suricata
detect-engine-enip.c
Go to the documentation of this file.
1 /* Copyright (C) 2015 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /** \file
19  *
20  * \author Kevin Wong <kwong@solananetworks.com>
21  *
22  * Based on detect-engine-modbus.c
23  */
24 
25 #include "suricata-common.h"
26 
27 #include "app-layer.h"
28 
29 #include "detect.h"
30 #include "detect-cipservice.h"
31 #include "detect-engine-enip.h"
32 
33 #include "flow.h"
34 
35 #include "util-debug.h"
36 
37 #if 0
38 /**
39  * \brief Print fields from ENIP Packet
40  * @param enip_data
41  */
42 void PrintENIPAL(ENIPTransaction *enip_data)
43 {
44  SCLogDebug("============================================");
45  SCLogDebug("ENCAP HEADER cmd 0x%x, length %d, session 0x%x, status 0x%x",
46  enip_data->header.command, enip_data->header.length,
47  enip_data->header.session, enip_data->header.status);
48  //SCLogDebug("context 0x%x option 0x%x", enip_data->header.context, enip_data->header.option);
49  SCLogDebug("ENCAP DATA HEADER handle 0x%x, timeout %d, count %d",
51  enip_data->encap_data_header.timeout,
52  enip_data->encap_data_header.item_count);
53  SCLogDebug("ENCAP ADDR ITEM type 0x%x, length %d",
54  enip_data->encap_addr_item.type, enip_data->encap_addr_item.length);
55  SCLogDebug("ENCAP DATA ITEM type 0x%x, length %d sequence 0x%x",
56  enip_data->encap_data_item.type, enip_data->encap_data_item.length,
57  enip_data->encap_data_item.sequence_count);
58 
59  CIPServiceEntry *svc = NULL;
60 
61  int count = 0;
62  TAILQ_FOREACH(svc, &enip_data->service_list, next)
63  {
64  //SCLogDebug("CIP Service #%d : 0x%x", count, svc->service);
65  count++;
66  }
67 }
68 #endif
69 
70 /**
71  * \brief Matches the rule to the CIP segment in ENIP Packet
72  * @param svc - the CIP service entry
73  * * @param cipserviced - the CIP service rule
74  */
75 static int CIPPathMatch(CIPServiceEntry *svc, DetectCipServiceData *cipserviced)
76 {
77  uint16_t class = 0;
78  uint16_t attrib = 0;
79  int found_class = 0;
80 
81  SegmentEntry *seg = NULL;
82  TAILQ_FOREACH(seg, &svc->segment_list, next)
83  {
84  switch(seg->segment)
85  {
86  case PATH_CLASS_8BIT:
87  class = seg->value;
88  if (cipserviced->cipclass == class)
89  {
90  if (cipserviced->tokens == 2)
91  {// if rule only has class
92  return 1;
93  } else
94  {
95  found_class = 1;
96  }
97  }
98  break;
99  case PATH_INSTANCE_8BIT:
100  break;
101  case PATH_ATTR_8BIT: //single attribute
102  attrib = seg->value;
103  if ((cipserviced->tokens == 3) &&
104  (cipserviced->cipclass == class) &&
105  (cipserviced->cipattribute == attrib) &&
106  (cipserviced->matchattribute == 1))
107  { // if rule has class & attribute, matched all here
108  return 1;
109  }
110  if ((cipserviced->tokens == 3) &&
111  (cipserviced->cipclass == class) &&
112  (cipserviced->matchattribute == 0))
113  { // for negation rule on attribute
114  return 1;
115  }
116  break;
117  case PATH_CLASS_16BIT:
118  class = seg->value;
119  if (cipserviced->cipclass == class)
120  {
121  if (cipserviced->tokens == 2)
122  {// if rule only has class
123  return 1;
124  } else
125  {
126  found_class = 1;
127  }
128  }
129  break;
130  case PATH_INSTANCE_16BIT:
131  break;
132  default:
133  return 0;
134  }
135  }
136 
137  if (found_class == 0)
138  { // if haven't matched class yet, no need to check attribute
139  return 0;
140  }
141 
142  if ((svc->service == CIP_SET_ATTR_LIST) ||
143  (svc->service == CIP_GET_ATTR_LIST))
144  {
145  AttributeEntry *attr = NULL;
146  TAILQ_FOREACH (attr, &svc->attrib_list, next)
147  {
148  if (cipserviced->cipattribute == attr->attribute)
149  {
150  return 1;
151  }
152  }
153  }
154 
155  return 0;
156 }
157 
158 /**
159  * \brief Matches the rule to the ENIP Transaction
160  * @param enip_data - the ENIP transation
161  * * @param cipserviced - the CIP service rule
162  */
163 
164 static int CIPServiceMatch(ENIPTransaction *enip_data,
165  DetectCipServiceData *cipserviced)
166 {
167  int count = 1;
168  CIPServiceEntry *svc = NULL;
169  //SCLogDebug("CIPServiceMatchAL");
170  TAILQ_FOREACH(svc, &enip_data->service_list, next)
171  {
172  SCLogDebug("CIPServiceMatchAL service #%d : 0x%x dir %d",
173  count, svc->service, svc->direction);
174 
175  if (cipserviced->cipservice == svc->service)
176  { // compare service
177  //SCLogDebug("Rule Match for cip service %d",cipserviced->cipservice );
178 
179  if (cipserviced->tokens > 1)
180  { //if rule params have class and attribute
181 
182 
183  if ((svc->service == CIP_SET_ATTR_LIST) || (svc->service
184  == CIP_SET_ATTR_SINGLE) || (svc->service
185  == CIP_GET_ATTR_LIST) || (svc->service
187  { //decode path
188  if (CIPPathMatch(svc, cipserviced) == 1)
189  {
190  if (svc->direction == 1) return 0; //don't match responses
191 
192  return 1;
193  }
194  }
195  } else
196  {
197  if (svc->direction == 1) return 0; //don't match responses
198 
199  // SCLogDebug("CIPServiceMatchAL found");
200  return 1;
201  }
202  }
203  count++;
204  }
205  return 0;
206 }
207 
208 /** \brief Do the content inspection & validation for a signature
209  *
210  * \param de_ctx Detection engine context
211  * \param det_ctx Detection engine thread context
212  * \param s Signature to inspect ( and sm: SigMatch to inspect)
213  * \param f Flow
214  * \param flags App layer flags
215  * \param alstate App layer state
216  * \param txv Pointer to ENIP Transaction structure
217  *
218  * \retval 0 no match or 1 match
219  */
221  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
222  const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags,
223  void *alstate, void *txv, uint64_t tx_id)
224 {
225  SCEnter();
226 
227 
228  ENIPTransaction *tx = (ENIPTransaction *) txv;
229  DetectCipServiceData *cipserviced = (DetectCipServiceData *) smd->ctx;
230 
231  if (cipserviced == NULL)
232  {
233  SCLogDebug("no cipservice state, no match");
234  SCReturnInt(0);
235  }
236  //SCLogDebug("DetectEngineInspectCIP %d", cipserviced->cipservice);
237 
238  if (CIPServiceMatch(tx, cipserviced) == 1)
239  {
240  //SCLogDebug("DetectCIPServiceMatchAL found");
241  SCReturnInt(1);
242  }
243 
244  SCReturnInt(0);
245 }
246 
247 /** \brief Do the content inspection & validation for a signature
248  *
249  * \param de_ctx Detection engine context
250  * \param det_ctx Detection engine thread context
251  * \param s Signature to inspect ( and sm: SigMatch to inspect)
252  * \param f Flow
253  * \param flags App layer flags
254  * \param alstate App layer state
255  * \param txv Pointer to ENIP Transaction structure
256  *
257  * \retval 0 no match or 1 match
258  */
259 
261  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
262  const Signature *s, const SigMatchData *smd,
263  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
264 {
265  SCEnter();
266 
267  ENIPTransaction *tx = (ENIPTransaction *) txv;
268  DetectEnipCommandData *enipcmdd = (DetectEnipCommandData *) smd->ctx;
269 
270  if (enipcmdd == NULL)
271  {
272  SCLogDebug("no enipcommand state, no match");
273  SCReturnInt(0);
274  }
275 
276  //SCLogDebug("DetectEngineInspectENIP %d, %d", enipcmdd->enipcommand, tx->header.command);
277 
278  if (enipcmdd->enipcommand == tx->header.command)
279  {
280  // SCLogDebug("DetectENIPCommandMatchAL found!");
281  SCReturnInt(1);
282  }
283 
284  SCReturnInt(0);
285 }
286 
287 #ifdef UNITTESTS /* UNITTESTS */
288 #include "app-layer-parser.h"
289 #include "detect-parse.h"
290 #include "detect-engine.h"
291 #include "flow-util.h"
292 #include "stream-tcp.h"
293 #include "util-unittest.h"
294 #include "util-unittest-helper.h"
295 
296 static uint8_t listIdentity[] = {/* List ID */ 0x00, 0x63,
297  /* Length */ 0x00, 0x00,
298  /* Session */ 0x00, 0x00, 0x00, 0x00,
299  /* Status */ 0x00, 0x00, 0x00, 0x00,
300  /* Delay*/ 0x00,
301  /* Context */ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
302  /* Quantity of coils */ 0x00, 0x00, 0x00, 0x00,};
303 
304 /** \test Test code function. */
305 static int DetectEngineInspectENIPTest01(void)
306 {
308  DetectEngineThreadCtx *det_ctx = NULL;
309  DetectEngineCtx *de_ctx = NULL;
310  Flow f;
311  Packet *p = NULL;
312  Signature *s = NULL;
313  TcpSession ssn;
314  ThreadVars tv;
315 
316  memset(&tv, 0, sizeof(ThreadVars));
317  memset(&f, 0, sizeof(Flow));
318  memset(&ssn, 0, sizeof(TcpSession));
319 
320  p = UTHBuildPacket(listIdentity, sizeof(listIdentity), IPPROTO_TCP);
321  FAIL_IF_NULL(p);
322 
323  FLOW_INITIALIZE(&f);
324  f.alproto = ALPROTO_ENIP;
325  f.protoctx = (void *)&ssn;
326  f.proto = IPPROTO_TCP;
327  f.flags |= FLOW_IPV4;
328 
329  p->flow = &f;
332 
334 
335  de_ctx = DetectEngineCtxInit();
336  FAIL_IF_NULL(de_ctx);
337 
338  de_ctx->flags |= DE_QUIET;
339  s = de_ctx->sig_list = SigInit(de_ctx, "alert enip any any -> any any "
340  "(msg:\"Testing enip command\"; "
341  "enipcommand:99 ; sid:1;)");
342  FAIL_IF_NULL(s);
343 
344  SigGroupBuild(de_ctx);
345  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
346 
347  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_ENIP, STREAM_TOSERVER,
348  listIdentity, sizeof(listIdentity));
349  FAIL_IF(r != 0);
350 
351  ENIPState *enip_state = f.alstate;
352  FAIL_IF_NULL(enip_state);
353 
354  /* do detect */
355  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
356 
357  FAIL_IF(!(PacketAlertCheck(p, 1)));
358 
359  AppLayerParserThreadCtxFree(alp_tctx);
360  DetectEngineThreadCtxDeinit(&tv, det_ctx);
361  DetectEngineCtxFree(de_ctx);
362 
364  FLOW_DESTROY(&f);
365  UTHFreePacket(p);
366 
367  PASS;
368 }
369 
370 #endif /* UNITTESTS */
371 
373 {
374 #ifdef UNITTESTS
375  UtRegisterTest("DetectEngineInspectENIPTest01", DetectEngineInspectENIPTest01);
376 #endif /* UNITTESTS */
377  return;
378 }
ENIPEncapDataItem encap_data_item
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
struct Flow_ * flow
Definition: decode.h:443
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
struct HtpBodyChunk_ * next
#define PATH_CLASS_8BIT
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:344
#define PATH_INSTANCE_16BIT
#define PASS
Pass the test.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define CIP_GET_ATTR_LIST
Signature * sig_list
Definition: detect.h:730
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
Data needed for Match()
Definition: detect.h:331
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Signature container.
Definition: detect.h:496
#define TRUE
int DetectEngineInspectENIP(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void * protoctx
Definition: flow.h:400
main detection engine ctx
Definition: detect.h:724
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void DetectEngineInspectENIPRegisterTests(void)
#define CIP_SET_ATTR_SINGLE
void * alstate
Definition: flow.h:438
#define DE_QUIET
Definition: detect.h:296
#define PATH_ATTR_8BIT
ENIPEncapAddresItem encap_addr_item
uint8_t flags
Definition: detect.h:725
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
Per flow ENIP state container.
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1742
ENIPEncapDataHdr encap_data_header
#define SCEnter(...)
Definition: util-debug.h:337
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
uint8_t flowflags
Definition: decode.h:437
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define CIP_GET_ATTR_SINGLE
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
#define SCReturnInt(x)
Definition: util-debug.h:341
#define CIP_SET_ATTR_LIST
uint16_t tx_id
#define PATH_CLASS_16BIT
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
#define PKT_HAS_FLOW
Definition: decode.h:1092
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
int DetectEngineInspectCIP(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Per thread variable structure.
Definition: threadvars.h:57
AppProto alproto
application level protocol
Definition: flow.h:409
#define PATH_INSTANCE_8BIT
uint32_t flags
Definition: decode.h:441
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Flow data structure.
Definition: flow.h:325
#define FLOW_IPV4
Definition: flow.h:94
uint32_t flags
Definition: flow.h:379
#define PKT_STREAM_EST
Definition: decode.h:1090
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
SigMatchCtx * ctx
Definition: detect.h:334
DetectEngineCtx * DetectEngineCtxInit(void)