suricata
detect-base64-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2015 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "detect.h"
20 #include "detect-engine.h"
21 #include "detect-engine-content-inspection.h"
22 #include "detect-parse.h"
23 #include "detect-base64-data.h"
24 #include "detect-engine-build.h"
25 
26 #include "util-unittest.h"
27 
28 static int DetectBase64DataSetup(DetectEngineCtx *, Signature *, const char *);
29 #ifdef UNITTESTS
30 static void DetectBase64DataRegisterTests(void);
31 #endif
32 
33 void DetectBase64DataRegister(void)
34 {
35  sigmatch_table[DETECT_BASE64_DATA].name = "base64_data";
36  sigmatch_table[DETECT_BASE64_DATA].desc =
37  "Content match base64 decoded data.";
38  sigmatch_table[DETECT_BASE64_DATA].url =
39  "/rules/base64-keywords.html#base64-data";
40  sigmatch_table[DETECT_BASE64_DATA].Setup = DetectBase64DataSetup;
41 #ifdef UNITTESTS
42  sigmatch_table[DETECT_BASE64_DATA].RegisterTests =
43  DetectBase64DataRegisterTests;
44 #endif
45  sigmatch_table[DETECT_BASE64_DATA].flags |= SIGMATCH_NOOPT;
46 }
47 
48 static int DetectBase64DataSetup(DetectEngineCtx *de_ctx, Signature *s,
49  const char *str)
50 {
51  SigMatch *pm = NULL;
52 
53  /* Check for a preceding base64_decode. */
54  pm = DetectGetLastSMFromLists(s, DETECT_BASE64_DECODE, -1);
55  if (pm == NULL) {
56  SCLogError("\"base64_data\" keyword seen without preceding base64_decode.");
57  return -1;
58  }
59 
60  s->init_data->list = DETECT_SM_LIST_BASE64_DATA;
61  return 0;
62 }
63 
64 #ifdef UNITTESTS
65 
66 static int g_file_data_buffer_id = 0;
67 
68 static int DetectBase64DataSetupTest01(void)
69 {
70  DetectEngineCtx *de_ctx = NULL;
71  SigMatch *sm;
72  int retval = 0;
73 
74  de_ctx = DetectEngineCtxInit();
75  if (de_ctx == NULL) {
76  goto end;
77  }
78 
79  de_ctx->flags |= DE_QUIET;
80  de_ctx->sig_list = SigInit(de_ctx,
81  "alert smtp any any -> any any (msg:\"DetectBase64DataSetupTest\"; "
82  "base64_decode; base64_data; content:\"content\"; sid:1; rev:1;)");
83  if (de_ctx->sig_list == NULL) {
84  printf("SigInit failed: ");
85  goto end;
86  }
87 
88  sm = de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH];
89  if (sm == NULL) {
90  printf("DETECT_SM_LIST_PMATCH should not be NULL: ");
91  goto end;
92  }
93  if (sm->type != DETECT_BASE64_DECODE) {
94  printf("sm->type should be DETECT_BASE64_DECODE: ");
95  goto end;
96  }
97 
98  if (de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_BASE64_DATA] == NULL) {
99  printf("DETECT_SM_LIST_BASE64_DATA should not be NULL: ");
100  goto end;
101  }
102 
103  retval = 1;
104 end:
105  if (de_ctx != NULL) {
106  SigGroupCleanup(de_ctx);
107  SigCleanSignatures(de_ctx);
108  DetectEngineCtxFree(de_ctx);
109  }
110  return retval;
111 }
112 
113 /**
114  * \test Test that the list can be changed to post-detection lists
115  * after the base64 keyword.
116  */
117 static int DetectBase64DataSetupTest04(void)
118 {
119  DetectEngineCtx *de_ctx = NULL;
120  int retval = 0;
121 
122  de_ctx = DetectEngineCtxInit();
123  if (de_ctx == NULL) {
124  goto end;
125  }
126 
127  de_ctx->flags |= DE_QUIET;
128  de_ctx->sig_list = SigInit(de_ctx,
129  "alert tcp any any -> any any (msg:\"some b64thing\"; flow:established,from_server; file_data; content:\"sometext\"; fast_pattern; base64_decode:relative; base64_data; content:\"foobar\"; nocase; tag:session,120,seconds; sid:1111111; rev:1;)");
130  if (de_ctx->sig_list == NULL) {
131  printf("SigInit failed: ");
132  goto end;
133  }
134 
135  retval = 1;
136 end:
137  if (de_ctx != NULL) {
138  SigGroupCleanup(de_ctx);
139  SigCleanSignatures(de_ctx);
140  DetectEngineCtxFree(de_ctx);
141  }
142  return retval;
143 }
144 
145 static void DetectBase64DataRegisterTests(void)
146 {
147  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
148 
149  UtRegisterTest("DetectBase64DataSetupTest01", DetectBase64DataSetupTest01);
150  UtRegisterTest("DetectBase64DataSetupTest04", DetectBase64DataSetupTest04);
151 }
152 #endif /* UNITTESTS */
SigTableElmt_::url
const char * url
Definition: detect.h:1431
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:118
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:644
SigTableElmt_::desc
const char * desc
Definition: detect.h:1430
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
SigTableElmt_::name
const char * name
Definition: detect.h:1428
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1422
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:931
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2674
DE_QUIET
#define DE_QUIET
Definition: detect.h:329
DETECT_BASE64_DATA
@ DETECT_BASE64_DATA
Definition: detect-engine-register.h:89
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:55
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1413
util-unittest.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1157
detect-base64-data.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DETECT_SM_LIST_BASE64_DATA
@ DETECT_SM_LIST_BASE64_DATA
Definition: detect.h:123
SignatureInitData_::list
int list
Definition: detect.h:630
detect.h
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3097
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2200
detect-engine-build.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:749
detect-engine-content-inspection.h
DetectBase64DataRegister
void DetectBase64DataRegister(void)
Definition: detect-base64-data.c:33
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:940
str
#define str(s)
Definition: suricata-common.h:308
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
detect-parse.h
Signature_
Signature container.
Definition: detect.h:670
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2635
DETECT_BASE64_DECODE
@ DETECT_BASE64_DECODE
Definition: detect-engine-register.h:88
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1620
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:640
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:933
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1420