suricata
detect-engine-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 
20 #include "detect.h"
21 #include "detect-engine-alert.h"
23 #include "detect-engine-tag.h"
24 
25 #include "decode.h"
26 
27 #include "flow.h"
28 #include "flow-private.h"
29 
30 #include "util-profiling.h"
31 
32 /** tag signature we use for tag alerts */
33 static Signature g_tag_signature;
34 /** tag packet alert structure for tag alerts */
35 static PacketAlert g_tag_pa;
36 
38 {
39  memset(&g_tag_signature, 0x00, sizeof(g_tag_signature));
40 
41  g_tag_signature.id = TAG_SIG_ID;
42  g_tag_signature.gid = TAG_SIG_GEN;
43  g_tag_signature.num = TAG_SIG_ID;
44  g_tag_signature.rev = 1;
45  g_tag_signature.prio = 2;
46 
47  memset(&g_tag_pa, 0x00, sizeof(g_tag_pa));
48 
49  g_tag_pa.action = ACTION_ALERT;
50  g_tag_pa.s = &g_tag_signature;
51 }
52 
54 {
55  return &g_tag_pa;
56 }
57 
58 /**
59  * \brief Handle a packet and check if needs a threshold logic
60  * Also apply rule action if necessary.
61  *
62  * \param de_ctx Detection Context
63  * \param sig Signature pointer
64  * \param p Packet structure
65  *
66  * \retval 1 alert is not suppressed
67  * \retval 0 alert is suppressed
68  */
69 static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
70  const Signature *s, Packet *p, PacketAlert *pa)
71 {
72  SCEnter();
73  int ret = 1;
74  const DetectThresholdData *td = NULL;
75  const SigMatchData *smd;
76 
77  if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {
78  SCReturnInt(1);
79  }
80 
81  /* handle suppressions first */
82  if (s->sm_arrays[DETECT_SM_LIST_SUPPRESS] != NULL) {
84  smd = NULL;
85  do {
87  if (td != NULL) {
88  SCLogDebug("td %p", td);
89 
90  /* PacketAlertThreshold returns 2 if the alert is suppressed but
91  * we do need to apply rule actions to the packet. */
93  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
94  if (ret == 0 || ret == 2) {
96  /* It doesn't match threshold, remove it */
97  SCReturnInt(ret);
98  }
100  }
101  } while (smd != NULL);
102  }
103 
104  /* if we're still here, consider thresholding */
105  if (s->sm_arrays[DETECT_SM_LIST_THRESHOLD] != NULL) {
107  smd = NULL;
108  do {
110  if (td != NULL) {
111  SCLogDebug("td %p", td);
112 
113  /* PacketAlertThreshold returns 2 if the alert is suppressed but
114  * we do need to apply rule actions to the packet. */
116  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
117  if (ret == 0 || ret == 2) {
119  /* It doesn't match threshold, remove it */
120  SCReturnInt(ret);
121  }
123  }
124  } while (smd != NULL);
125  }
126  SCReturnInt(1);
127 }
128 
129 
130 /**
131  * \brief Check if a certain sid alerted, this is used in the test functions
132  *
133  * \param p Packet on which we want to check if the signature alerted or not
134  * \param sid Signature id of the signature that thas to be checked for a match
135  *
136  * \retval match A value > 0 on a match; 0 on no match
137  */
138 int PacketAlertCheck(Packet *p, uint32_t sid)
139 {
140  uint16_t i = 0;
141  int match = 0;
142 
143  for (i = 0; i < p->alerts.cnt; i++) {
144  if (p->alerts.alerts[i].s == NULL)
145  continue;
146 
147  if (p->alerts.alerts[i].s->id == sid)
148  match++;
149  }
150 
151  return match;
152 }
153 
154 /**
155  * \brief Remove alert from the p->alerts.alerts array at pos
156  * \param p Pointer to the Packet
157  * \param pos Position in the array
158  * \retval 0 if the number of alerts is less than pos
159  * 1 if all goes well
160  */
161 int PacketAlertRemove(Packet *p, uint16_t pos)
162 {
163  uint16_t i = 0;
164  int match = 0;
165 
166  if (pos > p->alerts.cnt) {
167  SCLogDebug("removing %u failed, pos > cnt %u", pos, p->alerts.cnt);
168  return 0;
169  }
170 
171  for (i = pos; i <= p->alerts.cnt - 1; i++) {
172  memcpy(&p->alerts.alerts[i], &p->alerts.alerts[i + 1], sizeof(PacketAlert));
173  }
174 
175  // Update it, since we removed 1
176  p->alerts.cnt--;
177 
178  return match;
179 }
180 
181 /** \brief append a signature match to a packet
182  *
183  * \param det_ctx thread detection engine ctx
184  * \param s the signature that matched
185  * \param p packet
186  * \param flags alert flags
187  */
189  Packet *p, uint64_t tx_id, uint8_t flags)
190 {
191  int i = 0;
192 
193  if (p->alerts.cnt == PACKET_ALERT_MAX)
194  return 0;
195 
196  SCLogDebug("sid %"PRIu32"", s->id);
197 
198  /* It should be usually the last, so check it before iterating */
199  if (p->alerts.cnt == 0 || (p->alerts.cnt > 0 &&
200  p->alerts.alerts[p->alerts.cnt - 1].num < s->num)) {
201  /* We just add it */
202  p->alerts.alerts[p->alerts.cnt].num = s->num;
203  p->alerts.alerts[p->alerts.cnt].action = s->action;
204  p->alerts.alerts[p->alerts.cnt].flags = flags;
205  p->alerts.alerts[p->alerts.cnt].s = s;
206  p->alerts.alerts[p->alerts.cnt].tx_id = tx_id;
207  } else {
208  /* We need to make room for this s->num
209  (a bit ugly with memcpy but we are planning changes here)*/
210  for (i = p->alerts.cnt - 1; i >= 0 && p->alerts.alerts[i].num > s->num; i--) {
211  memcpy(&p->alerts.alerts[i + 1], &p->alerts.alerts[i], sizeof(PacketAlert));
212  }
213 
214  i++; /* The right place to store the alert */
215 
216  p->alerts.alerts[i].num = s->num;
217  p->alerts.alerts[i].action = s->action;
218  p->alerts.alerts[i].flags = flags;
219  p->alerts.alerts[i].s = s;
220  p->alerts.alerts[i].tx_id = tx_id;
221  }
222 
223  /* Update the count */
224  p->alerts.cnt++;
225 
226  return 0;
227 }
228 
229 /**
230  * \brief Check the threshold of the sigs that match, set actions, break on pass action
231  * This function iterate the packet alerts array, removing those that didn't match
232  * the threshold, and those that match after a signature with the action "pass".
233  * The array is sorted by action priority/order
234  * \param de_ctx detection engine context
235  * \param det_ctx detection engine thread context
236  * \param p pointer to the packet
237  */
239 {
240  SCEnter();
241  int i = 0;
242 
243  while (i < p->alerts.cnt) {
244  SCLogDebug("Sig->num: %"PRIu32, p->alerts.alerts[i].num);
245  const Signature *s = de_ctx->sig_array[p->alerts.alerts[i].num];
246 
247  int res = PacketAlertHandle(de_ctx, det_ctx, s, p, &p->alerts.alerts[i]);
248  if (res > 0) {
249  /* Now, if we have an alert, we have to check if we want
250  * to tag this session or src/dst host */
251  if (s->sm_arrays[DETECT_SM_LIST_TMATCH] != NULL) {
254  while (1) {
255  /* tags are set only for alerts */
257  sigmatch_table[smd->type].Match(det_ctx, p, (Signature *)s, smd->ctx);
258  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
259  if (smd->is_last)
260  break;
261  smd++;
262  }
263  }
264 
265  if (s->flags & SIG_FLAG_IPONLY) {
268  SCLogDebug("testing against \"ip-only\" signatures");
269 
270  if (p->flow != NULL) {
271  /* Update flow flags for iponly */
273 
274  if (s->action & ACTION_DROP)
275  p->flow->flags |= FLOW_ACTION_DROP;
276  if (s->action & ACTION_REJECT)
277  p->flow->flags |= FLOW_ACTION_DROP;
278  if (s->action & ACTION_REJECT_DST)
279  p->flow->flags |= FLOW_ACTION_DROP;
280  if (s->action & ACTION_REJECT_BOTH)
281  p->flow->flags |= FLOW_ACTION_DROP;
282  if (s->action & ACTION_PASS) {
283  FlowSetNoPacketInspectionFlag(p->flow);
284  }
285  }
286  }
287  }
288 
289  /* set actions on packet */
291 
293  /* Ok, reset the alert cnt to end in the previous of pass
294  * so we ignore the rest with less prio */
295  p->alerts.cnt = i;
296  break;
297 
298  /* if the signature wants to drop, check if the
299  * PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
300  } else if ((PACKET_TEST_ACTION(p, ACTION_DROP)) &&
302  (s->flags & SIG_FLAG_APPLAYER))
303  && p->flow != NULL)
304  {
305  /* This will apply only on IPS mode (check StreamTcpPacket) */
306  p->flow->flags |= FLOW_ACTION_DROP; // XXX API?
307  }
308  }
309 
310  /* Thresholding removes this alert */
311  if (res == 0 || res == 2) {
312  PacketAlertRemove(p, i);
313 
314  if (p->alerts.cnt == 0)
315  break;
316  } else {
317  i++;
318  }
319  }
320 
321  /* At this point, we should have all the new alerts. Now check the tag
322  * keyword context for sessions and hosts */
323  if (!(p->flags & PKT_PSEUDO_STREAM_END))
324  TagHandlePacket(de_ctx, det_ctx, p);
325 
326  /* Set flag on flow to indicate that it has alerts */
327  if (p->flow != NULL && p->alerts.cnt > 0) {
329  }
330 
331 }
332 
333 
FlowSetHasAlertsFlag
void FlowSetHasAlertsFlag(Flow *f)
Set flag to indicate that flow has alerts.
Definition: flow.c:213
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:276
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:255
Signature_::num
SigIntId num
Definition: detect.h:537
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
KEYWORD_PROFILING_SET_LIST
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
Definition: util-profiling.h:65
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PacketAlerts_::alerts
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:297
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:296
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:331
Packet_::flags
uint32_t flags
Definition: decode.h:446
flow-private.h
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:104
TAG_SIG_ID
#define TAG_SIG_ID
Definition: detect-engine-tag.h:43
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:64
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:580
FLOW_PKT_TOCLIENT_IPONLY_SET
#define FLOW_PKT_TOCLIENT_IPONLY_SET
Definition: flow.h:222
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:442
SigMatchData_
Data needed for Match()
Definition: detect.h:328
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:69
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:558
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:218
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:83
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:277
PacketAlert_::action
uint8_t action
Definition: decode.h:274
Signature_::gid
uint32_t gid
Definition: detect.h:561
PacketAlertGetTag
PacketAlert * PacketAlertGetTag(void)
Definition: detect-engine-alert.c:53
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
decode.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
SigGetThresholdTypeIter
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, Packet *p, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
Definition: detect-engine-threshold.c:115
PacketAlert_::num
SigIntId num
Definition: decode.h:273
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:54
FLOW_PKT_TOSERVER_IPONLY_SET
#define FLOW_PKT_TOSERVER_IPONLY_SET
Definition: flow.h:221
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1088
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
SigMatchData_::type
uint8_t type
Definition: detect.h:329
detect-engine-tag.h
Signature_::action
uint8_t action
Definition: detect.h:540
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:528
PACKET_ALERT_FLAG_DROP_FLOW
#define PACKET_ALERT_FLAG_DROP_FLOW
Definition: decode.h:283
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:411
SIG_FLAG_IPONLY
#define SIG_FLAG_IPONLY
Definition: detect.h:219
detect-engine-alert.h
PacketAlertRemove
int PacketAlertRemove(Packet *p, uint16_t pos)
Remove alert from the p->alerts.alerts array at pos.
Definition: detect-engine-alert.c:161
FlowSetIPOnlyFlag
void FlowSetIPOnlyFlag(Flow *f, int direction)
Set the IPOnly scanned flag for 'direction'.
Definition: flow.c:202
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
DetectSignatureApplyActions
void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t alert_flags)
Apply action(s) and Set 'drop' sig info, if applicable.
Definition: detect.c:1517
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
PacketAlertThreshold
int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Make the threshold logic for signatures.
Definition: detect-engine-threshold.c:607
PacketAlert_::flags
uint8_t flags
Definition: decode.h:275
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
Packet_::flow
struct Flow_ * flow
Definition: decode.h:448
flags
uint8_t flags
Definition: decode-gre.h:0
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:330
suricata-common.h
DetectThresholdData_
Definition: detect-threshold.h:57
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
Signature_::rev
uint32_t rev
Definition: detect.h:562
DETECT_SM_LIST_TMATCH
@ DETECT_SM_LIST_TMATCH
Definition: detect.h:100
Signature_::prio
int prio
Definition: detect.h:563
TagHandlePacket
void TagHandlePacket(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Search tags for src and dst. Update entries of the tag, remove if necessary.
Definition: detect-engine-tag.c:504
PACKET_ALERT_MAX
#define PACKET_ALERT_MAX
Definition: decode.h:293
PacketAlertFinalize
void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
Definition: detect-engine-alert.c:238
Signature_::id
uint32_t id
Definition: detect.h:560
Flow_::flags
uint32_t flags
Definition: flow.h:396
Signature_
Signature container.
Definition: detect.h:527
PacketAlertTagInit
void PacketAlertTagInit(void)
Definition: detect-engine-alert.c:37
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:781
PacketAlert_
Definition: decode.h:272
PacketAlertAppend
int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t flags)
append a signature match to a packet
Definition: detect-engine-alert.c:188
TAG_SIG_GEN
#define TAG_SIG_GEN
Definition: detect-engine-tag.h:42
flow.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:254
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:103
detect-engine-threshold.h
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:850