suricata
detect-engine-uint.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Philippe Antoine <p.antoine@catenacyber.fr>
22  *
23  */
24 
25 #include "suricata-common.h"
26 
27 #include "util-byte.h"
28 #include "detect-parse.h"
29 #include "detect-engine-uint.h"
30 
31 /**
32  * \brief Regex for parsing our options
33  */
34 #define PARSE_REGEX "^\\s*([0-9]*)?\\s*([<>=-]+)?\\s*([0-9]+)?\\s*$"
35 
36 static DetectParseRegex uint_pcre;
37 
38 
39 int DetectU32Match(const uint32_t parg, const DetectU32Data *du32)
40 {
41  switch (du32->mode) {
42  case DETECT_UINT_EQ:
43  if (parg == du32->arg1) {
44  return 1;
45  }
46  return 0;
47  case DETECT_UINT_LT:
48  if (parg < du32->arg1) {
49  return 1;
50  }
51  return 0;
52  case DETECT_UINT_GT:
53  if (parg > du32->arg1) {
54  return 1;
55  }
56  return 0;
57  case DETECT_UINT_RA:
58  if (parg > du32->arg1 && parg < du32->arg2) {
59  return 1;
60  }
61  return 0;
62  default:
63  BUG_ON("unknown mode");
64  }
65  return 0;
66 }
67 
68 
69 /**
70  * \brief This function is used to parse u32 options passed via some u32 keyword
71  *
72  * \param u32str Pointer to the user provided u32 options
73  *
74  * \retval DetectU32Data pointer to DetectU32Data on success
75  * \retval NULL on failure
76  */
77 
78 DetectU32Data *DetectU32Parse (const char *u32str)
79 {
80  DetectU32Data u32da;
81  DetectU32Data *u32d = NULL;
82  char arg1[16] = "";
83  char arg2[16] = "";
84  char arg3[16] = "";
85 
86 #define MAX_SUBSTRINGS 30
87  int ret = 0, res = 0;
88  int ov[MAX_SUBSTRINGS];
89 
90  ret = DetectParsePcreExec(&uint_pcre, u32str, 0, 0, ov, MAX_SUBSTRINGS);
91  if (ret < 2 || ret > 4) {
92  SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 "", ret);
93  return NULL;
94  }
95 
96  res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 1, arg1, sizeof(arg1));
97  if (res < 0) {
98  SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
99  return NULL;
100  }
101  SCLogDebug("Arg1 \"%s\"", arg1);
102 
103  if (ret >= 3) {
104  res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 2, arg2, sizeof(arg2));
105  if (res < 0) {
106  SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
107  return NULL;
108  }
109  SCLogDebug("Arg2 \"%s\"", arg2);
110 
111  if (ret >= 4) {
112  res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 3, arg3, sizeof(arg3));
113  if (res < 0) {
114  SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
115  return NULL;
116  }
117  SCLogDebug("Arg3 \"%s\"", arg3);
118  }
119  }
120 
121  if (strlen(arg2) > 0) {
122  /*set the values*/
123  switch(arg2[0]) {
124  case '<':
125  case '>':
126  if (strlen(arg3) == 0)
127  return NULL;
128 
129  if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg3), arg3) < 0) {
130  SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
131  return NULL;
132  }
133 
134  SCLogDebug("u32 is %"PRIu32"",u32da.arg1);
135  if (strlen(arg1) > 0)
136  return NULL;
137 
138  if (arg2[0] == '<') {
139  u32da.mode = DETECT_UINT_LT;
140  } else { // arg2[0] == '>'
141  u32da.mode = DETECT_UINT_GT;
142  }
143  break;
144  case '-':
145  if (strlen(arg1)== 0)
146  return NULL;
147  if (strlen(arg3)== 0)
148  return NULL;
149 
150  u32da.mode = DETECT_UINT_RA;
151  if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
152  SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
153  return NULL;
154  }
155  if (ByteExtractStringUint32(&u32da.arg2, 10, strlen(arg3), arg3) < 0) {
156  SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
157  return NULL;
158  }
159 
160  SCLogDebug("u32 is %"PRIu32" to %"PRIu32"", u32da.arg1, u32da.arg2);
161  if (u32da.arg1 >= u32da.arg2) {
162  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid u32 range. ");
163  return NULL;
164  }
165  break;
166  default:
167  u32da.mode = DETECT_UINT_EQ;
168 
169  if (strlen(arg2) > 0 ||
170  strlen(arg3) > 0 ||
171  strlen(arg1) == 0)
172  return NULL;
173 
174  if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
175  SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
176  return NULL;
177  }
178  }
179  } else {
180  u32da.mode = DETECT_UINT_EQ;
181 
182  if (strlen(arg3) > 0 ||
183  strlen(arg1) == 0)
184  return NULL;
185 
186  if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
187  SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
188  return NULL;
189  }
190  }
191  u32d = SCCalloc(1, sizeof (DetectU32Data));
192  if (unlikely(u32d == NULL))
193  return NULL;
194  u32d->arg1 = u32da.arg1;
195  u32d->arg2 = u32da.arg2;
196  u32d->mode = u32da.mode;
197 
198  return u32d;
199 }
200 
201 void
203 {
204  const DetectU32Data *a = smctx;
205  v->u8[0] = a->mode;
206  v->u32[1] = a->arg1;
207  v->u32[2] = a->arg2;
208 }
209 
210 bool
212 {
213  const DetectU32Data *a = smctx;
214  if (v.u8[0] == a->mode &&
215  v.u32[1] == a->arg1 &&
216  v.u32[2] == a->arg2)
217  return true;
218  return false;
219 }
220 
221 static bool g_detect_u32_registered = false;
222 
224 {
225  if (g_detect_u32_registered == false) {
226  // register only once
228  g_detect_u32_registered = true;
229  }
230 }
util-byte.h
detect-engine-uint.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PrefilterPacketU32Set
void PrefilterPacketU32Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:202
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our options.
Definition: detect-engine-uint.c:34
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:22
DetectU32Parse
DetectU32Data * DetectU32Parse(const char *u32str)
This function is used to parse u32 options passed via some u32 keyword.
Definition: detect-engine-uint.c:78
DetectU32Match
int DetectU32Match(const uint32_t parg, const DetectU32Data *du32)
Definition: detect-engine-uint.c:39
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2456
SC_ERR_PCRE_COPY_SUBSTRING
@ SC_ERR_PCRE_COPY_SUBSTRING
Definition: util-error.h:358
PrefilterPacketHeaderValue::u32
uint32_t u32[4]
Definition: detect-engine-prefilter-common.h:24
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
SC_ERR_BYTE_EXTRACT_FAILED
@ SC_ERR_BYTE_EXTRACT_FAILED
Definition: util-error.h:158
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2388
DETECT_UINT_EQ
@ DETECT_UINT_EQ
Definition: detect-engine-uint.h:31
DetectU32Register
void DetectU32Register(void)
Definition: detect-engine-uint.c:223
ByteExtractStringUint32
int ByteExtractStringUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:239
PrefilterPacketU32Compare
bool PrefilterPacketU32Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:211
DETECT_UINT_LT
@ DETECT_UINT_LT
Definition: detect-engine-uint.h:30
DetectU32Data_::arg2
uint32_t arg2
Definition: detect-engine-uint.h:38
suricata-common.h
DetectU32Data_::mode
DetectUintMode mode
Definition: detect-engine-uint.h:40
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectU32Data_
Definition: detect-engine-uint.h:36
DETECT_UINT_GT
@ DETECT_UINT_GT
Definition: detect-engine-uint.h:32
detect-parse.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
DETECT_UINT_RA
@ DETECT_UINT_RA
Definition: detect-engine-uint.h:33
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:21
DetectU32Data_::arg1
uint32_t arg1
Definition: detect-engine-uint.h:37
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53