suricata
detect-flowvar.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Simple flowvar content match part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-content.h"
33 #include "threads.h"
34 #include "flow.h"
35 #include "flow-var.h"
36 #include "pkt-var.h"
37 #include "detect-flowvar.h"
38 
39 #include "util-spm.h"
40 #include "util-var-name.h"
41 #include "util-debug.h"
42 #include "util-print.h"
43 
44 #define PARSE_REGEX "(.*),(.*)"
45 static DetectParseRegex parse_regex;
46 
47 int DetectFlowvarMatch (DetectEngineThreadCtx *, Packet *,
48  const Signature *, const SigMatchCtx *);
49 static int DetectFlowvarSetup (DetectEngineCtx *, Signature *, const char *);
50 static int DetectFlowvarPostMatch(DetectEngineThreadCtx *det_ctx,
51  Packet *p, const Signature *s, const SigMatchCtx *ctx);
52 static void DetectFlowvarDataFree(DetectEngineCtx *, void *ptr);
53 
54 void DetectFlowvarRegister (void)
55 {
56  sigmatch_table[DETECT_FLOWVAR].name = "flowvar";
57  sigmatch_table[DETECT_FLOWVAR].Match = DetectFlowvarMatch;
58  sigmatch_table[DETECT_FLOWVAR].Setup = DetectFlowvarSetup;
59  sigmatch_table[DETECT_FLOWVAR].Free = DetectFlowvarDataFree;
60 
61  /* post-match for flowvar storage */
62  sigmatch_table[DETECT_FLOWVAR_POSTMATCH].name = "__flowvar__postmatch__";
63  sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Match = DetectFlowvarPostMatch;
64  sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Setup = NULL;
65  sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Free = DetectFlowvarDataFree;
66 
67  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
68 }
69 
70 /**
71  * \brief this function will SCFree memory associated with DetectFlowvarData
72  *
73  * \param cd pointer to DetectContentData
74  */
75 static void DetectFlowvarDataFree(DetectEngineCtx *de_ctx, void *ptr)
76 {
77  if (ptr == NULL)
78  SCReturn;
79 
80  DetectFlowvarData *fd = (DetectFlowvarData *)ptr;
81  /* leave unregistration to pcre keyword */
82  if (!fd->post_match)
83  VarNameStoreUnregister(fd->idx, VAR_TYPE_FLOW_VAR);
84 
85  if (fd->name)
86  SCFree(fd->name);
87  if (fd->content)
88  SCFree(fd->content);
89 
90  SCFree(fd);
91 }
92 
93 /*
94  * returns 0: no match
95  * 1: match
96  * -1: error
97  */
98 
99 int DetectFlowvarMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
100  const Signature *s, const SigMatchCtx *ctx)
101 {
102  int ret = 0;
103  DetectFlowvarData *fd = (DetectFlowvarData *)ctx;
104 
105  FlowVar *fv = FlowVarGet(p->flow, fd->idx);
106  if (fv != NULL) {
107  uint8_t *ptr = SpmSearch(fv->data.fv_str.value,
108  fv->data.fv_str.value_len,
109  fd->content, fd->content_len);
110  if (ptr != NULL)
111  ret = 1;
112  }
113 
114  return ret;
115 }
116 
117 static int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
118 {
119  DetectFlowvarData *fd = NULL;
120  char varname[64], varcontent[64];
121  int res = 0;
122  size_t pcre2len;
123  uint8_t *content = NULL;
124  uint16_t contentlen = 0;
125  uint32_t contentflags = s->init_data->negated ? DETECT_CONTENT_NEGATED : 0;
126  pcre2_match_data *match = NULL;
127 
128  int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
129  if (ret != 3) {
130  SCLogError("\"%s\" is not a valid setting for flowvar.", rawstr);
131  if (match) {
132  pcre2_match_data_free(match);
133  }
134  return -1;
135  }
136 
137  pcre2len = sizeof(varname);
138  res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)varname, &pcre2len);
139  if (res < 0) {
140  pcre2_match_data_free(match);
141  SCLogError("pcre2_substring_copy_bynumber failed");
142  return -1;
143  }
144 
145  pcre2len = sizeof(varcontent);
146  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)varcontent, &pcre2len);
147  pcre2_match_data_free(match);
148  if (res < 0) {
149  SCLogError("pcre2_substring_copy_bynumber failed");
150  return -1;
151  }
152 
153  int varcontent_index = 0;
154  if (strlen(varcontent) >= 2) {
155  if (varcontent[0] == '"')
156  varcontent_index++;
157  if (varcontent[strlen(varcontent)-1] == '"')
158  varcontent[strlen(varcontent)-1] = '\0';
159  }
160  SCLogDebug("varcontent %s", &varcontent[varcontent_index]);
161 
162  res = DetectContentDataParse("flowvar", &varcontent[varcontent_index], &content, &contentlen);
163  if (res == -1)
164  goto error;
165 
166  fd = SCCalloc(1, sizeof(DetectFlowvarData));
167  if (unlikely(fd == NULL))
168  goto error;
169 
170  fd->content = SCMalloc(contentlen);
171  if (unlikely(fd->content == NULL))
172  goto error;
173 
174  memcpy(fd->content, content, contentlen);
175  fd->content_len = contentlen;
176  fd->flags = contentflags;
177 
178  fd->name = SCStrdup(varname);
179  if (unlikely(fd->name == NULL))
180  goto error;
181  fd->idx = VarNameStoreRegister(varname, VAR_TYPE_FLOW_VAR);
182 
183  /* Okay so far so good, lets get this into a SigMatch
184  * and put it in the Signature. */
185 
186  if (SigMatchAppendSMToList(
187  de_ctx, s, DETECT_FLOWVAR, (SigMatchCtx *)fd, DETECT_SM_LIST_MATCH) == NULL) {
188  goto error;
189  }
190 
191  SCFree(content);
192  return 0;
193 
194 error:
195  if (fd != NULL)
196  DetectFlowvarDataFree(de_ctx, fd);
197  if (content != NULL)
198  SCFree(content);
199  return -1;
200 }
201 
202 /** \brief Store flowvar in det_ctx so we can exec it post-match */
203 int DetectVarStoreMatchKeyValue(DetectEngineThreadCtx *det_ctx,
204  uint8_t *key, uint16_t key_len,
205  uint8_t *buffer, uint16_t len, int type)
206 {
207  DetectVarList *fs = SCCalloc(1, sizeof(*fs));
208  if (unlikely(fs == NULL))
209  return -1;
210 
211  fs->len = len;
212  fs->type = type;
213  fs->buffer = buffer;
214  fs->key = key;
215  fs->key_len = key_len;
216 
217  fs->next = det_ctx->varlist;
218  det_ctx->varlist = fs;
219  return 0;
220 }
221 
222 /** \brief Store flowvar in det_ctx so we can exec it post-match */
223 int DetectVarStoreMatch(DetectEngineThreadCtx *det_ctx,
224  uint32_t idx,
225  uint8_t *buffer, uint16_t len, int type)
226 {
227  DetectVarList *fs = det_ctx->varlist;
228 
229  /* first check if we have had a previous match for this idx */
230  for ( ; fs != NULL; fs = fs->next) {
231  if (fs->idx == idx) {
232  /* we're replacing the older store */
233  SCFree(fs->buffer);
234  fs->buffer = NULL;
235  break;
236  }
237  }
238 
239  if (fs == NULL) {
240  fs = SCCalloc(1, sizeof(*fs));
241  if (unlikely(fs == NULL))
242  return -1;
243 
244  fs->idx = idx;
245 
246  fs->next = det_ctx->varlist;
247  det_ctx->varlist = fs;
248  }
249 
250  fs->len = len;
251  fs->type = type;
252  fs->buffer = buffer;
253  return 0;
254 }
255 
256 /** \brief Setup a post-match for flowvar storage
257  * We're piggyback riding the DetectFlowvarData struct
258  */
259 int DetectFlowvarPostMatchSetup(DetectEngineCtx *de_ctx, Signature *s, uint32_t idx)
260 {
261  DetectFlowvarData *fv = NULL;
262 
263  fv = SCCalloc(1, sizeof(DetectFlowvarData));
264  if (unlikely(fv == NULL))
265  goto error;
266 
267  /* we only need the idx */
268  fv->idx = idx;
269  fv->post_match = true;
270 
271  if (SigMatchAppendSMToList(de_ctx, s, DETECT_FLOWVAR_POSTMATCH, (SigMatchCtx *)fv,
272  DETECT_SM_LIST_POSTMATCH) == NULL) {
273  goto error;
274  }
275  return 0;
276 error:
277  if (fv != NULL)
278  DetectFlowvarDataFree(de_ctx, fv);
279  return -1;
280 }
281 
282 /** \internal
283  * \brief post-match func to store flowvars in the flow
284  * \param sm sigmatch containing the idx to store
285  * \retval 1 or -1 in case of error
286  */
287 static int DetectFlowvarPostMatch(
288  DetectEngineThreadCtx *det_ctx,
289  Packet *p, const Signature *s, const SigMatchCtx *ctx)
290 {
291  DetectVarList *fs, *prev;
292  const DetectFlowvarData *fd;
293 
294  if (det_ctx->varlist == NULL)
295  return 1;
296 
297  fd = (const DetectFlowvarData *)ctx;
298 
299  prev = NULL;
300  fs = det_ctx->varlist;
301  while (fs != NULL) {
302  if (fd->idx == 0 || fd->idx == fs->idx) {
303  SCLogDebug("adding to the flow %u:", fs->idx);
304  //PrintRawDataFp(stdout, fs->buffer, fs->len);
305 
306  if (fs->type == DETECT_VAR_TYPE_FLOW_POSTMATCH && p && p->flow) {
307  FlowVarAddIdValue(p->flow, fs->idx, fs->buffer, fs->len);
308  /* memory at fs->buffer is now the responsibility of
309  * the flowvar code. */
310  } else if (fs->type == DETECT_VAR_TYPE_PKT_POSTMATCH && fs->key && p) {
311  /* pkt key/value */
312  if (PktVarAddKeyValue(p, (uint8_t *)fs->key, fs->key_len,
313  (uint8_t *)fs->buffer, fs->len) == -1)
314  {
315  SCFree(fs->key);
316  SCFree(fs->buffer);
317  /* the rest of fs is freed below */
318  }
319  } else if (fs->type == DETECT_VAR_TYPE_PKT_POSTMATCH && p) {
320  if (PktVarAdd(p, fs->idx, fs->buffer, fs->len) == -1) {
321  SCFree(fs->buffer);
322  /* the rest of fs is freed below */
323  }
324  }
325 
326  if (fs == det_ctx->varlist) {
327  det_ctx->varlist = fs->next;
328  SCFree(fs);
329  fs = det_ctx->varlist;
330  } else {
331  prev->next = fs->next;
332  SCFree(fs);
333  fs = prev->next;
334  }
335  } else {
336  prev = fs;
337  fs = fs->next;
338  }
339  }
340  return 1;
341 }
342 
343 /** \brief Handle flowvar candidate list in det_ctx: clean up the list
344  *
345  * Only called from DetectVarProcessList() when varlist is not NULL.
346  */
347 void DetectVarProcessListInternal(DetectVarList *fs, Flow *f, Packet *p)
348 {
349  DetectVarList *next;
350 
351  do {
352  next = fs->next;
353 
354  if (fs->key) {
355  SCFree(fs->key);
356  }
357  SCFree(fs->buffer);
358  SCFree(fs);
359  fs = next;
360  } while (fs != NULL);
361 }
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectFlowvarPostMatchSetup
int DetectFlowvarPostMatchSetup(DetectEngineCtx *de_ctx, Signature *s, uint32_t idx)
Setup a post-match for flowvar storage We're piggyback riding the DetectFlowvarData struct.
Definition: detect-flowvar.c:259
FlowVar_::data
union FlowVar_::@109 data
DetectVarList_::idx
uint32_t idx
Definition: detect.h:742
DetectVarList_::buffer
uint8_t * buffer
Definition: detect.h:747
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1286
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1296
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectVarStoreMatch
int DetectVarStoreMatch(DetectEngineThreadCtx *det_ctx, uint32_t idx, uint8_t *buffer, uint16_t len, int type)
Store flowvar in det_ctx so we can exec it post-match.
Definition: detect-flowvar.c:223
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
FlowVarTypeStr::value_len
uint16_t value_len
Definition: flow-var.h:39
DetectVarList_::key_len
uint16_t key_len
Definition: detect.h:744
threads.h
Flow_
Flow data structure.
Definition: flow.h:355
DetectVarList_
Definition: detect.h:741
DetectVarList_::len
uint16_t len
Definition: detect.h:743
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
FlowVar_::fv_str
FlowVarTypeStr fv_str
Definition: flow-var.h:57
util-var-name.h
DetectVarProcessListInternal
void DetectVarProcessListInternal(DetectVarList *fs, Flow *f, Packet *p)
Handle flowvar candidate list in det_ctx: clean up the list.
Definition: detect-flowvar.c:347
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2674
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:155
DETECT_VAR_TYPE_PKT_POSTMATCH
#define DETECT_VAR_TYPE_PKT_POSTMATCH
Definition: detect.h:737
PktVarAdd
int PktVarAdd(Packet *p, uint32_t id, uint8_t *value, uint16_t size)
add a key-value pktvar to the pkt
Definition: pkt-var.c:86
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1281
DetectEngineThreadCtx_::varlist
DetectVarList * varlist
Definition: detect.h:1209
detect-flowvar.h
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:124
decode.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectFlowvarData_::flags
uint32_t flags
Definition: detect-flowvar.h:34
DetectEngineThreadCtx_
Definition: detect.h:1095
DETECT_FLOWVAR
@ DETECT_FLOWVAR
Definition: detect-engine-register.h:85
DETECT_FLOWVAR_POSTMATCH
@ DETECT_FLOWVAR_POSTMATCH
Definition: detect-engine-register.h:86
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2800
util-print.h
DetectFlowvarData_
Definition: detect-flowvar.h:27
detect.h
pkt-var.h
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:201
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
DetectVarList_::next
struct DetectVarList_ * next
Definition: detect.h:749
SCReturn
#define SCReturn
Definition: util-debug.h:273
Packet_
Definition: decode.h:488
type
uint16_t type
Definition: decode-vlan.c:107
DetectFlowvarData_::name
char * name
Definition: detect-flowvar.h:28
FlowVarAddIdValue
void FlowVarAddIdValue(Flow *f, uint32_t idx, uint8_t *value, uint16_t size)
Definition: flow-var.c:113
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:665
SignatureInitData_::negated
bool negated
Definition: detect.h:540
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1264
DETECT_VAR_TYPE_FLOW_POSTMATCH
#define DETECT_VAR_TYPE_FLOW_POSTMATCH
Definition: detect.h:736
DetectFlowvarData_::post_match
bool post_match
Definition: detect-flowvar.h:33
DetectVarList_::type
int type
Definition: detect.h:745
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:345
DetectContentDataParse
int DetectContentDataParse(const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
Parse a content string, ie "abc|DE|fgh".
Definition: detect-content.c:83
FlowVarTypeStr::value
uint8_t * value
Definition: flow-var.h:38
Packet_::flow
struct Flow_ * flow
Definition: decode.h:527
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
DetectFlowvarData_::content
uint8_t * content
Definition: detect-flowvar.h:30
util-spm.h
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectFlowvarRegister
void DetectFlowvarRegister(void)
Definition: detect-flowvar.c:54
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
DetectVarList_::key
uint8_t * key
Definition: detect.h:746
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectFlowvarData_::idx
uint32_t idx
Definition: detect-flowvar.h:29
detect-parse.h
Signature_
Signature container.
Definition: detect.h:596
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:37
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-flowvar.c:44
DetectVarStoreMatchKeyValue
int DetectVarStoreMatchKeyValue(DetectEngineThreadCtx *det_ctx, uint8_t *key, uint16_t key_len, uint8_t *buffer, uint16_t len, int type)
Store flowvar in det_ctx so we can exec it post-match.
Definition: detect-flowvar.c:203
SpmSearch
#define SpmSearch(text, textlen, needle, needlelen)
Definition: util-spm.h:99
PktVarAddKeyValue
int PktVarAddKeyValue(Packet *p, uint8_t *key, uint16_t ksize, uint8_t *value, uint16_t size)
add a key-value pktvar to the pkt
Definition: pkt-var.c:56
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
FlowVarGet
FlowVar * FlowVarGet(Flow *f, uint32_t idx)
get the flowvar with index 'idx' from the flow
Definition: flow-var.c:78
DetectFlowvarData_::content_len
uint16_t content_len
Definition: detect-flowvar.h:31
flow.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
flow-var.h
FlowVar_
Definition: flow-var.h:48
DetectFlowvarMatch
int DetectFlowvarMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect-flowvar.c:99