suricata
detect-engine-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 
20 #include "detect.h"
21 #include "detect-engine-alert.h"
23 #include "detect-engine-tag.h"
24 
25 #include "decode.h"
26 
27 #include "flow.h"
28 #include "flow-private.h"
29 
30 #include "util-profiling.h"
31 
32 /** tag signature we use for tag alerts */
33 static Signature g_tag_signature;
34 /** tag packet alert structure for tag alerts */
35 static PacketAlert g_tag_pa;
36 
38 {
39  memset(&g_tag_signature, 0x00, sizeof(g_tag_signature));
40 
41  g_tag_signature.id = TAG_SIG_ID;
42  g_tag_signature.gid = TAG_SIG_GEN;
43  g_tag_signature.num = TAG_SIG_ID;
44  g_tag_signature.rev = 1;
45  g_tag_signature.prio = 2;
46 
47  memset(&g_tag_pa, 0x00, sizeof(g_tag_pa));
48 
49  g_tag_pa.action = ACTION_ALERT;
50  g_tag_pa.s = &g_tag_signature;
51 }
52 
54 {
55  return &g_tag_pa;
56 }
57 
58 /**
59  * \brief Handle a packet and check if needs a threshold logic
60  * Also apply rule action if necessary.
61  *
62  * \param de_ctx Detection Context
63  * \param sig Signature pointer
64  * \param p Packet structure
65  *
66  * \retval 1 alert is not suppressed
67  * \retval 0 alert is suppressed
68  */
69 static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
70  const Signature *s, Packet *p, PacketAlert *pa)
71 {
72  SCEnter();
73  int ret = 1;
74  const DetectThresholdData *td = NULL;
75  const SigMatchData *smd;
76 
77  if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {
78  SCReturnInt(1);
79  }
80 
81  /* handle suppressions first */
82  if (s->sm_arrays[DETECT_SM_LIST_SUPPRESS] != NULL) {
84  smd = NULL;
85  do {
87  if (td != NULL) {
88  SCLogDebug("td %p", td);
89 
90  /* PacketAlertThreshold returns 2 if the alert is suppressed but
91  * we do need to apply rule actions to the packet. */
93  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
94  if (ret == 0 || ret == 2) {
96  /* It doesn't match threshold, remove it */
97  SCReturnInt(ret);
98  }
100  }
101  } while (smd != NULL);
102  }
103 
104  /* if we're still here, consider thresholding */
105  if (s->sm_arrays[DETECT_SM_LIST_THRESHOLD] != NULL) {
107  smd = NULL;
108  do {
110  if (td != NULL) {
111  SCLogDebug("td %p", td);
112 
113  /* PacketAlertThreshold returns 2 if the alert is suppressed but
114  * we do need to apply rule actions to the packet. */
116  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
117  if (ret == 0 || ret == 2) {
119  /* It doesn't match threshold, remove it */
120  SCReturnInt(ret);
121  }
123  }
124  } while (smd != NULL);
125  }
126  SCReturnInt(1);
127 }
128 
129 
130 /**
131  * \brief Check if a certain sid alerted, this is used in the test functions
132  *
133  * \param p Packet on which we want to check if the signature alerted or not
134  * \param sid Signature id of the signature that thas to be checked for a match
135  *
136  * \retval match A value > 0 on a match; 0 on no match
137  */
138 int PacketAlertCheck(Packet *p, uint32_t sid)
139 {
140  uint16_t i = 0;
141  int match = 0;
142 
143  for (i = 0; i < p->alerts.cnt; i++) {
144  if (p->alerts.alerts[i].s == NULL)
145  continue;
146 
147  if (p->alerts.alerts[i].s->id == sid)
148  match++;
149  }
150 
151  return match;
152 }
153 
154 /**
155  * \brief Remove alert from the p->alerts.alerts array at pos
156  * \param p Pointer to the Packet
157  * \param pos Position in the array
158  * \retval 0 if the number of alerts is less than pos
159  * 1 if all goes well
160  */
161 int PacketAlertRemove(Packet *p, uint16_t pos)
162 {
163  uint16_t i = 0;
164  int match = 0;
165 
166  if (pos > p->alerts.cnt) {
167  SCLogDebug("removing %u failed, pos > cnt %u", pos, p->alerts.cnt);
168  return 0;
169  }
170 
171  for (i = pos; i <= p->alerts.cnt - 1; i++) {
172  memcpy(&p->alerts.alerts[i], &p->alerts.alerts[i + 1], sizeof(PacketAlert));
173  }
174 
175  // Update it, since we removed 1
176  p->alerts.cnt--;
177 
178  return match;
179 }
180 
181 /** \brief append a signature match to a packet
182  *
183  * \param det_ctx thread detection engine ctx
184  * \param s the signature that matched
185  * \param p packet
186  * \param flags alert flags
187  */
189  Packet *p, uint64_t tx_id, uint8_t flags)
190 {
191  int i = 0;
192 
193  if (p->alerts.cnt == PACKET_ALERT_MAX)
194  return 0;
195 
196  SCLogDebug("sid %"PRIu32"", s->id);
197 
198  /* It should be usually the last, so check it before iterating */
199  if (p->alerts.cnt == 0 || (p->alerts.cnt > 0 &&
200  p->alerts.alerts[p->alerts.cnt - 1].num < s->num)) {
201  /* We just add it */
202  p->alerts.alerts[p->alerts.cnt].num = s->num;
203  p->alerts.alerts[p->alerts.cnt].action = s->action;
204  p->alerts.alerts[p->alerts.cnt].flags = flags;
205  p->alerts.alerts[p->alerts.cnt].s = s;
206  p->alerts.alerts[p->alerts.cnt].tx_id = tx_id;
207  } else {
208  /* We need to make room for this s->num
209  (a bit ugly with memcpy but we are planning changes here)*/
210  for (i = p->alerts.cnt - 1; i >= 0 && p->alerts.alerts[i].num > s->num; i--) {
211  memcpy(&p->alerts.alerts[i + 1], &p->alerts.alerts[i], sizeof(PacketAlert));
212  }
213 
214  i++; /* The right place to store the alert */
215 
216  p->alerts.alerts[i].num = s->num;
217  p->alerts.alerts[i].action = s->action;
218  p->alerts.alerts[i].flags = flags;
219  p->alerts.alerts[i].s = s;
220  p->alerts.alerts[i].tx_id = tx_id;
221  }
222 
223  /* Update the count */
224  p->alerts.cnt++;
225 
226  return 0;
227 }
228 
229 /**
230  * \brief Check the threshold of the sigs that match, set actions, break on pass action
231  * This function iterate the packet alerts array, removing those that didn't match
232  * the threshold, and those that match after a signature with the action "pass".
233  * The array is sorted by action priority/order
234  * \param de_ctx detection engine context
235  * \param det_ctx detection engine thread context
236  * \param p pointer to the packet
237  */
239 {
240  SCEnter();
241  int i = 0;
242 
243  while (i < p->alerts.cnt) {
244  SCLogDebug("Sig->num: %"PRIu32, p->alerts.alerts[i].num);
245  const Signature *s = de_ctx->sig_array[p->alerts.alerts[i].num];
246 
247  int res = PacketAlertHandle(de_ctx, det_ctx, s, p, &p->alerts.alerts[i]);
248  if (res > 0) {
249  /* Now, if we have an alert, we have to check if we want
250  * to tag this session or src/dst host */
251  if (s->sm_arrays[DETECT_SM_LIST_TMATCH] != NULL) {
254  while (1) {
255  /* tags are set only for alerts */
257  sigmatch_table[smd->type].Match(NULL, det_ctx, p, (Signature *)s, smd->ctx);
258  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
259  if (smd->is_last)
260  break;
261  smd++;
262  }
263  }
264 
265  if (s->flags & SIG_FLAG_IPONLY) {
268  SCLogDebug("testing against \"ip-only\" signatures");
269 
270  if (p->flow != NULL) {
271  /* Update flow flags for iponly */
273 
274  if (s->action & ACTION_DROP)
275  p->flow->flags |= FLOW_ACTION_DROP;
276  if (s->action & ACTION_REJECT)
277  p->flow->flags |= FLOW_ACTION_DROP;
278  if (s->action & ACTION_REJECT_DST)
279  p->flow->flags |= FLOW_ACTION_DROP;
280  if (s->action & ACTION_REJECT_BOTH)
281  p->flow->flags |= FLOW_ACTION_DROP;
282  if (s->action & ACTION_PASS) {
283  FlowSetNoPacketInspectionFlag(p->flow);
284  }
285  }
286  }
287  }
288 
289  /* set actions on packet */
291 
293  /* Ok, reset the alert cnt to end in the previous of pass
294  * so we ignore the rest with less prio */
295  p->alerts.cnt = i;
296  break;
297 
298  /* if the signature wants to drop, check if the
299  * PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
300  } else if ((PACKET_TEST_ACTION(p, ACTION_DROP)) &&
302  (s->flags & SIG_FLAG_APPLAYER))
303  && p->flow != NULL)
304  {
305  /* This will apply only on IPS mode (check StreamTcpPacket) */
306  p->flow->flags |= FLOW_ACTION_DROP; // XXX API?
307  }
308  }
309 
310  /* Thresholding removes this alert */
311  if (res == 0 || res == 2) {
312  PacketAlertRemove(p, i);
313 
314  if (p->alerts.cnt == 0)
315  break;
316  } else {
317  i++;
318  }
319  }
320 
321  /* At this point, we should have all the new alerts. Now check the tag
322  * keyword context for sessions and hosts */
323  if (!(p->flags & PKT_PSEUDO_STREAM_END))
324  TagHandlePacket(de_ctx, det_ctx, p);
325 
326  /* Set flag on flow to indicate that it has alerts */
327  if (p->flow != NULL && p->alerts.cnt > 0) {
329  }
330 
331 }
332 
333 
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1409
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
Signature ** sig_array
Definition: detect.h:739
struct Flow_ * flow
Definition: decode.h:443
#define KEYWORD_PROFILING_END(ctx, type, m)
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
#define ACTION_REJECT_DST
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:860
uint32_t flags
Definition: detect.h:497
#define PACKET_ALERT_MAX
Definition: decode.h:288
uint32_t id
Definition: detect.h:529
uint8_t is_last
Definition: detect.h:333
void FlowSetIPOnlyFlag(Flow *f, int direction)
Set the IPOnly scanned flag for &#39;direction&#39;.
Definition: flow.c:186
#define TAG_SIG_ID
int prio
Definition: detect.h:532
#define ACTION_REJECT
uint8_t action
Definition: decode.h:269
#define FLOW_ACTION_DROP
Definition: flow.h:64
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, Packet *p, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
#define PKT_IS_IPV6(p)
Definition: decode.h:250
Data needed for Match()
Definition: detect.h:331
void FlowSetHasAlertsFlag(Flow *f)
Set flag to indicate that flow has alerts.
Definition: flow.c:197
#define PACKET_ALERT_FLAG_DROP_FLOW
Definition: decode.h:278
Signature container.
Definition: detect.h:496
void TagHandlePacket(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Search tags for src and dst. Update entries of the tag, remove if necessary.
uint8_t action
Definition: detect.h:509
#define SIG_FLAG_APPLAYER
Definition: detect.h:223
#define PKT_IS_IPV4(p)
Definition: decode.h:249
SigIntId num
Definition: decode.h:268
SigIntId num
Definition: detect.h:506
main detection engine ctx
Definition: detect.h:724
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:292
const struct Signature_ * s
Definition: decode.h:271
#define KEYWORD_PROFILING_START
PacketAlert * PacketAlertGetTag(void)
#define SIG_FLAG_IPONLY
Definition: detect.h:224
#define ACTION_REJECT_BOTH
#define SCEnter(...)
Definition: util-debug.h:337
uint8_t flowflags
Definition: decode.h:437
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:548
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t alert_flags)
Apply action(s) and Set &#39;drop&#39; sig info, if applicable.
Definition: detect.c:1591
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1093
uint32_t gid
Definition: detect.h:530
#define SCReturnInt(x)
Definition: util-debug.h:341
uint64_t tx_id
Definition: decode.h:272
#define ACTION_ALERT
int PacketAlertRemove(Packet *p, uint16_t pos)
Remove alert from the p->alerts.alerts array at pos.
int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Make the threshold logic for signatures.
uint8_t type
Definition: detect.h:332
PoolThreadReserved res
uint16_t tx_id
#define FLOW_PKT_TOSERVER_IPONLY_SET
Definition: flow.h:204
uint8_t flags
Definition: decode.h:270
void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1133
#define TAG_SIG_GEN
uint32_t rev
Definition: detect.h:531
PacketAlerts alerts
Definition: decode.h:555
int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t flags)
append a signature match to a packet
#define ACTION_PASS
uint16_t cnt
Definition: decode.h:291
void PacketAlertTagInit(void)
#define FLOW_PKT_TOCLIENT_IPONLY_SET
Definition: flow.h:205
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
#define ACTION_DROP
uint32_t flags
Definition: decode.h:441
uint32_t flags
Definition: flow.h:379
SigMatchCtx * ctx
Definition: detect.h:334