1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_iface keyword.
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-engine-build.h"
35 #include "detect-dce-iface.h"
36 
37 #include "flow.h"
38 #include "flow-var.h"
39 #include "flow-util.h"
40 
41 #include "app-layer.h"
42 #include "queue.h"
43 #include "stream-tcp-reassemble.h"
44 
45 #include "util-debug.h"
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 #include "stream-tcp.h"
49 
50 #include "rust.h"
51 
/* Option syntax: a UUID, optionally followed by ",<op>version" where <op> is
 * one of < > = ! and version is up to 5 digits, optionally followed by
 * ",any_frag". The regex is compiled in DetectDceIfaceRegister(); the
 * option parsing done at Setup time is delegated to SCDcerpcIfaceParse(),
 * so parse_regex is not consulted by the code visible in this file. */
#define PARSE_REGEX "^\\s*([0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12})(?:\\s*,\\s*(<|>|=|!)([0-9]{1,5}))?(?:\\s*,\\s*(any_frag))?\\s*$"

static DetectParseRegex parse_regex;

/* Keyword callbacks, defined below and wired into sigmatch_table. */
static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags,
        void *state, void *txv, const Signature *s, const SigMatchCtx *m);
static int DetectDceIfaceSetup(DetectEngineCtx *, Signature *, const char *);
static void DetectDceIfaceFree(DetectEngineCtx *, void *);

/* List id of the "dce_generic" buffer, assigned by DetectBufferTypeRegister()
 * at registration time; every dce_iface SigMatch is appended to this list. */
static int g_dce_generic_list_id = 0;
62 
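/**
 * \brief Registers the keyword handlers for the "dce_iface" keyword.
 *
 * Wires the "dcerpc.iface" keyword (alias "dce_iface") into sigmatch_table,
 * compiles PARSE_REGEX, registers the "dce_generic" buffer and attaches the
 * generic list inspection engine to that buffer for both DCERPC and SMB in
 * both directions, so the keyword can match DCERPC carried natively or over
 * SMB.
 */
void DetectDceIfaceRegister(void)
{
    sigmatch_table[DETECT_DCE_IFACE].name = "dcerpc.iface";
    sigmatch_table[DETECT_DCE_IFACE].alias = "dce_iface";
    sigmatch_table[DETECT_DCE_IFACE].AppLayerTxMatch = DetectDceIfaceMatchRust;
    sigmatch_table[DETECT_DCE_IFACE].Setup = DetectDceIfaceSetup;
    sigmatch_table[DETECT_DCE_IFACE].Free = DetectDceIfaceFree;
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);

    /* Runtime-assigned list id; DetectDceIfaceSetup() appends every
     * dce_iface SigMatch to this list. */
    g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");

    /* Attach the generic list inspector for both protocols, to-server ... */
    DetectAppLayerInspectEngineRegister("dce_generic", ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectGenericList, NULL);
    DetectAppLayerInspectEngineRegister("dce_generic", ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectGenericList, NULL);

    /* ... and to-client. */
    DetectAppLayerInspectEngineRegister("dce_generic", ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
            DetectEngineInspectGenericList, NULL);
    DetectAppLayerInspectEngineRegister("dce_generic", ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
            DetectEngineInspectGenericList, NULL);
}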
87 
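/**
 * \brief App layer match function for the "dce_iface" keyword.
 *
 * Dispatches on the flow's app-layer protocol: DCERPC transactions are
 * matched directly by SCDcerpcIfaceMatch(); any other protocol is treated as
 * SMB and matched through rs_smb_tx_get_dce_iface().
 *
 * \param det_ctx Pointer to the DetectEngineThreadCtx (unused here).
 * \param f Pointer to the flow.
 * \param flags Flags indicating the flow direction (unused here).
 * \param state Pointer to the app layer state data.
 * \param txv Pointer to the app layer transaction.
 * \param s Pointer to the Signature instance (unused here).
 * \param m Pointer to the SigMatch context holding the parsed dce_iface data.
 *
 * \retval 1 On Match.
 * \retval 0 On no match.
 */
static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx,
        Flow *f, uint8_t flags, void *state, void *txv,
        const Signature *s, const SigMatchCtx *m)
{
    SCEnter();

    if (f->alproto == ALPROTO_DCERPC) {
        /* NOTE(review): SCDcerpcIfaceMatch() is assumed to need a valid
         * state; report no match instead of passing NULL through. Resolves
         * the old "check if state is NULL" TODO. */
        if (state == NULL) {
            SCReturnInt(0);
        }
        /* SCReturnInt rather than a bare return keeps the SCEnter trace balanced,
         * matching the other exit of this function. */
        SCReturnInt(SCDcerpcIfaceMatch(txv, state, (void *)m));
    }

    /* NOTE(review): this path reads f->alstate rather than the state argument;
     * presumably they refer to the same object. */
    int ret = 0;
    if (rs_smb_tx_get_dce_iface(f->alstate, txv, (void *)m) != 1) {
        SCLogDebug("rs_smb_tx_get_dce_iface: didn't match");
    } else {
        SCLogDebug("rs_smb_tx_get_dce_iface: matched!");
        ret = 1;
        // TODO validate frag
    }
    SCReturnInt(ret);
}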
124 
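/**
 * \brief Creates a SigMatch for the "dce_iface" keyword being sent as argument,
 *        and appends it to the Signature(s).
 *
 * Parsing of the option string is delegated to SCDcerpcIfaceParse(); the
 * object it returns is owned by the appended SigMatch and released through
 * DetectDceIfaceFree().
 *
 * \param de_ctx Pointer to the detection engine context.
 * \param s Pointer to signature for the current Signature being parsed
 *          from the rules.
 * \param arg Pointer to the string holding the keyword value.
 *
 * \retval 0 on success, -1 on failure.
 */
static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    SCEnter();

    /* Pin the signature to DCERPC; the failure conditions are those of
     * DetectSignatureSetAppProto(). */
    if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0) {
        SCReturnInt(-1);
    }

    void *did = SCDcerpcIfaceParse(arg);
    if (did == NULL) {
        SCLogError("Error parsing dce_iface option in "
                   "signature");
        SCReturnInt(-1);
    }

    /* If the append fails nobody else owns the parsed object yet: free it here. */
    if (SigMatchAppendSMToList(de_ctx, s, DETECT_DCE_IFACE, did, g_dce_generic_list_id) == NULL) {
        DetectDceIfaceFree(de_ctx, did);
        SCReturnInt(-1);
    }
    SCReturnInt(0);
}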
157 
/**
 * \brief Frees the parsed dce_iface data attached to a SigMatch.
 *
 * \param de_ctx Pointer to the detection engine context (unused).
 * \param ptr Object returned by SCDcerpcIfaceParse(), or NULL (no-op).
 */
static void DetectDceIfaceFree(DetectEngineCtx *de_ctx, void *ptr)
{
    SCEnter();
    if (ptr == NULL) {
        SCReturn;
    }
    SCDcerpcIfaceFree(ptr);
    SCReturn;
}