1 /* Copyright (C) 2017-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the bsize generic buffer length keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "util-unittest.h"
28 #include "util-unittest-helper.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 #include "detect-engine.h"
33 #include "detect-content.h"
34 #include "detect-engine-uint.h"
35 
36 #include "detect-bsize.h"
37 
38 #include "util-misc.h"
39 
/* prototypes: the keyword callbacks wired into sigmatch_table by
 * DetectBsizeRegister(). Note that the definition of DetectBsizeFree below
 * omits `static`; it still has internal linkage because this earlier
 * declaration is static (C11 6.2.2). */
static int DetectBsizeSetup (DetectEngineCtx *, Signature *, const char *);
static void DetectBsizeFree (DetectEngineCtx *, void *);
#ifdef UNITTESTS
static void DetectBsizeRegisterTests (void);
#endif
46 
/**
 * \brief Registration function for bsize: keyword
 *
 * Fills the sigmatch_table slot for DETECT_BSIZE: name, description and
 * documentation URL, plus the Setup and Free callbacks defined in this
 * file. The unit test hook is only wired in UNITTESTS builds.
 */
void DetectBsizeRegister(void)
{
    SigTableElmt *kw = &sigmatch_table[DETECT_BSIZE];

    kw->name = "bsize";
    kw->desc = "match on the length of a buffer";
    kw->url = "/rules/payload-keywords.html#bsize";
    /* no generic per-packet Match callback: DetectBsizeMatch() has its own
     * signature (buffer length + eof) and is presumably invoked from the
     * engine's buffer inspection code, which is not shown in this file */
    kw->Match = NULL;
    kw->Setup = DetectBsizeSetup;
    kw->Free = DetectBsizeFree;
#ifdef UNITTESTS
    kw->RegisterTests = DetectBsizeRegisterTests;
#endif
}
63 
/** \brief bsize match function
 *
 * First asks the generic u64 comparator whether the current buffer length
 * satisfies the keyword. If not, the mode decides whether a later, larger
 * buffer could still match (0) or whether the rule can be given up on for
 * this buffer (-1). Buffers only grow, and eof means no more data will come,
 * so "-1" must only be returned when no future length can satisfy the test:
 * a wrong -1 here would silently skip the rule.
 *
 * \param ctx match ctx (a DetectU64Data)
 * \param buffer_size size of the buffer
 * \param eof is the buffer closed?
 *
 * \retval r 1 match, 0 no match, -1 can't match
 */
int DetectBsizeMatch(const SigMatchCtx *ctx, const uint64_t buffer_size, bool eof)
{
    const DetectU64Data *bsz = (const DetectU64Data *)ctx;

    if (DetectU64Match(buffer_size, bsz)) {
        return 1;
    }

    /* no match for this length: can more data still make it match? */
    switch (bsz->mode) {
        case DETECT_UINT_LT:
        case DETECT_UINT_LTE:
            /* already too large and it can only grow */
            return -1;

        case DETECT_UINT_GT:
        case DETECT_UINT_GTE:
            /* still too small; only hopeless once the buffer is closed */
            return eof ? -1 : 0;

        case DETECT_UINT_EQ:
            /* past the target, or no more data coming: hopeless */
            if (buffer_size > bsz->arg1 || eof) {
                return -1;
            }
            return 0;

        case DETECT_UINT_RA:
            if (buffer_size <= bsz->arg1) {
                /* below the range: wait for more data unless closed */
                return eof ? -1 : 0;
            }
            /* above the range can never match; anything else may still */
            return buffer_size >= bsz->arg2 ? -1 : 0;

        default:
            /* any other mode is treated as a plain "no match" */
            break;
    }
    return 0;
}
112 
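/**
 * \brief This function is used to parse bsize options passed via bsize: keyword
 *
 * Thin wrapper around the generic unsigned 64-bit option parser; the
 * accepted syntax is whatever DetectU64Parse() accepts.
 *
 * \param sizestr Pointer to the user provided bsize options
 *
 * \retval bsz pointer to DetectU64Data on success; the caller owns it and
 *             releases it with DetectBsizeFree()
 * \retval NULL on failure
 */
static DetectU64Data *DetectBsizeParse(const char *sizestr)
{
    /* the parameter is not named `str` on purpose: suricata-common.h defines
     * a function-like macro str(s), and reusing that name as an identifier is
     * confusing even though the macro only expands when followed by '(' */
    return DetectU64Parse(sizestr);
}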
126 
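/**
 * \brief this function is used to parse bsize data into the current signature
 *
 * Parses the option string, wraps the result in a SigMatch of type
 * DETECT_BSIZE and appends it to the signature's currently active
 * buffer list.
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param sizestr pointer to the user provided bsize options
 *
 * \retval 0 on Success
 * \retval -1 on Failure (no active buffer list, parse error or allocation
 *            failure); nothing is left attached to the signature
 */
static int DetectBsizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *sizestr)
{
    SCEnter();
    SigMatch *sm = NULL;

    /* bsize is only meaningful relative to a buffer: refuse the rule when
     * no buffer list is active for this signature */
    if (DetectBufferGetActiveList(de_ctx, s) == -1)
        SCReturnInt(-1);

    int list = s->init_data->list;
    if (list == DETECT_SM_LIST_NOTSET)
        SCReturnInt(-1);

    DetectU64Data *bsz = DetectBsizeParse(sizestr);
    if (bsz == NULL)
        goto error;
    sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;
    sm->type = DETECT_BSIZE;
    sm->ctx = (void *)bsz;

    /* ownership of sm, and of bsz through sm->ctx, moves to the signature */
    SigMatchAppendSMToList(s, sm, list);

    SCReturnInt(0);

error:
    /* DetectBsizeFree() accepts NULL, so this covers both failure points
     * (parse failed: bsz is NULL; SigMatchAlloc failed: bsz must go) */
    DetectBsizeFree(de_ctx, bsz);
    SCReturnInt(-1);
}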
166 
/**
 * \brief this function will free memory associated with DetectU64Data
 *
 * Registered as the Free callback for DETECT_BSIZE and also used by
 * DetectBsizeSetup() on its error path, so a NULL ptr is accepted.
 *
 * \param de_ctx detection engine context (not used here)
 * \param ptr pointer to DetectU64Data, or NULL
 */
void DetectBsizeFree(DetectEngineCtx *de_ctx, void *ptr)
{
    DetectU64Data *bsz = (DetectU64Data *)ptr;

    if (bsz != NULL) {
        /* release through the parser's own free routine, not SCFree():
         * the data came from DetectU64Parse() and must be returned the
         * same way */
        rs_detect_u64_free(bsz);
    }
}
180 
181 #ifdef UNITTESTS
182 #include "tests/detect-bsize.c"
183 #endif