suricata
detect-classtype.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements classtype keyword.
25  */
26 
27 #include "suricata-common.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 #include "detect-engine.h"
33 #include "detect-classtype.h"
35 #include "util-error.h"
36 #include "util-debug.h"
37 #include "util-unittest.h"
38 
39 #define PARSE_REGEX "^\\s*([a-zA-Z][a-zA-Z0-9-_]*)\\s*$"
40 
41 static pcre *regex = NULL;
42 static pcre_extra *regex_study = NULL;
43 
44 static int DetectClasstypeSetup(DetectEngineCtx *, Signature *, const char *);
45 static void DetectClasstypeRegisterTests(void);
46 
47 /**
48  * \brief Registers the handler functions for the "Classtype" keyword.
49  */
51 {
52  sigmatch_table[DETECT_CLASSTYPE].name = "classtype";
53  sigmatch_table[DETECT_CLASSTYPE].desc = "information about the classification of rules and alerts";
54  sigmatch_table[DETECT_CLASSTYPE].url = DOC_URL DOC_VERSION "/rules/meta.html#classtype";
55  sigmatch_table[DETECT_CLASSTYPE].Setup = DetectClasstypeSetup;
56  sigmatch_table[DETECT_CLASSTYPE].RegisterTests = DetectClasstypeRegisterTests;
57 
58  DetectSetupParseRegexes(PARSE_REGEX, &regex, &regex_study);
59 }
60 
61 /**
62  * \brief Parses the raw string supplied with the "Classtype" keyword.
63  *
64  * \param Pointer to the string to be parsed.
65  *
66  * \retval bool success or failure.
67  */
68 static int DetectClasstypeParseRawString(const char *rawstr, char *out, size_t outsize)
69 {
70 #define MAX_SUBSTRINGS 30
71  int ov[MAX_SUBSTRINGS];
72  size_t len = strlen(rawstr);
73 
74  const size_t esize = CLASSTYPE_NAME_MAX_LEN + 8;
75  char e[esize];
76 
77  int ret = pcre_exec(regex, regex_study, rawstr, len, 0, 0, ov, 30);
78  if (ret < 0) {
79  SCLogError(SC_ERR_PCRE_MATCH, "Invalid Classtype in Signature");
80  return -1;
81  }
82 
83  ret = pcre_copy_substring((char *)rawstr, ov, 30, 1, e, esize);
84  if (ret < 0) {
85  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
86  return -1;
87  }
88 
89  if (strlen(e) >= CLASSTYPE_NAME_MAX_LEN) {
90  SCLogError(SC_ERR_INVALID_VALUE, "classtype '%s' is too big: max %d",
91  rawstr, CLASSTYPE_NAME_MAX_LEN - 1);
92  return -1;
93  }
94  (void)strlcpy(out, e, outsize);
95 
96  return 0;
97 }
98 
99 /**
100  * \brief The setup function that would be called when the Signature parsing
101  * module encounters the "Classtype" keyword.
102  *
103  * \param de_ctx Pointer to the Detection Engine Context.
104  * \param s Pointer the current Signature instance that is being parsed.
105  * \param rawstr Pointer to the argument supplied to the classtype keyword.
106  *
107  * \retval 0 On success
108  * \retval -1 On failure
109  */
110 static int DetectClasstypeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
111 {
112  char parsed_ct_name[CLASSTYPE_NAME_MAX_LEN] = "";
113 
114  if ((s->class_id > 0) || (s->class_msg != NULL)) {
116  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "duplicated 'classtype' "
117  "keyword detected.");
118  return -1;
119  } else {
120  SCLogWarning(SC_ERR_CONFLICTING_RULE_KEYWORDS, "duplicated 'classtype' "
121  "keyword detected. Using instance with highest priority");
122  }
123  }
124 
125  if (DetectClasstypeParseRawString(rawstr, parsed_ct_name, sizeof(parsed_ct_name)) < 0) {
126  SCLogError(SC_ERR_PCRE_PARSE, "invalid value for classtype keyword: "
127  "\"%s\"", rawstr);
128  return -1;
129  }
130 
131  bool real_ct = true;
132  SCClassConfClasstype *ct = SCClassConfGetClasstype(parsed_ct_name, de_ctx);
133  if (ct == NULL) {
135  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown classtype '%s'",
136  parsed_ct_name);
137  return -1;
138  }
139 
140  if (s->id > 0) {
141  SCLogWarning(SC_ERR_UNKNOWN_VALUE, "signature sid:%u uses "
142  "unknown classtype: \"%s\", using default priority %d. "
143  "This message won't be shown again for this classtype",
144  s->id, parsed_ct_name, DETECT_DEFAULT_PRIO);
145  } else if (de_ctx->rule_file != NULL) {
146  SCLogWarning(SC_ERR_UNKNOWN_VALUE, "signature at %s:%u uses "
147  "unknown classtype: \"%s\", using default priority %d. "
148  "This message won't be shown again for this classtype",
149  de_ctx->rule_file, de_ctx->rule_line,
150  parsed_ct_name, DETECT_DEFAULT_PRIO);
151  } else {
152  SCLogWarning(SC_ERR_UNKNOWN_VALUE, "unknown classtype: \"%s\", "
153  "using default priority %d. "
154  "This message won't be shown again for this classtype",
155  parsed_ct_name, DETECT_DEFAULT_PRIO);
156  }
157 
158  char str[256];
159  snprintf(str, sizeof(str),
160  "config classification: %s,Unknown Classtype,%d\n",
161  parsed_ct_name, DETECT_DEFAULT_PRIO);
162 
163  if (SCClassConfAddClasstype(de_ctx, str, 0) < 0)
164  return -1;
165  ct = SCClassConfGetClasstype(parsed_ct_name, de_ctx);
166  if (ct == NULL)
167  return -1;
168  real_ct = false;
169  }
170 
171  /* set prio only if not already explicitly set by 'priority' keyword.
172  * update classtype in sig, but only if it is 'real' (not undefined)
173  * update sigs classtype if its prio is lower (but not undefined)
174  */
175 
176  bool update_ct = false;
178  /* don't touch Signature::prio */
179  update_ct = true;
180  } else if (s->prio == -1) {
181  s->prio = ct->priority;
182  update_ct = true;
183  } else {
184  if (ct->priority < s->prio) {
185  s->prio = ct->priority;
186  update_ct = true;
187  }
188  }
189 
190  if (real_ct && update_ct) {
191  s->class_id = ct->classtype_id;
192  s->class_msg = ct->classtype_desc;
193  }
194  return 0;
195 }
196 
197 #ifdef UNITTESTS
198 
199 /**
200  * \test undefined classtype
201  */
202 static int DetectClasstypeTest01(void)
203 {
205  FAIL_IF_NULL(de_ctx);
206 
208  FAIL_IF_NULL(fd);
210  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
211  "(msg:\"Classtype test\"; "
212  "Classtype:not_available; sid:1;)");
213  FAIL_IF_NULL(s);
214  FAIL_IF_NOT(s->prio == 3);
215 
216  DetectEngineCtxFree(de_ctx);
217  PASS;
218 }
219 
220 /**
221  * \test Check that both valid and invalid classtypes in a rule are handled
222  * properly, with rules containing invalid classtypes being rejected
223  * and the ones containing valid classtypes parsed and returned.
224  */
225 static int DetectClasstypeTest02(void)
226 {
228  FAIL_IF_NULL(de_ctx);
229 
231  FAIL_IF_NULL(fd);
233 
234  Signature *sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
235  "(Classtype:bad-unknown; sid:1;)");
236  FAIL_IF_NULL(sig);
237 
238  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
239  "(Classtype:not-there; sid:2;)");
240  FAIL_IF_NULL(sig);
241 
242  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
243  "(Classtype:Bad-UnkNown; sid:3;)");
244  FAIL_IF_NULL(sig);
245 
246  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
247  "(Classtype:nothing-wrong; sid:4;)");
248  FAIL_IF_NULL(sig);
249 
250  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
251  "(Classtype:attempted_dos; Classtype:bad-unknown; sid:5;)");
252  FAIL_IF_NULL(sig);
253  FAIL_IF_NOT(sig->prio == 2);
254 
255  /* duplicate test */
256  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
257  "(Classtype:nothing-wrong; Classtype:Bad-UnkNown; sid:6;)");
258  FAIL_IF_NULL(sig);
259  FAIL_IF_NOT(sig->prio == 2);
260 
261  DetectEngineCtxFree(de_ctx);
262  PASS;
263 }
264 
265 /**
266  * \test Check that the signatures are assigned priority based on classtype they
267  * are given.
268  */
269 static int DetectClasstypeTest03(void)
270 {
272  FAIL_IF_NULL(de_ctx);
273 
275  FAIL_IF_NULL(fd);
277 
278  Signature *sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
279  "(msg:\"Classtype test\"; Classtype:bad-unknown; priority:1; sid:1;)");
280  FAIL_IF_NULL(sig);
281  FAIL_IF_NOT(sig->prio == 1);
282 
283  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
284  "(msg:\"Classtype test\"; Classtype:unKnoWn; "
285  "priority:3; sid:2;)");
286  FAIL_IF_NULL(sig);
287  FAIL_IF_NOT(sig->prio == 3);
288 
289  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"Classtype test\"; "
290  "Classtype:nothing-wrong; priority:1; sid:3;)");
291  FAIL_IF_NOT(sig->prio == 1);
292 
293  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
294  "(msg:\"Classtype test\"; Classtype:bad-unknown; Classtype:undefined; "
295  "priority:5; sid:4;)");
296  FAIL_IF_NULL(sig);
297  FAIL_IF_NOT(sig->prio == 5);
298 
299  DetectEngineCtxFree(de_ctx);
300  PASS;
301 }
302 
303 #endif /* UNITTESTS */
304 
305 /**
306  * \brief This function registers unit tests for Classification Config API.
307  */
308 static void DetectClasstypeRegisterTests(void)
309 {
310 #ifdef UNITTESTS
311  UtRegisterTest("DetectClasstypeTest01", DetectClasstypeTest01);
312  UtRegisterTest("DetectClasstypeTest02", DetectClasstypeTest02);
313  UtRegisterTest("DetectClasstypeTest03", DetectClasstypeTest03);
314 #endif /* UNITTESTS */
315 }
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
#define DETECT_DEFAULT_PRIO
Definition: detect.h:62
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
SignatureInitData * init_data
Definition: detect.h:591
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
uint32_t id
Definition: detect.h:555
#define PASS
Pass the test.
int SCClassConfAddClasstype(DetectEngineCtx *de_ctx, char *rawstr, uint16_t index)
Parses a line from the classification file and adds it to Classtype hash table in DetectEngineCtx...
int prio
Definition: detect.h:558
#define MAX_SUBSTRINGS
const char * name
Definition: detect.h:1200
Signature container.
Definition: detect.h:522
main detection engine ctx
Definition: detect.h:761
#define str(s)
char * rule_file
Definition: detect.h:865
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
void SCClassConfLoadClassficationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
Definition: detect-parse.c:295
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
const char * desc
Definition: detect.h:1202
char * class_msg
Definition: detect.h:583
uint32_t init_flags
Definition: detect.h:486
const char * url
Definition: detect.h:1203
Container for a Classtype from the Classification.config file.
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
#define DOC_URL
Definition: suricata.h:86
SCClassConfClasstype * SCClassConfGetClasstype(const char *ct_name, DetectEngineCtx *de_ctx)
Gets the classtype from the corresponding hash table stored in the Detection Engine Context&#39;s class c...
uint8_t len
#define SIG_FLAG_INIT_PRIO_EXPLICT
Definition: detect.h:264
#define DOC_VERSION
Definition: suricata.h:91
#define CLASSTYPE_NAME_MAX_LEN
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
#define PARSE_REGEX
FILE * SCClassConfGenerateValidDummyClassConfigFD01(void)
Creates a dummy classification file, with all valid Classtypes, for testing purposes.
void(* RegisterTests)(void)
Definition: detect.h:1192
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
void DetectClasstypeRegister(void)
Registers the handler functions for the "Classtype" keyword.
uint16_t class_id
Definition: detect.h:542
DetectEngineCtx * DetectEngineCtxInit(void)