suricata
detect-engine-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 
20 #include "detect.h"
21 #include "detect-engine-alert.h"
22 #include "detect-engine-threshold.h"
23 #include "detect-engine-tag.h"
24 
25 #include "decode.h"
26 
27 #include "flow.h"
28 #include "flow-private.h"
29 
30 #include "util-profiling.h"
31 
32 /** tag signature we use for tag alerts */
33 static Signature g_tag_signature;
34 /** tag packet alert structure for tag alerts */
35 static PacketAlert g_tag_pa;
36 
37 void PacketAlertTagInit(void)
38 {
39  memset(&g_tag_signature, 0x00, sizeof(g_tag_signature));
40 
41  g_tag_signature.id = TAG_SIG_ID;
42  g_tag_signature.gid = TAG_SIG_GEN;
43  g_tag_signature.num = TAG_SIG_ID;
44  g_tag_signature.rev = 1;
45  g_tag_signature.prio = 2;
46 
47  memset(&g_tag_pa, 0x00, sizeof(g_tag_pa));
48 
49  g_tag_pa.action = ACTION_ALERT;
50  g_tag_pa.s = &g_tag_signature;
51 }
52 
53 PacketAlert *PacketAlertGetTag(void)
54 {
55  return &g_tag_pa;
56 }
57 
58 /**
59  * \brief Handle a packet and check if needs a threshold logic
60  * Also apply rule action if necessary.
61  *
62  * \param de_ctx Detection Context
63  * \param sig Signature pointer
64  * \param p Packet structure
65  *
66  * \retval 1 alert is not suppressed
67  * \retval 0 alert is suppressed
68  */
69 static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
70  const Signature *s, Packet *p, PacketAlert *pa)
71 {
72  SCEnter();
73  int ret = 1;
74  const DetectThresholdData *td = NULL;
75  const SigMatchData *smd;
76 
77  if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {
78  SCReturnInt(1);
79  }
80 
81  /* handle suppressions first */
82  if (s->sm_arrays[DETECT_SM_LIST_SUPPRESS] != NULL) {
83  KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_SUPPRESS);
84  smd = NULL;
85  do {
86  td = SigGetThresholdTypeIter(s, p, &smd, DETECT_SM_LIST_SUPPRESS);
87  if (td != NULL) {
88  SCLogDebug("td %p", td);
89 
90  /* PacketAlertThreshold returns 2 if the alert is suppressed but
91  * we do need to apply rule actions to the packet. */
92  KEYWORD_PROFILING_START;
93  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
94  if (ret == 0 || ret == 2) {
95  KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD, 0);
96  /* It doesn't match threshold, remove it */
97  SCReturnInt(ret);
98  }
99  KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD, 1);
100  }
101  } while (smd != NULL);
102  }
103 
104  /* if we're still here, consider thresholding */
105  if (s->sm_arrays[DETECT_SM_LIST_THRESHOLD] != NULL) {
106  KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_THRESHOLD);
107  smd = NULL;
108  do {
109  td = SigGetThresholdTypeIter(s, p, &smd, DETECT_SM_LIST_THRESHOLD);
110  if (td != NULL) {
111  SCLogDebug("td %p", td);
112 
113  /* PacketAlertThreshold returns 2 if the alert is suppressed but
114  * we do need to apply rule actions to the packet. */
115  KEYWORD_PROFILING_START;
116  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
117  if (ret == 0 || ret == 2) {
118  KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD ,0);
119  /* It doesn't match threshold, remove it */
120  SCReturnInt(ret);
121  }
122  KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD, 1);
123  }
124  } while (smd != NULL);
125  }
126  SCReturnInt(1);
127 }
128 
129 
130 /**
131  * \brief Check if a certain sid alerted, this is used in the test functions
132  *
133  * \param p Packet on which we want to check if the signature alerted or not
134  * \param sid Signature id of the signature that thas to be checked for a match
135  *
136  * \retval match A value > 0 on a match; 0 on no match
137  */
138 int PacketAlertCheck(Packet *p, uint32_t sid)
139 {
140  uint16_t i = 0;
141  int match = 0;
142 
143  for (i = 0; i < p->alerts.cnt; i++) {
144  if (p->alerts.alerts[i].s == NULL)
145  continue;
146 
147  if (p->alerts.alerts[i].s->id == sid)
148  match++;
149  }
150 
151  return match;
152 }
153 
154 /**
155  * \brief Remove alert from the p->alerts.alerts array at pos
156  * \param p Pointer to the Packet
157  * \param pos Position in the array
158  * \retval 0 if the number of alerts is less than pos
159  * 1 if all goes well
160  */
161 int PacketAlertRemove(Packet *p, uint16_t pos)
162 {
163  uint16_t i = 0;
164  int match = 0;
165 
166  if (pos > p->alerts.cnt) {
167  SCLogDebug("removing %u failed, pos > cnt %u", pos, p->alerts.cnt);
168  return 0;
169  }
170 
171  for (i = pos; i <= p->alerts.cnt - 1; i++) {
172  memcpy(&p->alerts.alerts[i], &p->alerts.alerts[i + 1], sizeof(PacketAlert));
173  }
174 
175  // Update it, since we removed 1
176  p->alerts.cnt--;
177 
178  return match;
179 }
180 
181 /** \brief append a signature match to a packet
182  *
183  * \param det_ctx thread detection engine ctx
184  * \param s the signature that matched
185  * \param p packet
186  * \param flags alert flags
187  */
188 int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, const Signature *s,
189  Packet *p, uint64_t tx_id, uint8_t flags)
190 {
191  int i = 0;
192 
193  if (p->alerts.cnt == PACKET_ALERT_MAX)
194  return 0;
195 
196  SCLogDebug("sid %"PRIu32"", s->id);
197 
198  /* It should be usually the last, so check it before iterating */
199  if (p->alerts.cnt == 0 || (p->alerts.cnt > 0 &&
200  p->alerts.alerts[p->alerts.cnt - 1].num < s->num)) {
201  /* We just add it */
202  p->alerts.alerts[p->alerts.cnt].num = s->num;
203  p->alerts.alerts[p->alerts.cnt].action = s->action;
204  p->alerts.alerts[p->alerts.cnt].flags = flags;
205  p->alerts.alerts[p->alerts.cnt].s = s;
206  p->alerts.alerts[p->alerts.cnt].tx_id = tx_id;
207  } else {
208  /* We need to make room for this s->num
209  (a bit ugly with memcpy but we are planning changes here)*/
210  for (i = p->alerts.cnt - 1; i >= 0 && p->alerts.alerts[i].num > s->num; i--) {
211  memcpy(&p->alerts.alerts[i + 1], &p->alerts.alerts[i], sizeof(PacketAlert));
212  }
213 
214  i++; /* The right place to store the alert */
215 
216  p->alerts.alerts[i].num = s->num;
217  p->alerts.alerts[i].action = s->action;
218  p->alerts.alerts[i].flags = flags;
219  p->alerts.alerts[i].s = s;
220  p->alerts.alerts[i].tx_id = tx_id;
221  }
222 
223  /* Update the count */
224  p->alerts.cnt++;
225 
226  return 0;
227 }
228 
229 static inline void RuleActionToFlow(const uint8_t action, Flow *f)
230 {
231  if (action & ACTION_DROP)
232  f->flags |= FLOW_ACTION_DROP;
233 
234  if (action & ACTION_REJECT_ANY)
235  f->flags |= FLOW_ACTION_DROP;
236 
237  if (action & ACTION_PASS) {
238  FlowSetNoPacketInspectionFlag(f);
239  }
240 }
241 
242 /**
243  * \brief Check the threshold of the sigs that match, set actions, break on pass action
244  * This function iterate the packet alerts array, removing those that didn't match
245  * the threshold, and those that match after a signature with the action "pass".
246  * The array is sorted by action priority/order
247  * \param de_ctx detection engine context
248  * \param det_ctx detection engine thread context
249  * \param p pointer to the packet
250  */
251 void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
252 {
253  SCEnter();
254  int i = 0;
255 
256  while (i < p->alerts.cnt) {
257  SCLogDebug("Sig->num: %"PRIu32, p->alerts.alerts[i].num);
258  const Signature *s = de_ctx->sig_array[p->alerts.alerts[i].num];
259 
260  int res = PacketAlertHandle(de_ctx, det_ctx, s, p, &p->alerts.alerts[i]);
261  if (res > 0) {
262  /* Now, if we have an alert, we have to check if we want
263  * to tag this session or src/dst host */
264  if (s->sm_arrays[DETECT_SM_LIST_TMATCH] != NULL) {
265  KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_TMATCH);
266  SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_TMATCH];
267  while (1) {
268  /* tags are set only for alerts */
269  KEYWORD_PROFILING_START;
270  sigmatch_table[smd->type].Match(det_ctx, p, (Signature *)s, smd->ctx);
271  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
272  if (smd->is_last)
273  break;
274  smd++;
275  }
276  }
277 
278  /* IP-only and PD-only matches should apply to the flow */
279  if (s->flags & (SIG_FLAG_IPONLY | SIG_FLAG_PDONLY)) {
280  if (p->flow != NULL) {
281  RuleActionToFlow(s->action, p->flow);
282  }
283  }
284 
285  /* set actions on packet */
286  DetectSignatureApplyActions(p, p->alerts.alerts[i].s, p->alerts.alerts[i].flags);
287 
288  if (PACKET_TEST_ACTION(p, ACTION_PASS)) {
289  /* Ok, reset the alert cnt to end in the previous of pass
290  * so we ignore the rest with less prio */
291  p->alerts.cnt = i;
292  break;
293 
294  /* if the signature wants to drop, check if the
295  * PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
296  } else if ((PACKET_TEST_ACTION(p, ACTION_DROP)) &&
297  ((p->alerts.alerts[i].flags & PACKET_ALERT_FLAG_DROP_FLOW) ||
298  (s->flags & SIG_FLAG_APPLAYER))
299  && p->flow != NULL)
300  {
301  /* This will apply only on IPS mode (check StreamTcpPacket) */
302  p->flow->flags |= FLOW_ACTION_DROP; // XXX API?
303  }
304  }
305 
306  /* Thresholding removes this alert */
307  if (res == 0 || res == 2) {
308  PacketAlertRemove(p, i);
309 
310  if (p->alerts.cnt == 0)
311  break;
312  } else {
313  i++;
314  }
315  }
316 
317  /* At this point, we should have all the new alerts. Now check the tag
318  * keyword context for sessions and hosts */
319  if (!(p->flags & PKT_PSEUDO_STREAM_END))
320  TagHandlePacket(de_ctx, det_ctx, p);
321 
322  /* Set flag on flow to indicate that it has alerts */
323  if (p->flow != NULL && p->alerts.cnt > 0) {
324  FlowSetHasAlertsFlag(p->flow);
325  }
326 
327 }
328 
329 
FlowSetHasAlertsFlag
void FlowSetHasAlertsFlag(Flow *f)
Set flag to indicate that flow has alerts.
Definition: flow.c:169
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:281
SIG_FLAG_PDONLY
#define SIG_FLAG_PDONLY
Definition: detect.h:247
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:260
Signature_::num
SigIntId num
Definition: detect.h:525
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
KEYWORD_PROFILING_SET_LIST
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
Definition: util-profiling.h:65
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PacketAlerts_::alerts
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:302
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:301
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:332
Packet_::flags
uint32_t flags
Definition: decode.h:451
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:350
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:104
TAG_SIG_ID
#define TAG_SIG_ID
Definition: detect-engine-tag.h:43
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:755
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:37
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:68
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:568
SigMatchData_
Data needed for Match()
Definition: detect.h:329
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:69
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:568
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:218
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:83
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:282
PacketAlert_::action
uint8_t action
Definition: decode.h:279
Signature_::gid
uint32_t gid
Definition: detect.h:549
PacketAlertGetTag
PacketAlert * PacketAlertGetTag(void)
Definition: detect-engine-alert.c:53
decode.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:999
SigGetThresholdTypeIter
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, Packet *p, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
Definition: detect-engine-threshold.c:115
PacketAlert_::num
SigIntId num
Definition: decode.h:278
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:55
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1130
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
SigMatchData_::type
uint8_t type
Definition: detect.h:330
detect-engine-tag.h
Signature_::action
uint8_t action
Definition: detect.h:528
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:516
PACKET_ALERT_FLAG_DROP_FLOW
#define PACKET_ALERT_FLAG_DROP_FLOW
Definition: decode.h:288
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:416
SIG_FLAG_IPONLY
#define SIG_FLAG_IPONLY
Definition: detect.h:219
detect-engine-alert.h
PacketAlertRemove
int PacketAlertRemove(Packet *p, uint16_t pos)
Remove alert from the p->alerts.alerts array at pos.
Definition: detect-engine-alert.c:161
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1168
DetectSignatureApplyActions
void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t alert_flags)
Apply action(s) and Set 'drop' sig info, if applicable.
Definition: detect.c:1537
PacketAlertThreshold
int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Make the threshold logic for signatures.
Definition: detect-engine-threshold.c:607
PacketAlert_::flags
uint8_t flags
Definition: decode.h:280
Packet_::flow
struct Flow_ * flow
Definition: decode.h:453
flags
uint8_t flags
Definition: decode-gre.h:0
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:331
suricata-common.h
DetectThresholdData_
Definition: detect-threshold.h:57
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
Signature_::rev
uint32_t rev
Definition: detect.h:550
DETECT_SM_LIST_TMATCH
@ DETECT_SM_LIST_TMATCH
Definition: detect.h:100
Signature_::prio
int prio
Definition: detect.h:551
TagHandlePacket
void TagHandlePacket(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Search tags for src and dst. Update entries of the tag, remove if necessary.
Definition: detect-engine-tag.c:502
PACKET_ALERT_MAX
#define PACKET_ALERT_MAX
Definition: decode.h:298
PacketAlertFinalize
void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
Definition: detect-engine-alert.c:251
Signature_::id
uint32_t id
Definition: detect.h:548
Flow_::flags
uint32_t flags
Definition: flow.h:428
Signature_
Signature container.
Definition: detect.h:515
PacketAlertTagInit
void PacketAlertTagInit(void)
Definition: detect-engine-alert.c:37
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:770
PacketAlert_
Definition: decode.h:277
PacketAlertAppend
int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t flags)
append a signature match to a packet
Definition: detect-engine-alert.c:188
TAG_SIG_GEN
#define TAG_SIG_GEN
Definition: detect-engine-tag.h:42
flow.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:259
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:103
detect-engine-threshold.h
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:887