suricata
detect-engine-event.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  *
23  * Implements the decode-event keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "flow-var.h"
33 #include "decode-events.h"
34 
35 #include "util-debug.h"
36 
37 #include "stream-tcp.h"
38 
39 
40 /* Need to get the DEvents[] array */
41 
42 #include "detect-engine-event.h"
43 #include "util-unittest.h"
44 
45 #define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z0-9_+.]+$"
46 
47 static DetectParseRegex parse_regex;
48 
49 static int DetectEngineEventMatch (DetectEngineThreadCtx *,
50  Packet *, const Signature *, const SigMatchCtx *);
51 static int DetectEngineEventSetup (DetectEngineCtx *, Signature *, const char *);
52 static int DetectDecodeEventSetup (DetectEngineCtx *, Signature *, const char *);
53 static int DetectStreamEventSetup (DetectEngineCtx *, Signature *, const char *);
54 static void DetectEngineEventFree (DetectEngineCtx *, void *);
55 #ifdef UNITTESTS
56 void EngineEventRegisterTests(void);
57 #endif
58 
59 /**
60  * \brief Registration function for decode-event: keyword
61  */
63 {
64  sigmatch_table[DETECT_ENGINE_EVENT].name = "engine-event";
65  sigmatch_table[DETECT_ENGINE_EVENT].Match = DetectEngineEventMatch;
66  sigmatch_table[DETECT_ENGINE_EVENT].Setup = DetectEngineEventSetup;
67  sigmatch_table[DETECT_ENGINE_EVENT].Free = DetectEngineEventFree;
68 #ifdef UNITTESTS
70 #endif
71 
72  sigmatch_table[DETECT_DECODE_EVENT].name = "decode-event";
73  sigmatch_table[DETECT_DECODE_EVENT].Match = DetectEngineEventMatch;
74  sigmatch_table[DETECT_DECODE_EVENT].Setup = DetectDecodeEventSetup;
75  sigmatch_table[DETECT_DECODE_EVENT].Free = DetectEngineEventFree;
77 
78  sigmatch_table[DETECT_STREAM_EVENT].name = "stream-event";
79  sigmatch_table[DETECT_STREAM_EVENT].Match = DetectEngineEventMatch;
80  sigmatch_table[DETECT_STREAM_EVENT].Setup = DetectStreamEventSetup;
81  sigmatch_table[DETECT_STREAM_EVENT].Free = DetectEngineEventFree;
82 
83  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
84 }
85 
86 /**
87  * \brief This function is used to match decoder event flags set on a packet with those passed via decode-event:
88  *
89  * \param t pointer to thread vars
90  * \param det_ctx pointer to the pattern matcher thread
91  * \param p pointer to the current packet
92  * \param s pointer to the Signature
93  * \param m pointer to the sigmatch
94  *
95  * \retval 0 no match
96  * \retval 1 match
97  */
98 static int DetectEngineEventMatch (DetectEngineThreadCtx *det_ctx,
99  Packet *p, const Signature *s, const SigMatchCtx *ctx)
100 {
101  SCEnter();
102 
103  const DetectEngineEventData *de = (const DetectEngineEventData *)ctx;
104 
105  if (ENGINE_ISSET_EVENT(p, de->event)) {
106  SCLogDebug("de->event matched %u", de->event);
107  SCReturnInt(1);
108  }
109 
110  SCReturnInt(0);
111 }
112 
113 /**
114  * \brief This function is used to parse decoder events options passed via decode-event: keyword
115  *
116  * \param rawstr Pointer to the user provided decode-event options
117  *
118  * \retval de pointer to DetectFlowData on success
119  * \retval NULL on failure
120  */
121 static DetectEngineEventData *DetectEngineEventParse (const char *rawstr)
122 {
123  int i;
124  DetectEngineEventData *de = NULL;
125  int ret = 0, res = 0, found = 0;
126  int ov[MAX_SUBSTRINGS];
127 
128  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
129  if (ret < 1) {
130  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32
131  ", string %s", ret, rawstr);
132  goto error;
133  }
134 
135  char copy_str[128] = "";
136  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 0,
137  copy_str, sizeof(copy_str));
138 
139  if (res < 0) {
140  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
141  goto error;
142  }
143 
144  for (i = 0; DEvents[i].event_name != NULL; i++) {
145  if (strcasecmp(DEvents[i].event_name,copy_str) == 0) {
146  found = 1;
147  break;
148  }
149  }
150 
151  if (found == 0) {
152  SCLogError(SC_ERR_UNKNOWN_DECODE_EVENT, "unknown decode event \"%s\"",
153  copy_str);
154  goto error;
155  }
156 
157  de = SCMalloc(sizeof(DetectEngineEventData));
158  if (unlikely(de == NULL))
159  goto error;
160 
161  de->event = DEvents[i].code;
162 
165  }
166  return de;
167 
168 error:
169  if (de)
170  SCFree(de);
171  return NULL;
172 }
173 
174 /**
175  * \brief this function is used to add the parsed decode-event into the current signature
176  *
177  * \param de_ctx pointer to the Detection Engine Context
178  * \param s pointer to the Current Signature
179  * \param rawstr pointer to the user provided decode-event options
180  *
181  * \retval 0 on Success
182  * \retval -1 on Failure
183  */
184 static int DetectEngineEventSetupDo (DetectEngineCtx *de_ctx, Signature *s,
185  const char *rawstr, int smtype)
186 {
187  DetectEngineEventData *de = DetectEngineEventParse(rawstr);
188  if (de == NULL)
189  return -1;
190 
191  SCLogDebug("rawstr %s %u", rawstr, de->event);
192 
193  SigMatch *sm = SigMatchAlloc();
194  if (sm == NULL) {
195  SCFree(de);
196  return -1;
197  }
198 
199  sm->type = smtype;
200  sm->ctx = (SigMatchCtx *)de;
201 
203  return 0;
204 }
205 
206 
207 static int DetectEngineEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
208 {
209  return DetectEngineEventSetupDo (de_ctx, s, rawstr, DETECT_ENGINE_EVENT);
210 }
211 
212 /**
213  * \brief this function will free memory associated with DetectEngineEventData
214  *
215  * \param de pointer to DetectEngineEventData
216  */
217 static void DetectEngineEventFree(DetectEngineCtx *de_ctx, void *ptr)
218 {
220  if (de)
221  SCFree(de);
222 }
223 
224 
225 /**
226  * \brief this function Setup the 'decode-event' keyword by setting the correct
227  * signature type
228 */
229 static int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
230 {
231  char drawstr[64] = "decoder.";
232 
233  /* decoder:$EVENT alias command develop as decode-event:decoder.$EVENT */
234  strlcat(drawstr, rawstr, sizeof(drawstr));
235 
236  return DetectEngineEventSetupDo(de_ctx, s, drawstr, DETECT_DECODE_EVENT);
237 }
238 
239 /**
240  * \brief this function Setup the 'stream-event' keyword by resolving the alias
241 */
242 static int DetectStreamEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
243 {
244  char srawstr[64] = "stream.";
245 
246  if (strcmp(rawstr, "est_synack_resend_with_different_ack") == 0) {
247  rawstr = "est_synack_resend_with_diff_ack";
248  } else if (strcmp(rawstr, "3whs_synack_resend_with_different_ack") == 0) {
249  rawstr = "3whs_synack_resend_with_diff_ack";
250  }
251 
252  /* stream:$EVENT alias command develop as decode-event:stream.$EVENT */
253  strlcat(srawstr, rawstr, sizeof(srawstr));
254 
255  return DetectEngineEventSetup(de_ctx, s, srawstr);
256 }
257 
258 /*
259  * ONLY TESTS BELOW THIS COMMENT
260  */
261 #ifdef UNITTESTS
262 
263 /**
264  * \test EngineEventTestParse01 is a test for a valid decode-event value
265  */
266 static int EngineEventTestParse01 (void)
267 {
268  DetectEngineEventData *de = NULL;
269  de = DetectEngineEventParse("decoder.ipv4.pkt_too_small");
270  if (de) {
271  DetectEngineEventFree(NULL, de);
272  return 1;
273  }
274 
275  return 0;
276 }
277 
278 
279 /**
280  * \test EngineEventTestParse02 is a test for a valid upper + lower case decode-event value
281  */
282 static int EngineEventTestParse02 (void)
283 {
284  DetectEngineEventData *de = NULL;
285  de = DetectEngineEventParse("decoder.PPP.pkt_too_small");
286  if (de) {
287  DetectEngineEventFree(NULL, de);
288  return 1;
289  }
290 
291  return 0;
292 }
293 
294 /**
295  * \test EngineEventTestParse03 is a test for a valid upper case decode-event value
296  */
297 static int EngineEventTestParse03 (void)
298 {
299  DetectEngineEventData *de = NULL;
300  de = DetectEngineEventParse("decoder.IPV6.PKT_TOO_SMALL");
301  if (de) {
302  DetectEngineEventFree(NULL, de);
303  return 1;
304  }
305 
306  return 0;
307 }
308 
309 /**
310  * \test EngineEventTestParse04 is a test for an invalid upper case decode-event value
311  */
312 static int EngineEventTestParse04 (void)
313 {
314  DetectEngineEventData *de = NULL;
315  de = DetectEngineEventParse("decoder.IPV6.INVALID_EVENT");
316  if (de) {
317  DetectEngineEventFree(NULL, de);
318  return 0;
319  }
320 
321  return 1;
322 }
323 
324 /**
325  * \test EngineEventTestParse05 is a test for an invalid char into the decode-event value
326  */
327 static int EngineEventTestParse05 (void)
328 {
329  DetectEngineEventData *de = NULL;
330  de = DetectEngineEventParse("decoder.IPV-6,INVALID_CHAR");
331  if (de) {
332  DetectEngineEventFree(NULL, de);
333  return 0;
334  }
335 
336  return 1;
337 }
338 
339 /**
340  * \test EngineEventTestParse06 is a test for match function with valid decode-event value
341  */
342 static int EngineEventTestParse06 (void)
343 {
345  if (unlikely(p == NULL))
346  return 0;
347  ThreadVars tv;
348  int ret = 0;
349  DetectEngineEventData *de = NULL;
350  SigMatch *sm = NULL;
351 
352 
353  memset(&tv, 0, sizeof(ThreadVars));
354  memset(p, 0, SIZE_OF_PACKET);
355 
357 
358  de = DetectEngineEventParse("decoder.ppp.pkt_too_small");
359  if (de == NULL)
360  goto error;
361 
362  de->event = PPP_PKT_TOO_SMALL;
363 
364  sm = SigMatchAlloc();
365  if (sm == NULL)
366  goto error;
367 
369  sm->ctx = (SigMatchCtx *)de;
370 
371  ret = DetectEngineEventMatch(NULL,p,NULL,sm->ctx);
372 
373  if(ret) {
374  SCFree(p);
375  return 1;
376  }
377 
378 error:
379  if (de) SCFree(de);
380  if (sm) SCFree(sm);
381  SCFree(p);
382  return 0;
383 }
384 
385 /**
386  * \brief this function registers unit tests for EngineEvent
387  */
389 {
390  UtRegisterTest("EngineEventTestParse01", EngineEventTestParse01);
391  UtRegisterTest("EngineEventTestParse02", EngineEventTestParse02);
392  UtRegisterTest("EngineEventTestParse03", EngineEventTestParse03);
393  UtRegisterTest("EngineEventTestParse04", EngineEventTestParse04);
394  UtRegisterTest("EngineEventTestParse05", EngineEventTestParse05);
395  UtRegisterTest("EngineEventTestParse06", EngineEventTestParse06);
396 }
397 #endif /* UNITTESTS */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:1003
EngineEventRegisterTests
void EngineEventRegisterTests(void)
this function registers unit tests for EngineEvent
Definition: detect-engine-event.c:388
STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA
@ STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA
Definition: decode-events.h:268
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
SigTableElmt_::name
const char * name
Definition: detect.h:1211
stream-tcp.h
detect-engine-event.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ENGINE_ISSET_EVENT
#define ENGINE_ISSET_EVENT(p, e)
Definition: decode.h:1018
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DETECT_DECODE_EVENT
@ DETECT_DECODE_EVENT
Definition: detect-engine-register.h:101
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
StreamTcpReassembleConfigEnableOverlapCheck
void StreamTcpReassembleConfigEnableOverlapCheck(void)
Definition: stream-tcp-list.c:38
SIGMATCH_DEONLY_COMPAT
#define SIGMATCH_DEONLY_COMPAT
Definition: detect.h:1384
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
util-unittest.h
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-engine-event.c:45
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
SC_ERR_UNKNOWN_DECODE_EVENT
@ SC_ERR_UNKNOWN_DECODE_EVENT
Definition: util-error.h:218
DetectEngineThreadCtx_
Definition: detect.h:1010
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
DEvents
const struct DecodeEvents_ DEvents[]
Definition: decode-events.c:29
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
de
int de
Definition: app-layer-htp.c:575
DETECT_ENGINE_EVENT
@ DETECT_ENGINE_EVENT
Definition: detect-engine-register.h:192
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:627
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
Packet_
Definition: decode.h:414
DecodeEvents_::code
uint8_t code
Definition: decode-events.h:281
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DecodeEvents_::event_name
const char * event_name
Definition: decode-events.h:280
decode-events.h
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
DetectEngineEventRegister
void DetectEngineEventRegister(void)
Registration function for decode-event: keyword.
Definition: detect-engine-event.c:62
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_STREAM_EVENT
@ DETECT_STREAM_EVENT
Definition: detect-engine-register.h:193
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
DetectEngineEventData_
Definition: detect-engine-event.h:29
suricata.h
PPP_PKT_TOO_SMALL
@ PPP_PKT_TOO_SMALL
Definition: decode-events.h:114
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203