/* File-scope ids of the two detection buffers this keyword module registers
 * (the "match" buffer and the "dnp3_data" buffer).  Both start at 0 and are
 * presumably assigned during registration via DetectBufferTypeRegister /
 * DetectBufferTypeGetByName — the registration bodies are not shown here,
 * so confirm against the *Register() functions before relying on this. */
34 static int g_dnp3_match_buffer_id = 0;
35 static int g_dnp3_data_buffer_id = 0;
62 {
"device_restart", 0x8000},
63 {
"device_trouble", 0x4000},
64 {
"local_control", 0x2000},
65 {
"need_time", 0x1000},
66 {
"class_3_events", 0x0800},
67 {
"class_2_events", 0x0400},
68 {
"class_1_events", 0x0200},
69 {
"all_stations", 0x0100},
71 {
"reserved_1", 0x0080},
72 {
"reserved_2", 0x0040},
73 {
"config_corrupt", 0x0020},
74 {
"already_executing", 0x0010},
75 {
"event_buffer_overflow", 0x0008},
76 {
"parameter_error", 0x0004},
77 {
"object_unknown", 0x0002},
78 {
"no_func_code_support", 0x0001},
92 {
"direct_operate", 5},
93 {
"direct_operate_nr", 6},
95 {
"immed_freeze_nr", 8},
97 {
"freeze_clear_nr", 10},
98 {
"freeze_at_time", 11},
99 {
"freeze_at_time_nr", 12},
100 {
"cold_restart", 13},
101 {
"warm_restart", 14},
102 {
"initialize_data", 15},
103 {
"initialize_appl", 16},
107 {
"enable_unsolicited", 20},
108 {
"disable_unsolicited", 21},
109 {
"assign_class", 22},
110 {
"delay_measure", 23},
111 {
"record_current_time", 24},
115 {
"get_file_info", 28},
116 {
"authenticate_file", 29},
118 {
"activate_config", 31},
119 {
"authenticate_req", 32},
120 {
"authenticate_err", 33},
122 {
"unsolicited_response", 130},
123 {
"authenticate_resp", 131}
127 static void DetectDNP3FuncRegisterTests(
void);
128 static void DetectDNP3IndRegisterTests(
void);
129 static void DetectDNP3ObjRegisterTests(
void);
136 static char *TrimString(
char *
str)
138 char *end =
str + strlen(
str) - 1;
139 while (isspace(*
str)) {
142 while (end >
str && isspace(*end)) {
151 Flow *_f,
const uint8_t flow_flags,
152 void *txv,
const int list_id)
160 if ((flow_flags & STREAM_TOSERVER && !tx->
is_request) ||
161 (flow_flags & STREAM_TOCLIENT && tx->
is_request)) {
187 static int DetectDNP3FuncParseFunctionCode(
const char *
str, uint8_t *fc)
215 SCLogError(
"Invalid argument \"%s\" supplied to dnp3_func keyword.",
str);
238 static int DetectDNP3IndParseByName(
const char *
str, uint16_t *
flags)
240 char tmp[strlen(
str) + 1];
241 char *p, *last = NULL;
245 for ((p = strtok_r(tmp,
",", &last)); p; (p = strtok_r(NULL,
",", &last))) {
259 SCLogError(
"Bad argument \"%s\" supplied to dnp3.ind keyword.", p);
267 static int DetectDNP3IndParse(
const char *
str, uint16_t *
flags)
276 if (DetectDNP3IndParseByName(
str,
flags)) {
292 if (!DetectDNP3IndParse(
str, &
flags)) {
293 SCLogError(
"Invalid argument \"%s\" supplied to dnp3.ind keyword.",
str);
310 if (detect != NULL) {
325 static int DetectDNP3ObjParse(
const char *
str, uint8_t *
group, uint8_t *var)
327 size_t size = strlen(
str) + 1;
328 char groupstr[size], *varstr, *sep;
331 sep = strchr(groupstr,
',');
363 detect =
SCCalloc(1,
sizeof(*detect));
377 if (detect != NULL) {
415 DNP3ObjectList *objects = NULL;
423 if (objects != NULL) {
443 if (
flags & STREAM_TOCLIENT) {
453 static void DetectDNP3FuncRegister(
void)
460 "match on the application function code found in DNP3 request and responses";
472 static void DetectDNP3IndRegister(
void)
479 "match on the DNP3 internal indicator flags in the response application header";
491 static void DetectDNP3ObjRegister(
void)
521 static void DetectDNP3DataRegister(
void)
528 "make the following content options to match on the re-assembled application buffer";
549 DetectDNP3DataRegister();
551 DetectDNP3FuncRegister();
552 DetectDNP3IndRegister();
553 DetectDNP3ObjRegister();
573 static int DetectDNP3FuncParseFunctionCodeTest(
void)
578 FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode(
"0", &fc));
581 FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode(
"1", &fc));
584 FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode(
"254", &fc));
587 FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode(
"255", &fc));
590 FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode(
"confirm", &fc));
593 FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode(
"CONFIRM", &fc));
597 FAIL_IF(DetectDNP3FuncParseFunctionCode(
"", &fc));
598 FAIL_IF(DetectDNP3FuncParseFunctionCode(
"-1", &fc));
599 FAIL_IF(DetectDNP3FuncParseFunctionCode(
"-2", &fc));
600 FAIL_IF(DetectDNP3FuncParseFunctionCode(
"256", &fc));
601 FAIL_IF(DetectDNP3FuncParseFunctionCode(
"unknown_function_code", &fc));
606 static int DetectDNP3FuncTest01(
void)
612 "(msg:\"SURICATA DNP3 Write request\"; "
613 "dnp3_func:2; sid:5000009; rev:1;)");
627 static int DetectDNP3IndTestParseAsInteger(
void)
651 static int DetectDNP3IndTestParseByName(
void)
657 FAIL_IF(!DetectDNP3IndParse(
"class_1_events , class_2_events", &
flags));
667 static int DetectDNP3ObjSetupTest(
void)
673 "(msg:\"SURICATA DNP3 Object Test\"; "
674 "dnp3_obj:99,99; sid:1; rev:1;)");
689 static int DetectDNP3ObjParseTest(
void)
707 static void DetectDNP3FuncRegisterTests(
void)
710 DetectDNP3FuncParseFunctionCodeTest);
714 static void DetectDNP3IndRegisterTests(
void)
717 DetectDNP3IndTestParseAsInteger);
719 DetectDNP3IndTestParseByName);
722 static void DetectDNP3ObjRegisterTests(
void)
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
#define SIGMATCH_INFO_STICKY_BUFFER
SigTableElmt * sigmatch_table
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void(* Free)(DetectEngineCtx *, void *)
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
set up the buffer with our initial data
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void DetectDNP3Register(void)
struct HtpBodyChunk_ * next
Struct to hold the list of decoded objects.
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
#define TAILQ_FOREACH(var, head, field)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
#define SIG_FLAG_TOCLIENT
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int DetectBufferTypeGetByName(const char *name)
size_t strlcpy(char *dst, const char *src, size_t siz)
DNP3Mapping DNP3IndicatorsMap[]
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
#define SIG_FLAG_TOSERVER
#define PASS
Pass the test.
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Used to start a pointer to a SigMatch context. Should never be dereferenced without casting to something...
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectBufferTypeRegister(const char *name)
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
#define SCLogError(...)
Macro used to log ERROR messages.
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
struct DetectDNP3_ DetectDNP3
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
DNP3Mapping DNP3FunctionNameMap[]
void(* RegisterTests)(void)