suricata
detect-entropy.c
Go to the documentation of this file.
1 /* Copyright (C) 2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 
20 #include "detect.h"
21 #include "detect-parse.h"
22 #include "detect-engine.h"
23 #include "detect-engine-buffer.h"
24 
25 #include "detect-entropy.h"
26 #include "util-var-name.h"
27 #include "flow-var.h"
28 
29 #include "rust.h"
30 
31 static int DetectEntropySetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
32 {
33  DetectEntropyData *ded = SCDetectEntropyParse(arg);
34  if (ded == NULL) {
35  goto error;
36  }
37 
38  int sm_list = DETECT_SM_LIST_PMATCH;
39  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
40  if (DetectBufferGetActiveList(de_ctx, s) == -1)
41  goto error;
42 
43  sm_list = s->init_data->list;
44  ded->fv_idx = VarNameStoreRegister(
45  DetectEngineBufferTypeGetNameById(de_ctx, sm_list), VAR_TYPE_FLOW_FLOAT);
46  }
47 
48  if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_ENTROPY, (SigMatchCtx *)ded, sm_list) != NULL) {
49  SCReturnInt(0);
50  }
51 
52  /* fall through */
53 
54 error:
55  SCLogDebug("error during entropy setup");
56  if (ded != NULL) {
57  SCDetectEntropyFree(ded);
58  }
59  SCReturnInt(-1);
60 }
61 
62 static void DetectEntropyFree(DetectEngineCtx *de_ctx, void *ptr)
63 {
64  if (ptr) {
65  DetectEntropyData *ded = (DetectEntropyData *)ptr;
66  VarNameStoreUnregister(ded->fv_idx, VAR_TYPE_FLOW_FLOAT);
67  SCDetectEntropyFree(ptr);
68  }
69 }
70 
71 bool DetectEntropyDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s,
72  const SigMatchCtx *ctx, const uint8_t *buffer, const uint32_t buffer_len)
73 {
74  double entropy = -1.0;
75  bool rc = SCDetectEntropyMatch(buffer, buffer_len, (const DetectEntropyData *)ctx, &entropy);
76 
77  if (entropy != -1.0) {
78  DetectEntropyData *ded = (DetectEntropyData *)ctx;
79  FlowVarAddFloat(det_ctx->p->flow, ded->fv_idx, entropy);
80  }
81 
82  return rc;
83 }
84 
85 void DetectEntropyRegister(void)
86 {
87  sigmatch_table[DETECT_ENTROPY].name = "entropy";
88  sigmatch_table[DETECT_ENTROPY].desc = "calculate entropy";
89  sigmatch_table[DETECT_ENTROPY].url = "/rules/payload-keywords.html#entropy";
90  sigmatch_table[DETECT_ENTROPY].Free = DetectEntropyFree;
91  sigmatch_table[DETECT_ENTROPY].Setup = DetectEntropySetup;
92 }
SigTableElmt_::url
const char * url
Definition: detect.h:1462
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
SigTableElmt_::desc
const char * desc
Definition: detect.h:1461
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
detect-entropy.h
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1446
SigTableElmt_::name
const char * name
Definition: detect.h:1459
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
DetectEntropyDoMatch
bool DetectEntropyDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchCtx *ctx, const uint8_t *buffer, const uint32_t buffer_len)
Definition: detect-entropy.c:71
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DETECT_ENTROPY
@ DETECT_ENTROPY
Definition: detect-engine-register.h:96
DetectEngineThreadCtx_::p
Packet * p
Definition: detect.h:1324
DetectEngineBufferTypeGetNameById
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1309
util-var-name.h
rust.h
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:155
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1441
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
SignatureInitData_::list
int list
Definition: detect.h:628
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:201
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
VAR_TYPE_FLOW_FLOAT
@ VAR_TYPE_FLOW_FLOAT
Definition: util-var.h:38
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:144
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
suricata-common.h
detect-engine-buffer.h
DetectEntropyRegister
void DetectEntropyRegister(void)
Definition: detect-entropy.c:85
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
FlowVarAddFloat
void FlowVarAddFloat(Flow *f, uint32_t idx, double value)
Definition: flow-var.c:142
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:281
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine-buffer.c:109
flow-var.h