL) {
227  SCFree(data);
228  return -1;
229  }
230  s->flags |= SIG_FLAG_APPLAYER;
231 
232  return 0;
233 }
234 
235 static void DetectAppLayerStateFree(DetectEngineCtx *de_ctx, void *ptr)
236 {
237  SCFree(ptr);
238 }
util-byte.h
DetectEngineAppInspectionEngine_
Definition: detect.h:416
SigTableElmt_::url
const char * url
Definition: detect.h:1521
detect-engine.h
SignatureHook_
Definition: detect.h:576
SigTableElmt_::desc
const char * desc
Definition: detect.h:1520
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
DETECT_APP_LAYER_STATE
@ DETECT_APP_LAYER_STATE
Definition: detect-engine-register.h:205
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1505
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1518
AppLayerTxData::tx_type
uint8_t tx_type
Definition: app-layer-parser.h:209
Signature_::alproto
AppProto alproto
Definition: detect.h:687
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
SigMatchData_::is_last
bool is_last
Definition: detect.h:367
SignatureHook_::app
struct SignatureHook_::@87::@88 app
Flow_::proto
uint8_t proto
Definition: flow.h:376
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:87
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
AppLayerParserGetStateProgressCompletionStatus
uint8_t AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1252
SignatureHook_::t
union SignatureHook_::@87 t
threads.h
Flow_
Flow data structure.
Definition: flow.h:354
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:981
AppLayerParserGetStateIdByName
int AppLayerParserGetStateIdByName(uint8_t ipproto, AppProto alproto, const char *name, const uint8_t direction)
Definition: app-layer-parser.c:1858
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
SigMatchData_
Data needed for Match()
Definition: detect.h:365
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1500
AppLayerTxData::tx_type_eop_ts
uint8_t tx_type_eop_ts
Definition: app-layer-parser.h:213
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
SigMatchData_::type
uint16_t type
Definition: detect.h:366
util-unittest.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, uint8_t progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:276
util-unittest-helper.h
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:248
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1455
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
SIGNATURE_HOOK_TYPE_APP
@ SIGNATURE_HOOK_TYPE_APP
Definition: detect.h:551
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
decode.h
util-debug.h
AppLayerTxData
Definition: app-layer-parser.h:166
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:22
DetectEngineThreadCtx_
Definition: detect.h:1300
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:387
detect.h
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:41
DetectAppLayerStateData_::progress
uint8_t progress
Definition: detect-app-layer-state.c:53
app-layer-parser.h
SignatureInitData_::hook
SignatureHook hook
Definition: detect.h:597
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *tx, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1225
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:325
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:683
detect-engine-build.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:761
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:42
DetectAppLayerStateData
struct DetectAppLayerStateData_ DetectAppLayerStateData
decode-events.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:440
DetectAppLayerStateRegister
void DetectAppLayerStateRegister(void)
Definition: detect-app-layer-state.c:64
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
SignatureHook_::type
enum SignatureHookType type
Definition: detect.h:577
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1446
AppLayerTxData::tx_type_eop_tc
uint8_t tx_type_eop_tc
toclient end of tx progress value
Definition: app-layer-parser.h:215
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:40
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Signature_::id
uint32_t id
Definition: detect.h:727
detect-parse.h
Signature_
Signature container.
Definition: detect.h:682
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
app-layer-protos.h
app-layer-smtp.h
detect-app-layer-state.h
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
util-enum.h
flow-var.h
app-layer.h
DetectAppLayerStateData_::mode
int8_t mode
Definition: detect-app-layer-state.c:54
DetectAppLayerStateData_
Definition: detect-app-layer-state.c:52