suricata
detect-entropy.c
Go to the documentation of this file.
1 /* Copyright (C) 2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 
20 #include "detect.h"
21 #include "detect-parse.h"
22 #include "detect-engine.h"
23 #include "detect-engine-buffer.h"
24 
25 #include "detect-entropy.h"
26 #include "util-var-name.h"
27 #include "flow-var.h"
28 
29 #include "rust.h"
30 
31 static int DetectEntropySetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
32 {
33  DetectEntropyData *ded = SCDetectEntropyParse(arg);
34  if (ded == NULL) {
35  goto error;
36  }
37 
38  int sm_list = DETECT_SM_LIST_PMATCH;
39  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
40  /* sticky buffer */
41  if (DetectBufferGetActiveList(de_ctx, s) == -1)
42  goto error;
43 
44  sm_list = s->init_data->list;
45  ded->fv_idx = VarNameStoreRegister(
46  DetectEngineBufferTypeGetNameById(de_ctx, sm_list), VAR_TYPE_FLOW_FLOAT);
47  } else {
48  ded->fv_idx = VarNameStoreRegister("content", VAR_TYPE_FLOW_FLOAT);
49  }
50 
51  if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_ENTROPY, (SigMatchCtx *)ded, sm_list) != NULL) {
52  SCReturnInt(0);
53  }
54 
55  /* fall through */
56 
57 error:
58  SCLogDebug("error during entropy setup");
59  if (ded != NULL) {
60  SCDetectEntropyFree(ded);
61  }
62  SCReturnInt(-1);
63 }
64 
65 static void DetectEntropyFree(DetectEngineCtx *de_ctx, void *ptr)
66 {
67  if (ptr) {
68  DetectEntropyData *ded = (DetectEntropyData *)ptr;
69  VarNameStoreUnregister(ded->fv_idx, VAR_TYPE_FLOW_FLOAT);
70  SCDetectEntropyFree(ptr);
71  }
72 }
73 
74 bool DetectEntropyDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s,
75  const SigMatchCtx *ctx, Flow *flow, const uint8_t *buffer, const uint32_t buffer_len)
76 {
77  double entropy = -1.0;
78  bool rc = SCDetectEntropyMatch(buffer, buffer_len, (const DetectEntropyData *)ctx, &entropy);
79 
80  if (flow && entropy != -1.0) {
81  DetectEntropyData *ded = (DetectEntropyData *)ctx;
82  FlowVarAddFloat(flow, ded->fv_idx, entropy);
83  }
84 
85  return rc;
86 }
87 
88 void DetectEntropyRegister(void)
89 {
90  sigmatch_table[DETECT_ENTROPY].name = "entropy";
91  sigmatch_table[DETECT_ENTROPY].desc = "calculate entropy";
92  sigmatch_table[DETECT_ENTROPY].url = "/rules/payload-keywords.html#entropy";
93  sigmatch_table[DETECT_ENTROPY].Free = DetectEntropyFree;
94  sigmatch_table[DETECT_ENTROPY].Setup = DetectEntropySetup;
95 }
SigTableElmt_::url
const char * url
Definition: detect.h:1460
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
SigTableElmt_::desc
const char * desc
Definition: detect.h:1459
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
detect-entropy.h
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1444
SigTableElmt_::name
const char * name
Definition: detect.h:1457
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
Flow_
Flow data structure.
Definition: flow.h:348
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DETECT_ENTROPY
@ DETECT_ENTROPY
Definition: detect-engine-register.h:96
DetectEngineBufferTypeGetNameById
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1308
util-var-name.h
rust.h
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:155
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1439
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEntropyDoMatch
bool DetectEntropyDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchCtx *ctx, Flow *flow, const uint8_t *buffer, const uint32_t buffer_len)
Definition: detect-entropy.c:74
DetectEngineThreadCtx_
Definition: detect.h:1244
SignatureInitData_::list
int list
Definition: detect.h:628
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:201
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
VAR_TYPE_FLOW_FLOAT
@ VAR_TYPE_FLOW_FLOAT
Definition: util-var.h:38
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:144
suricata-common.h
detect-engine-buffer.h
DetectEntropyRegister
void DetectEntropyRegister(void)
Definition: detect-entropy.c:88
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
FlowVarAddFloat
void FlowVarAddFloat(Flow *f, uint32_t idx, double value)
Definition: flow-var.c:142
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:285
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine-buffer.c:109
flow-var.h