suricata
detect-classtype.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements classtype keyword.
25  */
26 
27 #include "suricata-common.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 #include "detect-engine.h"
33 #include "detect-classtype.h"
35 #include "util-error.h"
36 #include "util-debug.h"
37 #include "util-unittest.h"
38 
39 #define PARSE_REGEX "^\\s*([a-zA-Z][a-zA-Z0-9-_]*)\\s*$"
40 
41 static DetectParseRegex parse_regex;
42 
43 static int DetectClasstypeSetup(DetectEngineCtx *, Signature *, const char *);
44 static void DetectClasstypeRegisterTests(void);
45 
46 /**
47  * \brief Registers the handler functions for the "Classtype" keyword.
48  */
50 {
51  sigmatch_table[DETECT_CLASSTYPE].name = "classtype";
52  sigmatch_table[DETECT_CLASSTYPE].desc = "information about the classification of rules and alerts";
53  sigmatch_table[DETECT_CLASSTYPE].url = "/rules/meta.html#classtype";
54  sigmatch_table[DETECT_CLASSTYPE].Setup = DetectClasstypeSetup;
55  sigmatch_table[DETECT_CLASSTYPE].RegisterTests = DetectClasstypeRegisterTests;
56 
57  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
58 }
59 
60 /**
61  * \brief Parses the raw string supplied with the "Classtype" keyword.
62  *
63  * \param Pointer to the string to be parsed.
64  *
65  * \retval bool success or failure.
66  */
67 static int DetectClasstypeParseRawString(const char *rawstr, char *out, size_t outsize)
68 {
69  int ov[MAX_SUBSTRINGS];
70 
71  const size_t esize = CLASSTYPE_NAME_MAX_LEN + 8;
72  char e[esize];
73 
74  int ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
75  if (ret < 0) {
76  SCLogError(SC_ERR_PCRE_MATCH, "Invalid Classtype in Signature");
77  return -1;
78  }
79 
80  ret = pcre_copy_substring((char *)rawstr, ov, 30, 1, e, esize);
81  if (ret < 0) {
82  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
83  return -1;
84  }
85 
86  if (strlen(e) >= CLASSTYPE_NAME_MAX_LEN) {
87  SCLogError(SC_ERR_INVALID_VALUE, "classtype '%s' is too big: max %d",
88  rawstr, CLASSTYPE_NAME_MAX_LEN - 1);
89  return -1;
90  }
91  (void)strlcpy(out, e, outsize);
92 
93  return 0;
94 }
95 
96 /**
97  * \brief The setup function that would be called when the Signature parsing
98  * module encounters the "Classtype" keyword.
99  *
100  * \param de_ctx Pointer to the Detection Engine Context.
101  * \param s Pointer the current Signature instance that is being parsed.
102  * \param rawstr Pointer to the argument supplied to the classtype keyword.
103  *
104  * \retval 0 On success
105  * \retval -1 On failure
106  */
107 static int DetectClasstypeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
108 {
109  char parsed_ct_name[CLASSTYPE_NAME_MAX_LEN] = "";
110 
111  if ((s->class_id > 0) || (s->class_msg != NULL)) {
113  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "duplicated 'classtype' "
114  "keyword detected.");
115  return -1;
116  } else {
117  SCLogWarning(SC_ERR_CONFLICTING_RULE_KEYWORDS, "duplicated 'classtype' "
118  "keyword detected. Using instance with highest priority");
119  }
120  }
121 
122  if (DetectClasstypeParseRawString(rawstr, parsed_ct_name, sizeof(parsed_ct_name)) < 0) {
123  SCLogError(SC_ERR_PCRE_PARSE, "invalid value for classtype keyword: "
124  "\"%s\"", rawstr);
125  return -1;
126  }
127 
128  bool real_ct = true;
129  SCClassConfClasstype *ct = SCClassConfGetClasstype(parsed_ct_name, de_ctx);
130  if (ct == NULL) {
132  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown classtype '%s'",
133  parsed_ct_name);
134  return -1;
135  }
136 
137  if (s->id > 0) {
138  SCLogWarning(SC_ERR_UNKNOWN_VALUE, "signature sid:%u uses "
139  "unknown classtype: \"%s\", using default priority %d. "
140  "This message won't be shown again for this classtype",
141  s->id, parsed_ct_name, DETECT_DEFAULT_PRIO);
142  } else if (de_ctx->rule_file != NULL) {
143  SCLogWarning(SC_ERR_UNKNOWN_VALUE, "signature at %s:%u uses "
144  "unknown classtype: \"%s\", using default priority %d. "
145  "This message won't be shown again for this classtype",
147  parsed_ct_name, DETECT_DEFAULT_PRIO);
148  } else {
149  SCLogWarning(SC_ERR_UNKNOWN_VALUE, "unknown classtype: \"%s\", "
150  "using default priority %d. "
151  "This message won't be shown again for this classtype",
152  parsed_ct_name, DETECT_DEFAULT_PRIO);
153  }
154 
155  char str[256];
156  snprintf(str, sizeof(str),
157  "config classification: %s,Unknown Classtype,%d\n",
158  parsed_ct_name, DETECT_DEFAULT_PRIO);
159 
160  if (SCClassConfAddClasstype(de_ctx, str, 0) < 0)
161  return -1;
162  ct = SCClassConfGetClasstype(parsed_ct_name, de_ctx);
163  if (ct == NULL)
164  return -1;
165  real_ct = false;
166  }
167 
168  /* set prio only if not already explicitly set by 'priority' keyword.
169  * update classtype in sig, but only if it is 'real' (not undefined)
170  * update sigs classtype if its prio is lower (but not undefined)
171  */
172 
173  bool update_ct = false;
175  /* don't touch Signature::prio */
176  update_ct = true;
177  } else if (s->prio == -1) {
178  s->prio = ct->priority;
179  update_ct = true;
180  } else {
181  if (ct->priority < s->prio) {
182  s->prio = ct->priority;
183  update_ct = true;
184  }
185  }
186 
187  if (real_ct && update_ct) {
188  s->class_id = ct->classtype_id;
189  s->class_msg = ct->classtype_desc;
190  }
191  return 0;
192 }
193 
194 #ifdef UNITTESTS
195 
196 /**
197  * \test undefined classtype
198  */
199 static int DetectClasstypeTest01(void)
200 {
203 
205  FAIL_IF_NULL(fd);
207  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
208  "(msg:\"Classtype test\"; "
209  "Classtype:not_available; sid:1;)");
210  FAIL_IF_NULL(s);
211  FAIL_IF_NOT(s->prio == 3);
212 
214  PASS;
215 }
216 
217 /**
218  * \test Check that both valid and invalid classtypes in a rule are handled
219  * properly, with rules containing invalid classtypes being rejected
220  * and the ones containing valid classtypes parsed and returned.
221  */
222 static int DetectClasstypeTest02(void)
223 {
226 
228  FAIL_IF_NULL(fd);
230 
231  Signature *sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
232  "(Classtype:bad-unknown; sid:1;)");
233  FAIL_IF_NULL(sig);
234 
235  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
236  "(Classtype:not-there; sid:2;)");
237  FAIL_IF_NULL(sig);
238 
239  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
240  "(Classtype:Bad-UnkNown; sid:3;)");
241  FAIL_IF_NULL(sig);
242 
243  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
244  "(Classtype:nothing-wrong; sid:4;)");
245  FAIL_IF_NULL(sig);
246 
247  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
248  "(Classtype:attempted_dos; Classtype:bad-unknown; sid:5;)");
249  FAIL_IF_NULL(sig);
250  FAIL_IF_NOT(sig->prio == 2);
251 
252  /* duplicate test */
253  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
254  "(Classtype:nothing-wrong; Classtype:Bad-UnkNown; sid:6;)");
255  FAIL_IF_NULL(sig);
256  FAIL_IF_NOT(sig->prio == 2);
257 
259  PASS;
260 }
261 
262 /**
263  * \test Check that the signatures are assigned priority based on classtype they
264  * are given.
265  */
266 static int DetectClasstypeTest03(void)
267 {
270 
272  FAIL_IF_NULL(fd);
274 
275  Signature *sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
276  "(msg:\"Classtype test\"; Classtype:bad-unknown; priority:1; sid:1;)");
277  FAIL_IF_NULL(sig);
278  FAIL_IF_NOT(sig->prio == 1);
279 
280  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
281  "(msg:\"Classtype test\"; Classtype:unKnoWn; "
282  "priority:3; sid:2;)");
283  FAIL_IF_NULL(sig);
284  FAIL_IF_NOT(sig->prio == 3);
285 
286  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"Classtype test\"; "
287  "Classtype:nothing-wrong; priority:1; sid:3;)");
288  FAIL_IF_NOT(sig->prio == 1);
289 
290  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
291  "(msg:\"Classtype test\"; Classtype:bad-unknown; Classtype:undefined; "
292  "priority:5; sid:4;)");
293  FAIL_IF_NULL(sig);
294  FAIL_IF_NOT(sig->prio == 5);
295 
297  PASS;
298 }
299 
300 #endif /* UNITTESTS */
301 
302 /**
303  * \brief This function registers unit tests for Classification Config API.
304  */
305 static void DetectClasstypeRegisterTests(void)
306 {
307 #ifdef UNITTESTS
308  UtRegisterTest("DetectClasstypeTest01", DetectClasstypeTest01);
309  UtRegisterTest("DetectClasstypeTest02", DetectClasstypeTest02);
310  UtRegisterTest("DetectClasstypeTest03", DetectClasstypeTest03);
311 #endif /* UNITTESTS */
312 }
SigTableElmt_::url
const char * url
Definition: detect.h:1212
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::name
const char * name
Definition: detect.h:1209
DetectEngineCtx_::rule_file
char * rule_file
Definition: detect.h:870
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCClassConfLoadClassficationConfigFile
void SCClassConfLoadClassficationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
Definition: util-classification-config.c:527
detect-classtype.h
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2089
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:492
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
SC_ERR_PCRE_PARSE
@ SC_ERR_PCRE_PARSE
Definition: util-error.h:37
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
decode.h
Signature_::class_id
uint16_t class_id
Definition: detect.h:547
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
util-error.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
SCClassConfClasstype_
Container for a Classtype from the Classification.config file.
Definition: util-classification-config.h:33
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2456
detect.h
SCClassConfClasstype_::classtype_id
uint16_t classtype_id
Definition: util-classification-config.h:35
SCClassConfAddClasstype
int SCClassConfAddClasstype(DetectEngineCtx *de_ctx, char *rawstr, uint16_t index)
Parses a line from the classification file and adds it to Classtype hash table in DetectEngineCtx,...
Definition: util-classification-config.c:243
SigMatchStrictEnabled
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
Definition: detect-parse.c:298
SCClassConfGetClasstype
SCClassConfClasstype * SCClassConfGetClasstype(const char *ct_name, DetectEngineCtx *de_ctx)
Gets the classtype from the corresponding hash table stored in the Detection Engine Context's class c...
Definition: util-classification-config.c:558
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2388
SIG_FLAG_INIT_PRIO_EXPLICT
#define SIG_FLAG_INIT_PRIO_EXPLICT
Definition: detect.h:264
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:596
Signature_::class_msg
char * class_msg
Definition: detect.h:588
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2326
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
util-classification-config.h
Signature_::prio
int prio
Definition: detect.h:563
SCClassConfClasstype_::priority
int priority
Definition: util-classification-config.h:38
DETECT_CLASSTYPE
@ DETECT_CLASSTYPE
Definition: detect-engine-register.h:31
str
#define str(s)
Definition: suricata-common.h:273
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-classtype.c:39
Signature_::id
uint32_t id
Definition: detect.h:560
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
CLASSTYPE_NAME_MAX_LEN
#define CLASSTYPE_NAME_MAX_LEN
Definition: util-classification-config.h:27
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
SCClassConfClasstype_::classtype_desc
char * classtype_desc
Definition: util-classification-config.h:45
SCClassConfGenerateValidDummyClassConfigFD01
FILE * SCClassConfGenerateValidDummyClassConfigFD01(void)
Creates a dummy classification file, with all valid Classtypes, for testing purposes.
Definition: util-classification-config.c:584
DETECT_DEFAULT_PRIO
#define DETECT_DEFAULT_PRIO
Definition: detect.h:62
DetectEngineCtx_::rule_line
int rule_line
Definition: detect.h:871
DetectClasstypeRegister
void DetectClasstypeRegister(void)
Registers the handler functions for the "Classtype" keyword.
Definition: detect-classtype.c:49
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171