suricata
detect-engine-dcepayload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-engine.h"
31 #include "detect-parse.h"
32 #include "detect-pcre.h"
33 #include "detect-isdataat.h"
34 #include "detect-bytetest.h"
35 #include "detect-bytejump.h"
36 #include "detect-byte-extract.h"
37 #include "detect-content.h"
38 #include "detect-engine-content-inspection.h"
39 #include "detect-engine-dcepayload.h"
40 #include "detect-engine-build.h"
41 #include "app-layer-parser.h"
42 
43 #include "stream-tcp.h"
44 
45 #include "app-layer.h"
46 #include "flow-util.h"
47 #include "util-debug.h"
48 
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 
52 #include "detect-dce-iface.h"
53 
54 static int g_dce_stub_data_buffer_id = 0;
55 
56 
57 /**************************************Unittests*******************************/
58 
59 #ifdef UNITTESTS
60 #include "detect-engine-alert.h"
61 
62 /**
63  * \test Test the working of byte_test endianness.
64  */
65 static int DcePayloadTest15(void)
66 {
67  int result = 0;
68 
69  uint8_t request1[] = {
70  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
71  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
72  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
73  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
74  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
75  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
76  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
77  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
78  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
79  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
80  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
81  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
82  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
83  };
84  uint32_t request1_len = sizeof(request1);
85 
86  TcpSession ssn;
87  Packet *p = NULL;
88  ThreadVars tv;
89  DetectEngineCtx *de_ctx = NULL;
90  DetectEngineThreadCtx *det_ctx = NULL;
91  Flow f;
92  int r;
93 
94  const char *sig1 = "alert tcp any any -> any any "
95  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
96  "byte_test:2,=,14080,0,relative,dce; sid:1;)";
97  const char *sig2 = "alert tcp any any -> any any "
98  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
99  "byte_test:2,=,46,5,relative,dce; sid:2;)";
100 
101  Signature *s;
102  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
103 
104  memset(&tv, 0, sizeof(ThreadVars));
105  memset(&f, 0, sizeof(Flow));
106  memset(&ssn, 0, sizeof(TcpSession));
107 
108  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
109  p->flow = &f;
110  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
111  p->flowflags |= FLOW_PKT_TOSERVER;
112  p->flowflags |= FLOW_PKT_ESTABLISHED;
113 
114  FLOW_INITIALIZE(&f);
115  f.protoctx = (void *)&ssn;
116  f.proto = IPPROTO_TCP;
117  f.flags |= FLOW_IPV4;
118  f.alproto = ALPROTO_DCERPC;
119 
120  StreamTcpInitConfig(true);
121 
122  de_ctx = DetectEngineCtxInit();
123  if (de_ctx == NULL)
124  goto end;
125  de_ctx->flags |= DE_QUIET;
126 
127  de_ctx->sig_list = SigInit(de_ctx, sig1);
128  s = de_ctx->sig_list;
129  if (s == NULL)
130  goto end;
131  s->next = SigInit(de_ctx, sig2);
132  if (s->next == NULL)
133  goto end;
134 
135  SigGroupBuild(de_ctx);
136  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
137 
138  /* request 1 */
139  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
140  STREAM_TOSERVER, request1, request1_len);
141  if (r != 0) {
142  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
143  result = 0;
144  goto end;
145  }
146  /* detection phase */
147  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
148  if (!(PacketAlertCheck(p, 1))) {
149  printf("sid 1 didn't match but should have for packet: ");
150  goto end;
151  }
152  if (!(PacketAlertCheck(p, 2))) {
153  printf("sid 2 didn't match but should have for packet: ");
154  goto end;
155  }
156 
157  result = 1;
158 
159 end:
160  if (alp_tctx != NULL)
161  AppLayerParserThreadCtxFree(alp_tctx);
162  if (de_ctx != NULL) {
163  SigGroupCleanup(de_ctx);
164  SigCleanSignatures(de_ctx);
165 
166  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
167  DetectEngineCtxFree(de_ctx);
168  }
169 
170  StreamTcpFreeConfig(true);
171 
172  UTHFreePackets(&p, 1);
173  return result;
174 }
175 
176 /**
177  * \test Test the working of byte_test endianness.
178  */
179 static int DcePayloadTest16(void)
180 {
181  int result = 0;
182 
183  uint8_t request1[] = {
184  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
185  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
186  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
187  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
188  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
189  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
190  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
191  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
192  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
193  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
194  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
195  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
196  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
197  };
198  uint32_t request1_len = sizeof(request1);
199 
200  TcpSession ssn;
201  Packet *p = NULL;
202  ThreadVars tv;
203  DetectEngineCtx *de_ctx = NULL;
204  DetectEngineThreadCtx *det_ctx = NULL;
205  Flow f;
206  int r;
207 
208  const char *sig1 = "alert tcp any any -> any any "
209  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
210  "byte_test:2,=,55,0,relative; sid:1;)";
211  const char *sig2 = "alert tcp any any -> any any "
212  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
213  "byte_test:2,=,11776,5,relative; sid:2;)";
214 
215  Signature *s;
216  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
217 
218  memset(&tv, 0, sizeof(ThreadVars));
219  memset(&f, 0, sizeof(Flow));
220  memset(&ssn, 0, sizeof(TcpSession));
221 
222  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
223  p->flow = &f;
224  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
225  p->flowflags |= FLOW_PKT_TOSERVER;
226  p->flowflags |= FLOW_PKT_ESTABLISHED;
227 
228  FLOW_INITIALIZE(&f);
229  f.protoctx = (void *)&ssn;
230  f.proto = IPPROTO_TCP;
231  f.flags |= FLOW_IPV4;
232  f.alproto = ALPROTO_DCERPC;
233 
234  StreamTcpInitConfig(true);
235 
236  de_ctx = DetectEngineCtxInit();
237  if (de_ctx == NULL)
238  goto end;
239  de_ctx->flags |= DE_QUIET;
240 
241  de_ctx->sig_list = SigInit(de_ctx, sig1);
242  s = de_ctx->sig_list;
243  if (s == NULL)
244  goto end;
245  s->next = SigInit(de_ctx, sig2);
246  if (s->next == NULL)
247  goto end;
248 
249  SigGroupBuild(de_ctx);
250  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
251 
252  /* request 1 */
253  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
254  STREAM_TOSERVER, request1, request1_len);
255  if (r != 0) {
256  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
257  result = 0;
258  goto end;
259  }
260  /* detection phase */
261  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
262  if (!(PacketAlertCheck(p, 1))) {
263  printf("sid 1 didn't match but should have for packet: ");
264  goto end;
265  }
266  if (!(PacketAlertCheck(p, 2))) {
267  printf("sid 2 didn't match but should have for packet: ");
268  goto end;
269  }
270 
271  result = 1;
272 
273 end:
274  if (alp_tctx != NULL)
275  AppLayerParserThreadCtxFree(alp_tctx);
276  if (de_ctx != NULL) {
277  SigGroupCleanup(de_ctx);
278  SigCleanSignatures(de_ctx);
279 
280  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
281  DetectEngineCtxFree(de_ctx);
282  }
283 
284  StreamTcpFreeConfig(true);
285 
286  UTHFreePackets(&p, 1);
287  return result;
288 }
289 
290 /**
291  * \test Test the working of byte_test endianness.
292  */
293 static int DcePayloadTest17(void)
294 {
295  int result = 0;
296 
297  uint8_t request1[] = {
298  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
299  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
300  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
301  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
302  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
303  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
304  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
305  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
306  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
307  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
308  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
309  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
310  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
311  };
312  uint32_t request1_len = sizeof(request1);
313 
314  TcpSession ssn;
315  Packet *p = NULL;
316  ThreadVars tv;
317  DetectEngineCtx *de_ctx = NULL;
318  DetectEngineThreadCtx *det_ctx = NULL;
319  Flow f;
320  int r;
321 
322  const char *sig1 = "alert tcp any any -> any any "
323  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
324  "byte_test:2,=,55,0,relative,big; sid:1;)";
325  const char *sig2 = "alert tcp any any -> any any "
326  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
327  "byte_test:2,=,46,5,relative,little; sid:2;)";
328 
329  Signature *s;
330  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
331 
332  memset(&tv, 0, sizeof(ThreadVars));
333  memset(&f, 0, sizeof(Flow));
334  memset(&ssn, 0, sizeof(TcpSession));
335 
336  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
337  p->flow = &f;
338  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
339  p->flowflags |= FLOW_PKT_TOSERVER;
340  p->flowflags |= FLOW_PKT_ESTABLISHED;
341 
342  FLOW_INITIALIZE(&f);
343  f.protoctx = (void *)&ssn;
344  f.proto = IPPROTO_TCP;
345  f.flags |= FLOW_IPV4;
346  f.alproto = ALPROTO_DCERPC;
347 
348  StreamTcpInitConfig(true);
349 
350  de_ctx = DetectEngineCtxInit();
351  if (de_ctx == NULL)
352  goto end;
353  de_ctx->flags |= DE_QUIET;
354 
355  de_ctx->sig_list = SigInit(de_ctx, sig1);
356  s = de_ctx->sig_list;
357  if (s == NULL)
358  goto end;
359  s->next = SigInit(de_ctx, sig2);
360  if (s->next == NULL)
361  goto end;
362 
363  SigGroupBuild(de_ctx);
364  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
365 
366  /* request 1 */
367  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
368  STREAM_TOSERVER, request1, request1_len);
369  if (r != 0) {
370  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
371  result = 0;
372  goto end;
373  }
374  /* detection phase */
375  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
376  if (!(PacketAlertCheck(p, 1))) {
377  printf("sid 1 didn't match but should have for packet: ");
378  goto end;
379  }
380  if (!(PacketAlertCheck(p, 2))) {
381  printf("sid 2 didn't match but should have for packet: ");
382  goto end;
383  }
384 
385  result = 1;
386 
387 end:
388  if (alp_tctx != NULL)
389  AppLayerParserThreadCtxFree(alp_tctx);
390  if (de_ctx != NULL) {
391  SigGroupCleanup(de_ctx);
392  SigCleanSignatures(de_ctx);
393 
394  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
395  DetectEngineCtxFree(de_ctx);
396  }
397 
398  StreamTcpFreeConfig(true);
399 
400  UTHFreePackets(&p, 1);
401  return result;
402 }
403 
404 /**
405  * \test Test the working of byte_jump endianness.
406  */
407 static int DcePayloadTest18(void)
408 {
409  int result = 0;
410 
411  uint8_t request1[] = {
412  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
413  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
414  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
415  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
416  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
417  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x03, 0x00, 0x03,
418  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
419  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
420  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
421  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
422  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
423  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
424  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
425  };
426  uint32_t request1_len = sizeof(request1);
427 
428  TcpSession ssn;
429  Packet *p = NULL;
430  ThreadVars tv;
431  DetectEngineCtx *de_ctx = NULL;
432  DetectEngineThreadCtx *det_ctx = NULL;
433  Flow f;
434  int r;
435 
436  const char *sig1 = "alert tcp any any -> any any "
437  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
438  "byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)";
439  const char *sig2 = "alert tcp any any -> any any "
440  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
441  "byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)";
442 
443  Signature *s;
444  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
445 
446  memset(&tv, 0, sizeof(ThreadVars));
447  memset(&f, 0, sizeof(Flow));
448  memset(&ssn, 0, sizeof(TcpSession));
449 
450  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
451  p->flow = &f;
452  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
453  p->flowflags |= FLOW_PKT_TOSERVER;
454  p->flowflags |= FLOW_PKT_ESTABLISHED;
455 
456  FLOW_INITIALIZE(&f);
457  f.protoctx = (void *)&ssn;
458  f.proto = IPPROTO_TCP;
459  f.flags |= FLOW_IPV4;
460  f.alproto = ALPROTO_DCERPC;
461 
462  StreamTcpInitConfig(true);
463 
464  de_ctx = DetectEngineCtxInit();
465  if (de_ctx == NULL)
466  goto end;
467  de_ctx->flags |= DE_QUIET;
468 
469  de_ctx->sig_list = SigInit(de_ctx, sig1);
470  s = de_ctx->sig_list;
471  if (s == NULL)
472  goto end;
473  s->next = SigInit(de_ctx, sig2);
474  if (s->next == NULL)
475  goto end;
476 
477  SigGroupBuild(de_ctx);
478  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
479 
480  /* request 1 */
481  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
482  STREAM_TOSERVER, request1, request1_len);
483  if (r != 0) {
484  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
485  result = 0;
486  goto end;
487  }
488  /* detection phase */
489  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
490  if (!(PacketAlertCheck(p, 1))) {
491  printf("sid 1 didn't match but should have for packet: ");
492  goto end;
493  }
494  if (!(PacketAlertCheck(p, 2))) {
495  printf("sid 2 didn't match but should have for packet: ");
496  goto end;
497  }
498 
499  result = 1;
500 
501 end:
502  if (alp_tctx != NULL)
503  AppLayerParserThreadCtxFree(alp_tctx);
504  if (de_ctx != NULL) {
505  SigGroupCleanup(de_ctx);
506  SigCleanSignatures(de_ctx);
507 
508  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
509  DetectEngineCtxFree(de_ctx);
510  }
511 
512  StreamTcpFreeConfig(true);
513 
514  UTHFreePackets(&p, 1);
515  return result;
516 }
517 
518 /**
519  * \test Test the working of byte_jump endianness.
520  */
521 static int DcePayloadTest19(void)
522 {
523  int result = 0;
524 
525  uint8_t request1[] = {
526  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
527  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
528  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
529  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
530  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
531  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x00,
532  0x03, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
533  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
534  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
535  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
536  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
537  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
538  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
539  };
540  uint32_t request1_len = sizeof(request1);
541 
542  TcpSession ssn;
543  Packet *p = NULL;
544  ThreadVars tv;
545  DetectEngineCtx *de_ctx = NULL;
546  DetectEngineThreadCtx *det_ctx = NULL;
547  Flow f;
548  int r;
549 
550  const char *sig1 = "alert tcp any any -> any any "
551  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
552  "byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)";
553  const char *sig2 = "alert tcp any any -> any any "
554  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
555  "byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)";
556 
557  Signature *s;
558  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
559 
560  memset(&tv, 0, sizeof(ThreadVars));
561  memset(&f, 0, sizeof(Flow));
562  memset(&ssn, 0, sizeof(TcpSession));
563 
564  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
565  p->flow = &f;
566  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
567  p->flowflags |= FLOW_PKT_TOSERVER;
568  p->flowflags |= FLOW_PKT_ESTABLISHED;
569 
570  FLOW_INITIALIZE(&f);
571  f.protoctx = (void *)&ssn;
572  f.proto = IPPROTO_TCP;
573  f.flags |= FLOW_IPV4;
574  f.alproto = ALPROTO_DCERPC;
575 
576  StreamTcpInitConfig(true);
577 
578  de_ctx = DetectEngineCtxInit();
579  if (de_ctx == NULL)
580  goto end;
581  de_ctx->flags |= DE_QUIET;
582 
583  de_ctx->sig_list = SigInit(de_ctx, sig1);
584  s = de_ctx->sig_list;
585  if (s == NULL)
586  goto end;
587  s->next = SigInit(de_ctx, sig2);
588  if (s->next == NULL)
589  goto end;
590 
591  SigGroupBuild(de_ctx);
592  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
593 
594  /* request 1 */
595  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
596  STREAM_TOSERVER, request1, request1_len);
597  if (r != 0) {
598  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
599  result = 0;
600  goto end;
601  }
602  /* detection phase */
603  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
604  if (!(PacketAlertCheck(p, 1))) {
605  printf("sid 1 didn't match but should have for packet: ");
606  goto end;
607  }
608  if (!(PacketAlertCheck(p, 2))) {
609  printf("sid 2 didn't match but should have for packet: ");
610  goto end;
611  }
612 
613  result = 1;
614 
615 end:
616  if (alp_tctx != NULL)
617  AppLayerParserThreadCtxFree(alp_tctx);
618  if (de_ctx != NULL) {
619  SigGroupCleanup(de_ctx);
620  SigCleanSignatures(de_ctx);
621 
622  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
623  DetectEngineCtxFree(de_ctx);
624  }
625 
626  StreamTcpFreeConfig(true);
627 
628  UTHFreePackets(&p, 1);
629  return result;
630 }
631 
632 /**
633  * \test Test the working of byte_jump endianness.
634  */
635 static int DcePayloadTest20(void)
636 {
637  int result = 0;
638 
639  uint8_t request1[] = {
640  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
641  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
642  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
643  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
644  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
645  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x03,
646  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
647  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
648  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
649  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
650  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
651  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
652  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
653  };
654  uint32_t request1_len = sizeof(request1);
655 
656  TcpSession ssn;
657  Packet *p = NULL;
658  ThreadVars tv;
659  DetectEngineCtx *de_ctx = NULL;
660  DetectEngineThreadCtx *det_ctx = NULL;
661  Flow f;
662  int r;
663 
664  const char *sig1 = "alert tcp any any -> any any "
665  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
666  "byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)";
667  const char *sig2 = "alert tcp any any -> any any "
668  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
669  "byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)";
670 
671  Signature *s;
672  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
673 
674  memset(&tv, 0, sizeof(ThreadVars));
675  memset(&f, 0, sizeof(Flow));
676  memset(&ssn, 0, sizeof(TcpSession));
677 
678  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
679  p->flow = &f;
680  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
681  p->flowflags |= FLOW_PKT_TOSERVER;
682  p->flowflags |= FLOW_PKT_ESTABLISHED;
683 
684  FLOW_INITIALIZE(&f);
685  f.protoctx = (void *)&ssn;
686  f.proto = IPPROTO_TCP;
687  f.flags |= FLOW_IPV4;
688  f.alproto = ALPROTO_DCERPC;
689 
690  StreamTcpInitConfig(true);
691 
692  de_ctx = DetectEngineCtxInit();
693  if (de_ctx == NULL)
694  goto end;
695  de_ctx->flags |= DE_QUIET;
696 
697  de_ctx->sig_list = SigInit(de_ctx, sig1);
698  s = de_ctx->sig_list;
699  if (s == NULL)
700  goto end;
701  s->next = SigInit(de_ctx, sig2);
702  if (s->next == NULL)
703  goto end;
704 
705  SigGroupBuild(de_ctx);
706  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
707 
708  /* request 1 */
709  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
710  STREAM_TOSERVER, request1, request1_len);
711  if (r != 0) {
712  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
713  result = 0;
714  goto end;
715  }
716  /* detection phase */
717  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
718  if (!(PacketAlertCheck(p, 1))) {
719  printf("sid 1 didn't match but should have for packet: ");
720  goto end;
721  }
722  if (!(PacketAlertCheck(p, 2))) {
723  printf("sid 2 didn't match but should have for packet: ");
724  goto end;
725  }
726 
727  result = 1;
728 
729 end:
730  if (alp_tctx != NULL)
731  AppLayerParserThreadCtxFree(alp_tctx);
732  if (de_ctx != NULL) {
733  SigGroupCleanup(de_ctx);
734  SigCleanSignatures(de_ctx);
735 
736  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
737  DetectEngineCtxFree(de_ctx);
738  }
739 
740  StreamTcpFreeConfig(true);
741 
742  UTHFreePackets(&p, 1);
743  return result;
744 }
745 
746 #endif /* UNITTESTS */
747 
748 void DcePayloadRegisterTests(void)
749 {
750  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
751 
752 #ifdef UNITTESTS
753  UtRegisterTest("DcePayloadTest15", DcePayloadTest15);
754  UtRegisterTest("DcePayloadTest16", DcePayloadTest16);
755  UtRegisterTest("DcePayloadTest17", DcePayloadTest17);
756  UtRegisterTest("DcePayloadTest18", DcePayloadTest18);
757  UtRegisterTest("DcePayloadTest19", DcePayloadTest19);
758  UtRegisterTest("DcePayloadTest20", DcePayloadTest20);
759 #endif /* UNITTESTS */
760 }
detect-content.h
detect-engine.h
detect-dce-iface.h
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1022
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
detect-isdataat.h
Flow_::proto
uint8_t proto
Definition: flow.h:373
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
DcePayloadRegisterTests
void DcePayloadRegisterTests(void)
Definition: detect-engine-dcepayload.c:748
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:306
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:324
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1897
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:54
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
Flow_::protoctx
void * protoctx
Definition: flow.h:441
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1072
Signature_::next
struct Signature_ * next
Definition: detect.h:668
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
decode.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1095
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2218
Packet_
Definition: decode.h:437
detect-engine-build.h
detect-bytejump.h
detect-engine-alert.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:285
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1286
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
detect-byte-extract.h
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:847
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Flow_::flags
uint32_t flags
Definition: flow.h:421
detect-parse.h
Signature_
Signature container.
Definition: detect.h:596
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
suricata.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:841
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:59
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
detect-engine-dcepayload.h
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1019
app-layer.h
detect-bytetest.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:431