suricata
detect-fragoffset.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  *
23  * Implements fragoffset keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "decode-ipv4.h"
30 #include "decode-ipv6.h"
31 
32 #include "detect.h"
33 #include "detect-parse.h"
35 
36 #include "detect-fragoffset.h"
37 
38 #include "util-byte.h"
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 
42 #define PARSE_REGEX "^\\s*(?:(<|>))?\\s*([0-9]+)"
43 
44 static pcre *parse_regex;
45 static pcre_extra *parse_regex_study;
46 
47 static int DetectFragOffsetMatch(ThreadVars *, DetectEngineThreadCtx *,
48  Packet *, const Signature *, const SigMatchCtx *);
49 static int DetectFragOffsetSetup(DetectEngineCtx *, Signature *, const char *);
51 void DetectFragOffsetFree(void *);
52 
53 static int PrefilterSetupFragOffset(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
54 static _Bool PrefilterFragOffsetIsPrefilterable(const Signature *s);
55 
56 /**
57  * \brief Registration function for fragoffset
58  */
60 {
61  sigmatch_table[DETECT_FRAGOFFSET].name = "fragoffset";
62  sigmatch_table[DETECT_FRAGOFFSET].desc = "match on specific decimal values of the IP fragment offset field";
63  sigmatch_table[DETECT_FRAGOFFSET].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#fragoffset";
64  sigmatch_table[DETECT_FRAGOFFSET].Match = DetectFragOffsetMatch;
65  sigmatch_table[DETECT_FRAGOFFSET].Setup = DetectFragOffsetSetup;
68 
69  sigmatch_table[DETECT_FRAGOFFSET].SupportsPrefilter = PrefilterFragOffsetIsPrefilterable;
70  sigmatch_table[DETECT_FRAGOFFSET].SetupPrefilter = PrefilterSetupFragOffset;
71 
72  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
73 }
74 
75 static inline int FragOffsetMatch(const uint16_t poffset, const uint8_t mode,
76  const uint16_t doffset)
77 {
78  switch (mode) {
79  case FRAG_LESS:
80  if (poffset < doffset)
81  return 1;
82  break;
83  case FRAG_MORE:
84  if (poffset > doffset)
85  return 1;
86  break;
87  default:
88  if (poffset == doffset)
89  return 1;
90  }
91  return 0;
92 }
93 
94 /**
95  * \brief This function is used to match fragoffset rule option set on a packet
96  *
97  * \param t pointer to thread vars
98  * \param det_ctx pointer to the pattern matcher thread
99  * \param p pointer to the current packet
100  * \param m pointer to the sigmatch that we will cast into DetectFragOffsetData
101  *
102  * \retval 0 no match or frag is not set
103  * \retval 1 match
104  *
105  */
106 static int DetectFragOffsetMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
107  Packet *p, const Signature *s, const SigMatchCtx *ctx)
108 {
109  uint16_t frag = 0;
110  const DetectFragOffsetData *fragoff = (const DetectFragOffsetData *)ctx;
111 
112  if (PKT_IS_PSEUDOPKT(p))
113  return 0;
114 
115  if (PKT_IS_IPV4(p)) {
116  frag = IPV4_GET_IPOFFSET(p);
117  } else if (PKT_IS_IPV6(p)) {
118  if (IPV6_EXTHDR_ISSET_FH(p)) {
119  frag = IPV6_EXTHDR_GET_FH_OFFSET(p);
120  } else {
121  return 0;
122  }
123  } else {
124  SCLogDebug("No IPv4 or IPv6 packet");
125  return 0;
126  }
127 
128  return FragOffsetMatch(frag, fragoff->mode, fragoff->frag_off);;
129 }
130 
131 /**
132  * \brief This function is used to parse fragoffset option passed via fragoffset: keyword
133  *
134  * \param fragoffsetstr Pointer to the user provided fragoffset options
135  *
136  * \retval fragoff pointer to DetectFragOffsetData on success
137  * \retval NULL on failure
138  */
139 static DetectFragOffsetData *DetectFragOffsetParse (const char *fragoffsetstr)
140 {
141  DetectFragOffsetData *fragoff = NULL;
142  char *substr[3] = {NULL, NULL, NULL};
143 #define MAX_SUBSTRINGS 30
144  int ret = 0, res = 0;
145  int ov[MAX_SUBSTRINGS];
146  int i;
147  const char *str_ptr;
148  char *mode = NULL;
149 
150  ret = pcre_exec(parse_regex, parse_regex_study, fragoffsetstr, strlen(fragoffsetstr), 0, 0, ov, MAX_SUBSTRINGS);
151  if (ret < 1 || ret > 4) {
152  SCLogError(SC_ERR_PCRE_MATCH,"Parse error %s", fragoffsetstr);
153  goto error;
154  }
155 
156  for (i = 1; i < ret; i++) {
157  res = pcre_get_substring((char *)fragoffsetstr, ov, MAX_SUBSTRINGS, i, &str_ptr);
158  if (res < 0) {
159  SCLogError(SC_ERR_PCRE_GET_SUBSTRING,"pcre_get_substring failed");
160  goto error;
161  }
162  substr[i-1] = (char *)str_ptr;
163  }
164 
165  fragoff = SCMalloc(sizeof(DetectFragOffsetData));
166  if (unlikely(fragoff == NULL))
167  goto error;
168 
169  fragoff->frag_off = 0;
170  fragoff->mode = 0;
171 
172  mode = substr[0];
173 
174  if(mode != NULL) {
175 
176  while(*mode != '\0') {
177  switch(*mode) {
178  case '>':
179  fragoff->mode = FRAG_MORE;
180  break;
181  case '<':
182  fragoff->mode = FRAG_LESS;
183  break;
184  }
185  mode++;
186  }
187  }
188 
189  if (ByteExtractStringUint16(&fragoff->frag_off, 10, 0, substr[1]) < 0) {
190  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified frag offset %s is not "
191  "valid", substr[1]);
192  goto error;
193  }
194 
195  for (i = 0; i < 3; i++) {
196  if (substr[i] != NULL) SCFree(substr[i]);
197  }
198 
199  return fragoff;
200 
201 error:
202  for (i = 0; i < 3; i++) {
203  if (substr[i] != NULL) SCFree(substr[i]);
204  }
205  if (fragoff != NULL) DetectFragOffsetFree(fragoff);
206  return NULL;
207 
208 }
209 
210 /**
211  * \brief this function is used to add the parsed fragoffset data into the current signature
212  *
213  * \param de_ctx pointer to the Detection Engine Context
214  * \param s pointer to the Current Signature
215  * \param fragoffsetstr pointer to the user provided fragoffset option
216  *
217  * \retval 0 on Success
218  * \retval -1 on Failure
219  */
220 static int DetectFragOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, const char *fragoffsetstr)
221 {
222  DetectFragOffsetData *fragoff = NULL;
223  SigMatch *sm = NULL;
224 
225  fragoff = DetectFragOffsetParse(fragoffsetstr);
226  if (fragoff == NULL) goto error;
227 
228  sm = SigMatchAlloc();
229  if (sm == NULL) goto error;
230 
231  sm->type = DETECT_FRAGOFFSET;
232  sm->ctx = (SigMatchCtx *)fragoff;
233 
236 
237  return 0;
238 
239 error:
240  if (fragoff != NULL) DetectFragOffsetFree(fragoff);
241  if (sm != NULL) SCFree(sm);
242  return -1;
243 
244 }
245 
246 /**
247  * \brief this function will free memory associated with DetectFragOffsetData
248  *
249  * \param ptr pointer to DetectFragOffsetData
250  */
251 void DetectFragOffsetFree (void *ptr)
252 {
253  DetectFragOffsetData *fragoff = (DetectFragOffsetData *)ptr;
254  SCFree(fragoff);
255 }
256 
257 static void
258 PrefilterPacketFragOffsetMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
259 {
260  if (PKT_IS_PSEUDOPKT(p))
261  return;
262 
263  uint16_t frag;
264 
265  if (PKT_IS_IPV4(p)) {
266  frag = IPV4_GET_IPOFFSET(p);
267  } else if (PKT_IS_IPV6(p)) {
268  if (IPV6_EXTHDR_ISSET_FH(p)) {
269  frag = IPV6_EXTHDR_GET_FH_OFFSET(p);
270  } else {
271  return;
272  }
273  } else {
274  SCLogDebug("No IPv4 or IPv6 packet");
275  return;
276  }
277 
278  const PrefilterPacketHeaderCtx *ctx = pectx;
279  if (FragOffsetMatch(frag, ctx->v1.u8[0], ctx->v1.u16[1]))
280  {
281  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
282  }
283 }
284 
285 static void
286 PrefilterPacketFragOffsetSet(PrefilterPacketHeaderValue *v, void *smctx)
287 {
288  const DetectFragOffsetData *fb = smctx;
289  v->u8[0] = fb->mode;
290  v->u16[1] = fb->frag_off;
291 }
292 
293 static _Bool
294 PrefilterPacketFragOffsetCompare(PrefilterPacketHeaderValue v, void *smctx)
295 {
296  const DetectFragOffsetData *fb = smctx;
297  if (v.u8[0] == fb->mode &&
298  v.u16[1] == fb->frag_off)
299  {
300  return TRUE;
301  }
302  return FALSE;
303 }
304 
305 static int PrefilterSetupFragOffset(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
306 {
307  return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FRAGOFFSET,
308  PrefilterPacketFragOffsetSet,
309  PrefilterPacketFragOffsetCompare,
310  PrefilterPacketFragOffsetMatch);
311 }
312 
313 static _Bool PrefilterFragOffsetIsPrefilterable(const Signature *s)
314 {
315  const SigMatch *sm;
316  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
317  switch (sm->type) {
318  case DETECT_FRAGOFFSET:
319  return TRUE;
320  }
321  }
322  return FALSE;
323 }
324 
325 #ifdef UNITTESTS
326 #include "detect-engine.h"
327 #include "detect-engine-mpm.h"
328 
329 /**
330  * \test DetectFragOffsetParseTest01 is a test for setting a valid fragoffset value
331  */
332 static int DetectFragOffsetParseTest01 (void)
333 {
334  DetectFragOffsetData *fragoff = NULL;
335  fragoff = DetectFragOffsetParse("300");
336  if (fragoff != NULL && fragoff->frag_off == 300) {
337  DetectFragOffsetFree(fragoff);
338  return 1;
339  }
340  return 0;
341 }
342 
343 /**
344  * \test DetectFragOffsetParseTest02 is a test for setting a valid fragoffset value
345  * with spaces all around
346  */
347 static int DetectFragOffsetParseTest02 (void)
348 {
349  DetectFragOffsetData *fragoff = NULL;
350  fragoff = DetectFragOffsetParse(">300");
351  if (fragoff != NULL && fragoff->frag_off == 300 && fragoff->mode == FRAG_MORE) {
352  DetectFragOffsetFree(fragoff);
353  return 1;
354  }
355  return 0;
356 }
357 
358 /**
359  * \test DetectFragOffsetParseTest03 is a test for setting an invalid fragoffset value
360  */
361 static int DetectFragOffsetParseTest03 (void)
362 {
363  DetectFragOffsetData *fragoff = NULL;
364  fragoff = DetectFragOffsetParse("badc");
365  if (fragoff != NULL) {
366  DetectFragOffsetFree(fragoff);
367  return 0;
368  }
369  return 1;
370 }
371 
372 /**
373  * \test DetectFragOffsetMatchTest01 is a test for checking the working of
374  * fragoffset keyword by creating 2 rules and matching a crafted packet
375  * against them. Only the first one shall trigger.
376  */
377 static int DetectFragOffsetMatchTest01 (void)
378 {
379  int result = 0;
381  if (unlikely(p == NULL))
382  return 0;
383  Signature *s = NULL;
384  DecodeThreadVars dtv;
385  ThreadVars th_v;
386  DetectEngineThreadCtx *det_ctx = NULL;
387  IPV4Hdr ip4h;
388 
389  memset(p, 0, SIZE_OF_PACKET);
390  memset(&ip4h, 0, sizeof(IPV4Hdr));
391  memset(&dtv, 0, sizeof(DecodeThreadVars));
392  memset(&th_v, 0, sizeof(ThreadVars));
393 
395 
396  p->src.family = AF_INET;
397  p->dst.family = AF_INET;
398  p->src.addr_data32[0] = 0x01020304;
399  p->dst.addr_data32[0] = 0x04030201;
400 
401  ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
402  ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
403  ip4h.ip_off = 0x2222;
404  p->ip4h = &ip4h;
405 
407  if (de_ctx == NULL) {
408  goto end;
409  }
410 
411  de_ctx->flags |= DE_QUIET;
412 
413  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any any (fragoffset:546; sid:1;)");
414  if (s == NULL) {
415  goto end;
416  }
417 
418  s = s->next = SigInit(de_ctx, "alert ip any any -> any any (fragoffset:5000; sid:2;)");
419  if (s == NULL) {
420  goto end;
421  }
422 
423  SigGroupBuild(de_ctx);
424  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
425 
426  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
427  if (PacketAlertCheck(p, 1) == 0) {
428  printf("sid 1 did not alert, but should have: ");
429  goto cleanup;
430  } else if (PacketAlertCheck(p, 2)) {
431  printf("sid 2 alerted, but should not have: ");
432  goto cleanup;
433  }
434 
435  result = 1;
436 
437 cleanup:
438  SigGroupCleanup(de_ctx);
439  SigCleanSignatures(de_ctx);
440 
441  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
442  DetectEngineCtxFree(de_ctx);
443 
444  FlowShutdown();
445 end:
446  SCFree(p);
447  return result;
448 
449 }
450 #endif /* UNITTESTS */
451 
453 {
454 #ifdef UNITTESTS
455  UtRegisterTest("DetectFragOffsetParseTest01", DetectFragOffsetParseTest01);
456  UtRegisterTest("DetectFragOffsetParseTest02", DetectFragOffsetParseTest02);
457  UtRegisterTest("DetectFragOffsetParseTest03", DetectFragOffsetParseTest03);
458  UtRegisterTest("DetectFragOffsetMatchTest01", DetectFragOffsetMatchTest01);
459 #endif /* UNITTESTS */
460 }
461 
#define PARSE_REGEX
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1409
SignatureInitData * init_data
Definition: detect.h:564
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1150
#define SCLogDebug(...)
Definition: util-debug.h:335
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1153
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), _Bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint32_t flags
Definition: detect.h:497
_Bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1152
#define FALSE
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Signature * sig_list
Definition: detect.h:730
#define FLOW_QUIET
Definition: flow.h:38
Address dst
Definition: decode.h:411
#define PKT_IS_IPV6(p)
Definition: decode.h:250
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Container for matching data for a signature group.
Definition: detect.h:1299
#define IPV6_EXTHDR_GET_FH_OFFSET(p)
Definition: decode-ipv6.h:125
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:228
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1164
#define IPV4_GET_IPOFFSET(p)
Definition: decode-ipv4.h:135
Signature container.
Definition: detect.h:496
#define TRUE
void DetectFragOffsetRegister(void)
Registration function for fragoffset.
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
#define PKT_IS_IPV4(p)
Definition: decode.h:249
struct SigMatch_ * next
Definition: detect.h:326
main detection engine ctx
Definition: detect.h:724
#define FRAG_MORE
int ByteExtractStringUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:264
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
#define DE_QUIET
Definition: detect.h:296
#define SIZE_OF_PACKET
Definition: decode.h:618
char family
Definition: decode.h:109
uint8_t flags
Definition: detect.h:725
void(* Free)(void *)
Definition: detect.h:1155
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1742
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
PrefilterRuleStore pmq
Definition: detect.h:1065
int SigGroupCleanup(DetectEngineCtx *de_ctx)
struct Signature_ * next
Definition: detect.h:567
uint8_t type
Definition: detect.h:323
#define MAX_SUBSTRINGS
const char * desc
Definition: detect.h:1166
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
struct SigMatch_ ** smlists
Definition: detect.h:490
IPV4Hdr * ip4h
Definition: decode.h:498
SigMatchCtx * ctx
Definition: detect.h:325
#define SCMalloc(a)
Definition: util-mem.h:166
#define SCFree(a)
Definition: util-mem.h:228
PoolThreadReserved res
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:667
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1133
const char * url
Definition: detect.h:1167
#define IPV6_EXTHDR_ISSET_FH(p)
Definition: decode-ipv6.h:236
void DetectFragOffsetRegisterTests(void)
#define FRAG_LESS
#define DOC_URL
Definition: suricata.h:86
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1131
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
void DetectFragOffsetFree(void *)
this function will free memory associated with DetectFragOffsetData
Per thread variable structure.
Definition: threadvars.h:57
#define DOC_VERSION
Definition: suricata.h:91
uint16_t ip_off
Definition: decode-ipv4.h:76
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void(* RegisterTests)(void)
Definition: detect.h:1156
a single match condition for a signature
Definition: detect.h:322
Address src
Definition: decode.h:410
DetectEngineCtx * DetectEngineCtxInit(void)
void FlowInitConfig(char quiet)
initialize the configuration
Definition: flow.c:512