suricata
detect-engine-event.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  *
23  * Implements the decode-event keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "flow-var.h"
33 #include "decode-events.h"
34 
35 #include "util-debug.h"
36 
37 #include "stream-tcp.h"
38 
39 
40 /* Need to get the DEvents[] array */
41 
42 #include "detect-engine-event.h"
43 #include "util-unittest.h"
44 
45 #define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z0-9_+.]+$"
46 
47 static DetectParseRegex parse_regex;
48 
49 static int DetectEngineEventMatch (DetectEngineThreadCtx *,
50  Packet *, const Signature *, const SigMatchCtx *);
51 static int DetectEngineEventSetup (DetectEngineCtx *, Signature *, const char *);
52 static int DetectDecodeEventSetup (DetectEngineCtx *, Signature *, const char *);
53 static int DetectStreamEventSetup (DetectEngineCtx *, Signature *, const char *);
54 static void DetectEngineEventFree (DetectEngineCtx *, void *);
55 #ifdef UNITTESTS
56 void EngineEventRegisterTests(void);
57 #endif
58 
59 /**
60  * \brief Registration function for decode-event: keyword
61  */
63 {
64  sigmatch_table[DETECT_ENGINE_EVENT].name = "engine-event";
65  sigmatch_table[DETECT_ENGINE_EVENT].Match = DetectEngineEventMatch;
66  sigmatch_table[DETECT_ENGINE_EVENT].Setup = DetectEngineEventSetup;
67  sigmatch_table[DETECT_ENGINE_EVENT].Free = DetectEngineEventFree;
68 #ifdef UNITTESTS
70 #endif
71 
72  sigmatch_table[DETECT_DECODE_EVENT].name = "decode-event";
73  sigmatch_table[DETECT_DECODE_EVENT].Match = DetectEngineEventMatch;
74  sigmatch_table[DETECT_DECODE_EVENT].Setup = DetectDecodeEventSetup;
75  sigmatch_table[DETECT_DECODE_EVENT].Free = DetectEngineEventFree;
77 
78  sigmatch_table[DETECT_STREAM_EVENT].name = "stream-event";
79  sigmatch_table[DETECT_STREAM_EVENT].Match = DetectEngineEventMatch;
80  sigmatch_table[DETECT_STREAM_EVENT].Setup = DetectStreamEventSetup;
81  sigmatch_table[DETECT_STREAM_EVENT].Free = DetectEngineEventFree;
82 
83  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
84 }
85 
86 /**
87  * \brief This function is used to match decoder event flags set on a packet with those passed via decode-event:
88  *
89  * \param t pointer to thread vars
90  * \param det_ctx pointer to the pattern matcher thread
91  * \param p pointer to the current packet
92  * \param s pointer to the Signature
93  * \param m pointer to the sigmatch
94  *
95  * \retval 0 no match
96  * \retval 1 match
97  */
98 static int DetectEngineEventMatch (DetectEngineThreadCtx *det_ctx,
99  Packet *p, const Signature *s, const SigMatchCtx *ctx)
100 {
101  SCEnter();
102 
103  const DetectEngineEventData *de = (const DetectEngineEventData *)ctx;
104 
105  if (ENGINE_ISSET_EVENT(p, de->event)) {
106  SCLogDebug("de->event matched %u", de->event);
107  SCReturnInt(1);
108  }
109 
110  SCReturnInt(0);
111 }
112 
113 static bool OutdatedEvent(const char *raw)
114 {
115  if (strcmp(raw, "decoder.udp.hlen_invalid") == 0) {
116  return true;
117  }
118  return false;
119 }
120 
121 /**
122  * \brief This function is used to parse decoder events options passed via decode-event: keyword
123  *
124  * \param rawstr Pointer to the user provided decode-event options
125  *
126  * \retval de pointer to DetectFlowData on success
127  * \retval NULL on failure
128  */
129 static DetectEngineEventData *DetectEngineEventParse (const char *rawstr)
130 {
131  int i;
132  DetectEngineEventData *de = NULL;
133  int ret = 0, res = 0, found = 0;
134  size_t pcre2len;
135 
136  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
137  if (ret < 1) {
138  SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
139  goto error;
140  }
141 
142  char copy_str[128] = "";
143  pcre2len = sizeof(copy_str);
144  res = pcre2_substring_copy_bynumber(parse_regex.match, 0, (PCRE2_UCHAR8 *)copy_str, &pcre2len);
145 
146  if (res < 0) {
147  SCLogError("pcre2_substring_copy_bynumber failed");
148  goto error;
149  }
150 
151  for (i = 0; DEvents[i].event_name != NULL; i++) {
152  if (strcasecmp(DEvents[i].event_name,copy_str) == 0) {
153  found = 1;
154  break;
155  }
156  }
157 
158  if (found == 0) {
159  SCLogError("unknown decode event \"%s\"", copy_str);
160  goto error;
161  }
162 
163  de = SCMalloc(sizeof(DetectEngineEventData));
164  if (unlikely(de == NULL))
165  goto error;
166 
167  de->event = DEvents[i].code;
168 
171  }
172 
173  if (OutdatedEvent(rawstr)) {
175  SCLogError("decode-event keyword no longer supports event \"%s\"", rawstr);
176  goto error;
177  } else {
178  SCLogWarning("decode-event keyword no longer supports event \"%s\"", rawstr);
179  }
180  }
181 
182  return de;
183 
184 error:
185  if (de)
186  SCFree(de);
187  return NULL;
188 }
189 
190 /**
191  * \brief this function is used to add the parsed decode-event into the current signature
192  *
193  * \param de_ctx pointer to the Detection Engine Context
194  * \param s pointer to the Current Signature
195  * \param rawstr pointer to the user provided decode-event options
196  *
197  * \retval 0 on Success
198  * \retval -1 on Failure
199  */
200 static int DetectEngineEventSetupDo(
201  DetectEngineCtx *de_ctx, Signature *s, const char *rawstr, uint16_t smtype)
202 {
203  DetectEngineEventData *de = DetectEngineEventParse(rawstr);
204  if (de == NULL)
205  return -1;
206 
207  SCLogDebug("rawstr %s %u", rawstr, de->event);
208 
209  SigMatch *sm = SigMatchAlloc();
210  if (sm == NULL) {
211  SCFree(de);
212  return -1;
213  }
214 
215  sm->type = smtype;
216  sm->ctx = (SigMatchCtx *)de;
217 
219  return 0;
220 }
221 
222 
223 static int DetectEngineEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
224 {
225  return DetectEngineEventSetupDo (de_ctx, s, rawstr, DETECT_ENGINE_EVENT);
226 }
227 
228 /**
229  * \brief this function will free memory associated with DetectEngineEventData
230  *
231  * \param de pointer to DetectEngineEventData
232  */
233 static void DetectEngineEventFree(DetectEngineCtx *de_ctx, void *ptr)
234 {
236  if (de)
237  SCFree(de);
238 }
239 
240 
241 /**
242  * \brief this function Setup the 'decode-event' keyword by setting the correct
243  * signature type
244 */
245 static int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
246 {
247  char drawstr[64] = "decoder.";
248 
249  /* decoder:$EVENT alias command develop as decode-event:decoder.$EVENT */
250  strlcat(drawstr, rawstr, sizeof(drawstr));
251 
252  return DetectEngineEventSetupDo(de_ctx, s, drawstr, DETECT_DECODE_EVENT);
253 }
254 
255 /**
256  * \brief this function Setup the 'stream-event' keyword by resolving the alias
257 */
258 static int DetectStreamEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
259 {
260  char srawstr[64] = "stream.";
261 
262  if (strcmp(rawstr, "est_synack_resend_with_different_ack") == 0) {
263  rawstr = "est_synack_resend_with_diff_ack";
264  } else if (strcmp(rawstr, "3whs_synack_resend_with_different_ack") == 0) {
265  rawstr = "3whs_synack_resend_with_diff_ack";
266  }
267 
268  /* stream:$EVENT alias command develop as decode-event:stream.$EVENT */
269  strlcat(srawstr, rawstr, sizeof(srawstr));
270 
271  return DetectEngineEventSetup(de_ctx, s, srawstr);
272 }
273 
274 /*
275  * ONLY TESTS BELOW THIS COMMENT
276  */
277 #ifdef UNITTESTS
278 
279 /**
280  * \test EngineEventTestParse01 is a test for a valid decode-event value
281  */
282 static int EngineEventTestParse01 (void)
283 {
284  DetectEngineEventData *de = DetectEngineEventParse("decoder.ipv4.pkt_too_small");
285 
286  FAIL_IF_NULL(de);
287 
288  DetectEngineEventFree(NULL, de);
289 
290  PASS;
291 }
292 
293 
294 /**
295  * \test EngineEventTestParse02 is a test for a valid upper + lower case decode-event value
296  */
297 static int EngineEventTestParse02 (void)
298 {
299  DetectEngineEventData *de = DetectEngineEventParse("decoder.PPP.pkt_too_small");
300 
301  FAIL_IF_NULL(de);
302 
303  DetectEngineEventFree(NULL, de);
304 
305  PASS;
306 }
307 
308 /**
309  * \test EngineEventTestParse03 is a test for a valid upper case decode-event value
310  */
311 static int EngineEventTestParse03 (void)
312 {
313  DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV6.PKT_TOO_SMALL");
314 
315  FAIL_IF_NULL(de);
316 
317  DetectEngineEventFree(NULL, de);
318 
319  PASS;
320 }
321 
322 /**
323  * \test EngineEventTestParse04 is a test for an invalid upper case decode-event value
324  */
325 static int EngineEventTestParse04 (void)
326 {
327  DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV6.INVALID_EVENT");
328 
330 
331  DetectEngineEventFree(NULL, de);
332 
333  PASS;
334 }
335 
336 /**
337  * \test EngineEventTestParse05 is a test for an invalid char into the decode-event value
338  */
339 static int EngineEventTestParse05 (void)
340 {
341  DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV-6,INVALID_CHAR");
342 
344 
345  DetectEngineEventFree(NULL, de);
346 
347  PASS;
348 }
349 
350 /**
351  * \test EngineEventTestParse06 is a test for match function with valid decode-event value
352  */
353 static int EngineEventTestParse06 (void)
354 {
355  Packet *p = PacketGetFromAlloc();
356  FAIL_IF_NULL(p);
357 
358  ThreadVars tv;
359 
360  memset(&tv, 0, sizeof(ThreadVars));
361 
363 
364  DetectEngineEventData *de = DetectEngineEventParse("decoder.ppp.pkt_too_small");
365  FAIL_IF_NULL(de);
366 
367  de->event = PPP_PKT_TOO_SMALL;
368 
369  SigMatch *sm = SigMatchAlloc();
370  FAIL_IF_NULL(sm);
371 
373  sm->ctx = (SigMatchCtx *)de;
374 
375  FAIL_IF_NOT(DetectEngineEventMatch(NULL, p, NULL, sm->ctx));
376 
377  SCFree(p);
378  SCFree(de);
379  SCFree(sm);
380 
381  PASS;
382 }
383 
384 /**
385  * \brief this function registers unit tests for EngineEvent
386  */
388 {
389  UtRegisterTest("EngineEventTestParse01", EngineEventTestParse01);
390  UtRegisterTest("EngineEventTestParse02", EngineEventTestParse02);
391  UtRegisterTest("EngineEventTestParse03", EngineEventTestParse03);
392  UtRegisterTest("EngineEventTestParse04", EngineEventTestParse04);
393  UtRegisterTest("EngineEventTestParse05", EngineEventTestParse05);
394  UtRegisterTest("EngineEventTestParse06", EngineEventTestParse06);
395 }
396 #endif /* UNITTESTS */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:887
EngineEventRegisterTests
void EngineEventRegisterTests(void)
this function registers unit tests for EngineEvent
Definition: detect-engine-event.c:387
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2488
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1228
DetectParseRegex
Definition: detect-parse.h:44
SigTableElmt_::name
const char * name
Definition: detect.h:1238
stream-tcp.h
detect-engine-event.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ENGINE_ISSET_EVENT
#define ENGINE_ISSET_EVENT(p, e)
Definition: decode.h:902
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DETECT_DECODE_EVENT
@ DETECT_DECODE_EVENT
Definition: detect-engine-register.h:104
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1232
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
StreamTcpReassembleConfigEnableOverlapCheck
void StreamTcpReassembleConfigEnableOverlapCheck(void)
Definition: stream-tcp-list.c:40
SIGMATCH_DEONLY_COMPAT
#define SIGMATCH_DEONLY_COMPAT
Definition: detect.h:1427
PPP_PKT_TOO_SMALL
@ PPP_PKT_TOO_SMALL
Definition: decode-events.h:115
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA
@ STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA
Definition: decode-events.h:290
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-engine-event.c:45
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
DEvents
const struct DecodeEvents_ DEvents[]
Definition: decode-events.c:29
de
uint8_t de
Definition: app-layer-htp.c:576
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2609
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DETECT_ENGINE_EVENT
@ DETECT_ENGINE_EVENT
Definition: detect-engine-register.h:202
SigMatchStrictEnabled
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
Definition: detect-parse.c:302
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:78
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
Packet_
Definition: decode.h:428
DecodeEvents_::code
uint8_t code
Definition: decode-events.h:304
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1206
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:239
DecodeEvents_::event_name
const char * event_name
Definition: decode-events.h:303
decode-events.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:314
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
DetectEngineEventRegister
void DetectEngineEventRegister(void)
Registration function for decode-event: keyword.
Definition: detect-engine-event.c:62
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_STREAM_EVENT
@ DETECT_STREAM_EVENT
Definition: detect-engine-register.h:203
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
DetectEngineEventData_
Definition: detect-engine-event.h:28
suricata.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:354
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230