suricata
detect-flowvar.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Simple flowvar content match part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-content.h"
33 #include "threads.h"
34 #include "flow.h"
35 #include "flow-var.h"
36 #include "pkt-var.h"
37 #include "detect-flowvar.h"
38 
39 #include "util-spm.h"
40 #include "util-var-name.h"
41 #include "util-debug.h"
42 #include "util-print.h"
43 
44 #define PARSE_REGEX "(.*),(.*)"
45 static pcre *parse_regex;
46 static pcre_extra *parse_regex_study;
47 
49  const Signature *, const SigMatchCtx *);
50 static int DetectFlowvarSetup (DetectEngineCtx *, Signature *, const char *);
51 static int DetectFlowvarPostMatch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
52  Packet *p, const Signature *s, const SigMatchCtx *ctx);
53 static void DetectFlowvarDataFree(void *ptr);
54 
56 {
57  sigmatch_table[DETECT_FLOWVAR].name = "flowvar";
59  sigmatch_table[DETECT_FLOWVAR].Setup = DetectFlowvarSetup;
60  sigmatch_table[DETECT_FLOWVAR].Free = DetectFlowvarDataFree;
62 
63  /* post-match for flowvar storage */
64  sigmatch_table[DETECT_FLOWVAR_POSTMATCH].name = "__flowvar__postmatch__";
65  sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Match = DetectFlowvarPostMatch;
67  sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Free = DetectFlowvarDataFree;
69 
70  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
71 }
72 
73 /**
74  * \brief this function will SCFree memory associated with DetectFlowvarData
75  *
76  * \param cd pointer to DetectCotentData
77  */
78 static void DetectFlowvarDataFree(void *ptr)
79 {
80  if (ptr == NULL)
81  SCReturn;
82 
84 
85  if (fd->name)
86  SCFree(fd->name);
87  if (fd->content)
88  SCFree(fd->content);
89 
90  SCFree(fd);
91 }
92 
93 /*
94  * returns 0: no match
95  * 1: match
96  * -1: error
97  */
98 
100  const Signature *s, const SigMatchCtx *ctx)
101 {
102  int ret = 0;
104 
105  FlowVar *fv = FlowVarGet(p->flow, fd->idx);
106  if (fv != NULL) {
107  uint8_t *ptr = SpmSearch(fv->data.fv_str.value,
108  fv->data.fv_str.value_len,
109  fd->content, fd->content_len);
110  if (ptr != NULL)
111  ret = 1;
112  }
113 
114  return ret;
115 }
116 
117 static int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
118 {
119  DetectFlowvarData *fd = NULL;
120  SigMatch *sm = NULL;
121  char *varname = NULL, *varcontent = NULL;
122 #define MAX_SUBSTRINGS 30
123  int ret = 0, res = 0;
124  int ov[MAX_SUBSTRINGS];
125  const char *str_ptr;
126  uint8_t *content = NULL;
127  uint16_t contentlen = 0;
128  uint32_t contentflags = s->init_data->negated ? DETECT_CONTENT_NEGATED : 0;
129 
130  ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
131  if (ret != 3) {
132  SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for flowvar.", rawstr);
133  return -1;
134  }
135 
136  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
137  if (res < 0) {
138  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
139  return -1;
140  }
141  varname = (char *)str_ptr;
142 
143  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
144  if (res < 0) {
145  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
146  return -1;
147  }
148  varcontent = (char *)str_ptr;
149 
150  if (strlen(varcontent) >= 2) {
151  if (varcontent[0] == '"')
152  varcontent++;
153  if (varcontent[strlen(varcontent)-1] == '"')
154  varcontent[strlen(varcontent)-1] = '\0';
155  }
156  SCLogDebug("varcontent %s", varcontent);
157 
158  res = DetectContentDataParse("flowvar", varcontent, &content, &contentlen);
159  if (res == -1)
160  goto error;
161 
162  fd = SCMalloc(sizeof(DetectFlowvarData));
163  if (unlikely(fd == NULL))
164  goto error;
165  memset(fd, 0x00, sizeof(*fd));
166 
167  fd->content = SCMalloc(contentlen);
168  if (unlikely(fd->content == NULL))
169  goto error;
170 
171  memcpy(fd->content, content, contentlen);
172  fd->content_len = contentlen;
173  fd->flags = contentflags;
174 
175  fd->name = SCStrdup(varname);
176  if (unlikely(fd->name == NULL))
177  goto error;
179 
180  /* Okay so far so good, lets get this into a SigMatch
181  * and put it in the Signature. */
182  sm = SigMatchAlloc();
183  if (unlikely(sm == NULL))
184  goto error;
185 
186  sm->type = DETECT_FLOWVAR;
187  sm->ctx = (SigMatchCtx *)fd;
188 
190 
191  SCFree(content);
192  return 0;
193 
194 error:
195  if (fd != NULL)
196  DetectFlowvarDataFree(fd);
197  if (sm != NULL)
198  SCFree(sm);
199  if (content != NULL)
200  SCFree(content);
201  return -1;
202 }
203 
204 /** \brief Store flowvar in det_ctx so we can exec it post-match */
206  uint8_t *key, uint16_t key_len,
207  uint8_t *buffer, uint16_t len, int type)
208 {
209  DetectVarList *fs = SCCalloc(1, sizeof(*fs));
210  if (unlikely(fs == NULL))
211  return -1;
212 
213  fs->len = len;
214  fs->type = type;
215  fs->buffer = buffer;
216  fs->key = key;
217  fs->key_len = key_len;
218 
219  fs->next = det_ctx->varlist;
220  det_ctx->varlist = fs;
221  return 0;
222 }
223 
224 /** \brief Store flowvar in det_ctx so we can exec it post-match */
226  uint32_t idx,
227  uint8_t *buffer, uint16_t len, int type)
228 {
229  DetectVarList *fs = det_ctx->varlist;
230 
231  /* first check if we have had a previous match for this idx */
232  for ( ; fs != NULL; fs = fs->next) {
233  if (fs->idx == idx) {
234  /* we're replacing the older store */
235  SCFree(fs->buffer);
236  fs->buffer = NULL;
237  break;
238  }
239  }
240 
241  if (fs == NULL) {
242  fs = SCCalloc(1, sizeof(*fs));
243  if (unlikely(fs == NULL))
244  return -1;
245 
246  fs->idx = idx;
247 
248  fs->next = det_ctx->varlist;
249  det_ctx->varlist = fs;
250  }
251 
252  fs->len = len;
253  fs->type = type;
254  fs->buffer = buffer;
255  return 0;
256 }
257 
258 /** \brief Setup a post-match for flowvar storage
259  * We're piggyback riding the DetectFlowvarData struct
260  */
262 {
263  SigMatch *sm = NULL;
264  DetectFlowvarData *fv = NULL;
265 
266  fv = SCMalloc(sizeof(DetectFlowvarData));
267  if (unlikely(fv == NULL))
268  goto error;
269  memset(fv, 0x00, sizeof(*fv));
270 
271  /* we only need the idx */
272  fv->idx = idx;
273 
274  sm = SigMatchAlloc();
275  if (unlikely(sm == NULL))
276  goto error;
277 
279  sm->ctx = (SigMatchCtx *)fv;
280 
282  return 0;
283 error:
284  if (fv != NULL)
285  DetectFlowvarDataFree(fv);
286  return -1;
287 }
288 
289 /** \internal
290  * \brief post-match func to store flowvars in the flow
291  * \param sm sigmatch containing the idx to store
292  * \retval 1 or -1 in case of error
293  */
294 static int DetectFlowvarPostMatch(ThreadVars *tv,
295  DetectEngineThreadCtx *det_ctx,
296  Packet *p, const Signature *s, const SigMatchCtx *ctx)
297 {
298  DetectVarList *fs, *prev;
299  const DetectFlowvarData *fd;
300 
301  if (det_ctx->varlist == NULL)
302  return 1;
303 
304  fd = (const DetectFlowvarData *)ctx;
305 
306  prev = NULL;
307  fs = det_ctx->varlist;
308  while (fs != NULL) {
309  if (fd->idx == 0 || fd->idx == fs->idx) {
310  SCLogDebug("adding to the flow %u:", fs->idx);
311  //PrintRawDataFp(stdout, fs->buffer, fs->len);
312 
313  if (fs->type == DETECT_VAR_TYPE_FLOW_POSTMATCH && p && p->flow) {
314  FlowVarAddIdValue(p->flow, fs->idx, fs->buffer, fs->len);
315  /* memory at fs->buffer is now the responsibility of
316  * the flowvar code. */
317  } else if (fs->type == DETECT_VAR_TYPE_PKT_POSTMATCH && fs->key && p) {
318  /* pkt key/value */
319  if (PktVarAddKeyValue(p, (uint8_t *)fs->key, fs->key_len,
320  (uint8_t *)fs->buffer, fs->len) == -1)
321  {
322  SCFree(fs->key);
323  SCFree(fs->buffer);
324  /* the rest of fs is freed below */
325  }
326  } else if (fs->type == DETECT_VAR_TYPE_PKT_POSTMATCH && p) {
327  if (PktVarAdd(p, fs->idx, fs->buffer, fs->len) == -1) {
328  SCFree(fs->buffer);
329  /* the rest of fs is freed below */
330  }
331  }
332 
333  if (fs == det_ctx->varlist) {
334  det_ctx->varlist = fs->next;
335  SCFree(fs);
336  fs = det_ctx->varlist;
337  } else {
338  prev->next = fs->next;
339  SCFree(fs);
340  fs = prev->next;
341  }
342  } else {
343  prev = fs;
344  fs = fs->next;
345  }
346  }
347  return 1;
348 }
349 
350 /** \brief Handle flowvar candidate list in det_ctx: clean up the list
351  *
352  * Only called from DetectVarProcessList() when varlist is not NULL.
353  */
355 {
357 
358  do {
359  next = fs->next;
360 
361  if (fs->key) {
362  SCFree(fs->key);
363  }
364  SCFree(fs->buffer);
365  SCFree(fs);
366  fs = next;
367  } while (fs != NULL);
368 }
#define PARSE_REGEX
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
SignatureInitData * init_data
Definition: detect.h:563
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
#define SCLogDebug(...)
Definition: util-debug.h:335
uint16_t value_len
Definition: flow-var.h:39
struct Flow_ * flow
Definition: decode.h:443
struct HtpBodyChunk_ * next
int DetectFlowvarPostMatchSetup(Signature *s, uint32_t idx)
Setup a post-match for flowvar storage We&#39;re piggyback riding the DetectFlowvarData struct...
#define unlikely(expr)
Definition: util-optimize.h:35
uint16_t key_len
Definition: detect.h:618
int DetectContentDataParse(const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
Parse a content string, ie "abc|DE|fgh".
uint16_t len
Definition: detect.h:617
const char * name
Definition: detect.h:1163
Signature container.
Definition: detect.h:495
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
main detection engine ctx
Definition: detect.h:723
FlowVarTypeStr fv_str
Definition: flow-var.h:57
DetectVarList * varlist
Definition: detect.h:1079
#define SCCalloc(nm, a)
Definition: util-mem.h:197
struct DetectVarList_ * next
Definition: detect.h:623
void DetectVarProcessListInternal(DetectVarList *fs, Flow *f, Packet *p)
Handle flowvar candidate list in det_ctx: clean up the list.
uint8_t * key
Definition: detect.h:620
void(* Free)(void *)
Definition: detect.h:1154
uint8_t type
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int PktVarAdd(Packet *p, uint32_t id, uint8_t *value, uint16_t size)
add a key-value pktvar to the pkt
Definition: pkt-var.c:86
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
union FlowVar_::@112 data
uint8_t type
Definition: detect.h:323
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
uint8_t * value
Definition: flow-var.h:38
int DetectVarStoreMatch(DetectEngineThreadCtx *det_ctx, uint32_t idx, uint8_t *buffer, uint16_t len, int type)
Store flowvar in det_ctx so we can exec it post-match.
SigMatchCtx * ctx
Definition: detect.h:325
#define SCMalloc(a)
Definition: util-mem.h:166
FlowVar * FlowVarGet(Flow *f, uint32_t idx)
get the flowvar with index &#39;idx&#39; from the flow
Definition: flow-var.c:78
#define DETECT_CONTENT_NEGATED
uint32_t idx
Definition: detect.h:616
#define SCFree(a)
Definition: util-mem.h:228
PoolThreadReserved res
#define MAX_SUBSTRINGS
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
void FlowVarAddIdValue(Flow *f, uint32_t idx, uint8_t *value, uint16_t size)
Definition: flow-var.c:113
uint8_t * buffer
Definition: detect.h:621
int PktVarAddKeyValue(Packet *p, uint8_t *key, uint16_t ksize, uint8_t *value, uint16_t size)
add a key-value pktvar to the pkt
Definition: pkt-var.c:56
#define SCStrdup(a)
Definition: util-mem.h:212
#define DETECT_VAR_TYPE_FLOW_POSTMATCH
Definition: detect.h:610
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
#define SCReturn
Definition: util-debug.h:339
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
int DetectFlowvarMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
#define SpmSearch(text, textlen, needle, needlelen)
Definition: util-spm.h:101
#define DETECT_VAR_TYPE_PKT_POSTMATCH
Definition: detect.h:611
Flow data structure.
Definition: flow.h:324
int DetectVarStoreMatchKeyValue(DetectEngineThreadCtx *det_ctx, uint8_t *key, uint16_t key_len, uint8_t *buffer, uint16_t len, int type)
Store flowvar in det_ctx so we can exec it post-match.
void(* RegisterTests)(void)
Definition: detect.h:1155
a single match condition for a signature
Definition: detect.h:322
void DetectFlowvarRegister(void)