suricata
detect-bsize.c
Go to the documentation of this file.
1 /* Copyright (C) 2017-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the bsize generic buffer length keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "util-unittest.h"
28 #include "util-unittest-helper.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 #include "detect-engine.h"
33 #include "detect-content.h"
34 #include "detect-engine-uint.h"
35 
36 #include "detect-bsize.h"
37 
38 #include "util-misc.h"
39 
40 /*prototypes*/
41 static int DetectBsizeSetup (DetectEngineCtx *, Signature *, const char *);
42 static void DetectBsizeFree (DetectEngineCtx *, void *);
43 static int SigParseGetMaxBsize(const DetectU64Data *bsz);
44 #ifdef UNITTESTS
45 static void DetectBsizeRegisterTests (void);
46 #endif
47 
49 {
50  int bsize = -1;
51  const DetectU64Data *bsz;
52  for (const SigMatch *sm = b->head; sm != NULL; sm = sm->next) {
53  if (sm->type == DETECT_BSIZE) {
54  bsz = (const DetectU64Data *)sm->ctx;
55  bsize = SigParseGetMaxBsize(bsz);
56  break;
57  }
58  }
59 
60  if (bsize == -1) {
61  return true;
62  }
63 
64  uint64_t needed;
65  if (bsize >= 0) {
66  int len, offset;
67  SigParseRequiredContentSize(s, bsize, b->head, &len, &offset);
68  SCLogDebug("bsize: %d; len: %d; offset: %d [%s]", bsize, len, offset, s->sig_str);
69  needed = len;
70  if (len > bsize) {
71  goto value_error;
72  }
73  if ((len + offset) > bsize) {
74  needed += offset;
75  goto value_error;
76  }
77  }
78 
79  return true;
80 value_error:
81  if (bsz->mode == DETECT_UINT_RA) {
82  SCLogError("signature can't match as required content length %" PRIu64
83  " exceeds bsize range: %" PRIu64 "-%" PRIu64,
84  needed, bsz->arg1, bsz->arg2);
85  } else {
86  SCLogError("signature can't match as required content length %" PRIu64
87  " exceeds bsize value: "
88  "%" PRIu64,
89  needed, bsz->arg1);
90  }
91  return false;
92 }
93 
94 /**
95  * \brief Registration function for bsize: keyword
96  */
97 
99 {
100  sigmatch_table[DETECT_BSIZE].name = "bsize";
101  sigmatch_table[DETECT_BSIZE].desc = "match on the length of a buffer";
102  sigmatch_table[DETECT_BSIZE].url = "/rules/payload-keywords.html#bsize";
104  sigmatch_table[DETECT_BSIZE].Setup = DetectBsizeSetup;
105  sigmatch_table[DETECT_BSIZE].Free = DetectBsizeFree;
107 #ifdef UNITTESTS
108  sigmatch_table[DETECT_BSIZE].RegisterTests = DetectBsizeRegisterTests;
109 #endif
110 }
111 
112 /** \brief bsize match function
113  *
114  * \param ctx match ctx
115  * \param buffer_size size of the buffer
116  * \param eof is the buffer closed?
117  *
118  * \retval r 1 match, 0 no match, -1 can't match
119  */
120 int DetectBsizeMatch(const SigMatchCtx *ctx, const uint64_t buffer_size, bool eof)
121 {
122  const DetectU64Data *bsz = (const DetectU64Data *)ctx;
123  if (DetectU64Match(buffer_size, bsz)) {
124  return 1;
125  }
126  switch (bsz->mode) {
127  case DETECT_UINT_LTE:
128  return -1;
129  case DETECT_UINT_LT:
130  return -1;
131 
132  case DETECT_UINT_GTE:
133  // fallthrough
134  case DETECT_UINT_GT:
135  if (eof) {
136  return -1;
137  }
138  return 0;
139 
140  case DETECT_UINT_EQ:
141  if (buffer_size > bsz->arg1) {
142  return -1;
143  } else if (eof) {
144  return -1;
145  } else {
146  return 0;
147  }
148 
149  case DETECT_UINT_RA:
150  if (buffer_size <= bsz->arg1 && eof) {
151  return -1;
152  } else if (buffer_size <= bsz->arg1) {
153  return 0;
154  } else if (buffer_size >= bsz->arg2) {
155  return -1;
156  }
157  }
158  return 0;
159 }
160 
161 static int SigParseGetMaxBsize(const DetectU64Data *bsz)
162 {
163  switch (bsz->mode) {
164  case DETECT_UINT_LT:
165  case DETECT_UINT_EQ:
166  return bsz->arg1;
167  case DETECT_UINT_RA:
168  return bsz->arg2;
169  case DETECT_UINT_GT:
170  default:
171  SCReturnInt(-2);
172  }
173  SCReturnInt(-1);
174 }
175 
176 /**
177  * \brief this function is used to parse bsize data into the current signature
178  *
179  * \param de_ctx pointer to the Detection Engine Context
180  * \param s pointer to the Current Signature
181  * \param sizestr pointer to the user provided bsize options
182  *
183  * \retval 0 on Success
184  * \retval -1 on Failure
185  */
186 static int DetectBsizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *sizestr)
187 {
188  SCEnter();
189 
190  if (DetectBufferGetActiveList(de_ctx, s) == -1)
191  SCReturnInt(-1);
192 
193  int list = s->init_data->list;
194  if (list == DETECT_SM_LIST_NOTSET)
195  SCReturnInt(-1);
196 
197  DetectU64Data *bsz = DetectU64Parse(sizestr);
198  if (bsz == NULL)
199  SCReturnInt(-1);
200 
201  if (SigMatchAppendSMToList(de_ctx, s, DETECT_BSIZE, (SigMatchCtx *)bsz, list) == NULL) {
202  goto error;
203  }
204 
205  SCReturnInt(0);
206 
207 error:
208  DetectBsizeFree(de_ctx, bsz);
209  SCReturnInt(-1);
210 }
211 
212 /**
213  * \brief this function will free memory associated with DetectU64Data
214  *
215  * \param ptr pointer to DetectU64Data
216  */
217 void DetectBsizeFree(DetectEngineCtx *de_ctx, void *ptr)
218 {
219  if (ptr == NULL)
220  return;
221 
222  DetectU64Data *bsz = (DetectU64Data *)ptr;
223  SCDetectU64Free(bsz);
224 }
225 
226 #ifdef UNITTESTS
227 #include "tests/detect-bsize.c"
228 #endif
detect-engine-uint.h
SigTableElmt_::url
const char * url
Definition: detect.h:1405
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:547
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1404
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
Signature_::sig_str
char * sig_str
Definition: detect.h:746
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1392
SigTableElmt_::name
const char * name
Definition: detect.h:1402
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DetectBsizeValidateContentCallback
bool DetectBsizeValidateContentCallback(Signature *s, const SignatureInitDataBuffer *b)
Definition: detect-bsize.c:48
detect-bsize.c
detect-bsize.h
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1396
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:920
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
SIGMATCH_SUPPORT_FIREWALL
#define SIGMATCH_SUPPORT_FIREWALL
Definition: detect.h:1622
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine.c:1502
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1387
util-unittest.h
util-unittest-helper.h
DetectBsizeRegister
void DetectBsizeRegister(void)
Registration function for bsize: keyword.
Definition: detect-bsize.c:98
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectBsizeMatch
int DetectBsizeMatch(const SigMatchCtx *ctx, const uint64_t buffer_size, bool eof)
bsize match function
Definition: detect-bsize.c:120
DETECT_BSIZE
@ DETECT_BSIZE
Definition: detect-engine-register.h:90
SignatureInitData_::list
int list
Definition: detect.h:629
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
SigParseRequiredContentSize
void SigParseRequiredContentSize(const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset)
Determine the size needed to accommodate the content elements of a signature.
Definition: detect-content.c:409
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:748
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1370
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:143
suricata-common.h
DetectU64Parse
DetectUintData_u64 * DetectU64Parse(const char *u64str)
Definition: detect-engine-uint.c:147
DETECT_UINT_LTE
#define DETECT_UINT_LTE
Definition: detect-engine-uint.h:38
DetectU64Data
DetectUintData_u64 DetectU64Data
Definition: detect-engine-uint.h:40
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
detect-parse.h
Signature_
Signature container.
Definition: detect.h:669
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DetectU64Match
int DetectU64Match(const uint64_t parg, const DetectUintData_u64 *du64)
Definition: detect-engine-uint.c:142
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:464
util-misc.h
SignatureInitDataBuffer_
Definition: detect.h:537
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1394