1 /* Copyright (C) 2017-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the bsize generic buffer length keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "util-unittest.h"
28 #include "util-unittest-helper.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 #include "detect-engine.h"
33 #include "detect-engine-buffer.h"
34 #include "detect-content.h"
35 #include "detect-engine-uint.h"
36 
37 #include "detect-bsize.h"
38 
39 #include "util-misc.h"
40 
/*prototypes*/
/* All keyword callbacks are file-local. DetectBsizeFree is declared static
 * here, so its definition further down has internal linkage even though that
 * definition omits the keyword. */
static int DetectBsizeSetup (DetectEngineCtx *, Signature *, const char *);
static void DetectBsizeFree (DetectEngineCtx *, void *);
/* Upper bound a bsize keyword places on the buffer size; used by the
 * parse-time content validation. See the definition for the return codes. */
static int SigParseGetMaxBsize(const DetectU64Data *bsz, uint64_t *bsize);
#ifdef UNITTESTS
static void DetectBsizeRegisterTests (void);
#endif
48 
/**
 * \brief Reject signatures whose content can never fit inside their bsize.
 *
 * Runs at signature parse time for one buffer. If the buffer carries a bsize
 * keyword with an upper bound, the total size the content keywords on that
 * buffer require (length plus offset) is compared against that bound. A
 * signature that can provably never match is refused with an error, so the
 * rule author learns about it at load time instead of the rule silently
 * never firing.
 *
 * \param s the signature being parsed
 * \param b the buffer (SigMatch list) being validated
 *
 * \retval true the signature is acceptable, or has no bounded bsize keyword
 * \retval false the required content size exceeds the bsize bound
 */
bool DetectBsizeValidateContentCallback(Signature *s, const SignatureInitDataBuffer *b)
{
    /* find the bsize keyword on this buffer, if there is one */
    const DetectU64Data *bsz = NULL;
    for (const SigMatch *sm = b->head; sm != NULL; sm = sm->next) {
        if (sm->type == DETECT_BSIZE) {
            bsz = (const DetectU64Data *)sm->ctx;
            break;
        }
    }
    if (bsz == NULL) {
        return true;
    }

    /* only modes with an upper bound give us something to check against */
    uint64_t bsize = 0;
    if (SigParseGetMaxBsize(bsz, &bsize) != 0) {
        return true;
    }

    int len = 0, offset = 0;
    SigParseRequiredContentSize(s, bsize, b->head, &len, &offset);
    SCLogDebug("bsize: %" PRIu64 "; len: %d; offset: %d [%s]", bsize, len, offset, s->sig_str);

    /* NOTE(review): len and offset are int; their sum is formed in int before
     * being widened, and a negative value would turn into a huge unsigned
     * number here. Confirm SigParseRequiredContentSize only yields
     * non-negative values. */
    uint64_t needed = (uint64_t)len;
    bool fits = ((uint64_t)len <= bsize);
    if (fits && (uint64_t)(len + offset) > bsize) {
        needed += offset;
        fits = false;
    }
    if (fits) {
        return true;
    }

    if (bsz->mode == DETECT_UINT_RA) {
        SCLogError("signature can't match as required content length %" PRIu64
                   " exceeds bsize range: %" PRIu64 "-%" PRIu64,
                   needed, bsz->arg1, bsz->arg2);
    } else {
        SCLogError("signature can't match as required content length %" PRIu64
                   " exceeds bsize value: "
                   "%" PRIu64,
                   needed, bsz->arg1);
    }
    return false;
}
95 
/**
 * \brief Registration function for bsize: keyword
 *
 * Fills in the sigmatch_table slot for DETECT_BSIZE: the keyword name and
 * documentation pointers, the parse (Setup) and cleanup (Free) callbacks and,
 * in unit-test builds, the test registration hook.
 */
void DetectBsizeRegister(void)
{
    SigTableElmt *kw = &sigmatch_table[DETECT_BSIZE];

    kw->name = "bsize";
    kw->desc = "match on the length of a buffer";
    kw->url = "/rules/payload-keywords.html#bsize";
    kw->Setup = DetectBsizeSetup;
    kw->Free = DetectBsizeFree;
    /* NOTE(review): the rendered listing this was taken from drops two lines
     * of this function. The symbol index for the file also references
     * SigTableElmt::Match, SigTableElmt::flags and SIGMATCH_SUPPORT_FIREWALL,
     * so the upstream version most likely also sets those here; confirm
     * against the upstream source before relying on this copy. */
#ifdef UNITTESTS
    kw->RegisterTests = DetectBsizeRegisterTests;
#endif
}
113 
/** \brief bsize match function
 *
 *  Evaluates the bsize keyword against the current size of a buffer and, when
 *  it does not match, tells the caller whether it could still match once more
 *  data arrives. The logic assumes a buffer only ever grows: an upper bound
 *  that is already exceeded, or any bound evaluated on a closed (eof) buffer,
 *  cannot be satisfied later.
 *
 *  The -1 answer is the one to be careful with: it tells the caller the
 *  keyword can never match on this buffer, which presumably stops further
 *  evaluation of the signature. It must only be given when that is provable
 *  from the size alone; answering 0 instead is merely slower, answering -1
 *  wrongly would silently disable the rule.
 *
 * \param ctx match ctx (a DetectU64Data)
 * \param buffer_size size of the buffer
 * \param eof is the buffer closed?
 *
 * \retval r 1 match, 0 no match, -1 can't match
 */
int DetectBsizeMatch(const SigMatchCtx *ctx, const uint64_t buffer_size, bool eof)
{
    const DetectU64Data *bsz = (const DetectU64Data *)ctx;

    if (DetectU64Match(buffer_size, bsz)) {
        return 1;
    }

    /* no match right now: decide whether growth of the buffer could change that */
    bool never = false;
    switch (bsz->mode) {
        case DETECT_UINT_LT:
        case DETECT_UINT_LTE:
            /* already at or past the limit and the buffer can only grow */
            never = true;
            break;
        case DETECT_UINT_GT:
        case DETECT_UINT_GTE:
            /* still too small; hopeless only if no more data can arrive */
            never = eof;
            break;
        case DETECT_UINT_EQ:
            never = (buffer_size > bsz->arg1) || eof;
            break;
        case DETECT_UINT_RA:
            if (buffer_size <= bsz->arg1) {
                never = eof;
            } else {
                never = (buffer_size >= bsz->arg2);
            }
            break;
        default:
            /* unknown mode: never claim "can't match" */
            break;
    }
    return never ? -1 : 0;
}
162 
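/**
 * \brief Largest buffer size a bsize keyword can still match.
 *
 * Used by the parse-time content validation to decide whether the content
 * keywords on a buffer can ever fit. Only modes with an upper bound produce a
 * value. For '<' and the range mode the bound reported is the exclusive
 * limit (arg1 resp. arg2), one more than the true maximum; that keeps the
 * check conservative, it can only fail to flag a rule, never reject a
 * matchable one. '<=' is bounded by arg1 as well and is now treated like the
 * other bounded modes instead of being silently skipped.
 *
 * \param bsz parsed bsize keyword
 * \param bsize out: the bound, only written when 0 is returned
 *
 * \retval 0 *bsize holds an upper bound
 * \retval -2 no upper bound ('>', '>=' or an unknown mode)
 */
static int SigParseGetMaxBsize(const DetectU64Data *bsz, uint64_t *bsize)
{
    switch (bsz->mode) {
        case DETECT_UINT_LT:
        case DETECT_UINT_LTE:
        case DETECT_UINT_EQ:
            *bsize = bsz->arg1;
            SCReturnInt(0);
        case DETECT_UINT_RA:
            *bsize = bsz->arg2;
            SCReturnInt(0);
        case DETECT_UINT_GT:
        case DETECT_UINT_GTE:
        default:
            /* every branch returns; no trailing return needed */
            SCReturnInt(-2);
    }
}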
179 
/**
 * \brief this function is used to parse bsize data into the current signature
 *
 * The keyword is attached to the buffer list that is currently active for the
 * signature; a bsize with no active buffer is a parse error. On success the
 * parsed value is owned by the appended SigMatch and is not freed here.
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param sizestr pointer to the user provided bsize options
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
static int DetectBsizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *sizestr)
{
    SCEnter();

    /* bsize only makes sense relative to a buffer: resolve that first */
    if (DetectBufferGetActiveList(de_ctx, s) == -1) {
        SCReturnInt(-1);
    }
    const int list = s->init_data->list;
    if (list == DETECT_SM_LIST_NOTSET) {
        SCReturnInt(-1);
    }

    DetectU64Data *bsz = DetectU64Parse(sizestr);
    if (bsz == NULL) {
        SCReturnInt(-1);
    }
    if (SigMatchAppendSMToList(de_ctx, s, DETECT_BSIZE, (SigMatchCtx *)bsz, list) != NULL) {
        SCReturnInt(0);
    }

    /* append failed: nothing else holds bsz, release it here */
    DetectBsizeFree(de_ctx, bsz);
    SCReturnInt(-1);
}
215 
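/**
 * \brief this function will free memory associated with DetectU64Data
 *
 * Registered as the Free callback of the bsize keyword and also used by
 * DetectBsizeSetup to release a parsed value that could not be attached to
 * the signature. Safe to call with a NULL pointer.
 *
 * \param de_ctx detection engine context (unused)
 * \param ptr pointer to DetectU64Data
 */
static void DetectBsizeFree(DetectEngineCtx *de_ctx, void *ptr)
{
    /* 'static' matches the file-scope prototype; the symbol already had
     * internal linkage through that earlier declaration, this only makes
     * the definition say so as well. */
    if (ptr == NULL)
        return;

    SCDetectU64Free((DetectU64Data *)ptr);
}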
229 
#ifdef UNITTESTS
/* the unit tests are textually included rather than linked, presumably so
 * they can exercise the static functions above */
#include "tests/detect-bsize.c"
#endif