suricata
detect-icmp-seq.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  *
23  * Implements the icmp_seq keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 
34 #include "detect-icmp-seq.h"
35 
36 #include "util-byte.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-debug.h"
40 
41 #define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
42 
43 static pcre *parse_regex;
44 static pcre_extra *parse_regex_study;
45 
46 static int DetectIcmpSeqMatch(DetectEngineThreadCtx *, Packet *,
47  const Signature *, const SigMatchCtx *);
48 static int DetectIcmpSeqSetup(DetectEngineCtx *, Signature *, const char *);
50 void DetectIcmpSeqFree(void *);
51 static int PrefilterSetupIcmpSeq(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
52 static _Bool PrefilterIcmpSeqIsPrefilterable(const Signature *s);
53 
54 /**
55  * \brief Registration function for icmp_seq
56  */
58 {
59  sigmatch_table[DETECT_ICMP_SEQ].name = "icmp_seq";
60  sigmatch_table[DETECT_ICMP_SEQ].desc = "check for a ICMP sequence number";
61  sigmatch_table[DETECT_ICMP_SEQ].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#icmp-seq";
62  sigmatch_table[DETECT_ICMP_SEQ].Match = DetectIcmpSeqMatch;
63  sigmatch_table[DETECT_ICMP_SEQ].Setup = DetectIcmpSeqSetup;
66 
67  sigmatch_table[DETECT_ICMP_SEQ].SupportsPrefilter = PrefilterIcmpSeqIsPrefilterable;
68  sigmatch_table[DETECT_ICMP_SEQ].SetupPrefilter = PrefilterSetupIcmpSeq;
69 
70  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
71 }
72 
73 static inline _Bool GetIcmpSeq(Packet *p, uint16_t *seq)
74 {
75  uint16_t seqn;
76 
77  if (PKT_IS_PSEUDOPKT(p))
78  return FALSE;
79 
80  if (PKT_IS_ICMPV4(p)) {
81  switch (ICMPV4_GET_TYPE(p)){
82  case ICMP_ECHOREPLY:
83  case ICMP_ECHO:
84  case ICMP_TIMESTAMP:
85  case ICMP_TIMESTAMPREPLY:
86  case ICMP_INFO_REQUEST:
87  case ICMP_INFO_REPLY:
88  case ICMP_ADDRESS:
89  case ICMP_ADDRESSREPLY:
90  SCLogDebug("ICMPV4_GET_SEQ(p) %"PRIu16" (network byte order), "
91  "%"PRIu16" (host byte order)", ICMPV4_GET_SEQ(p),
93 
94  seqn = ICMPV4_GET_SEQ(p);
95  break;
96  default:
97  SCLogDebug("Packet has no seq field");
98  return FALSE;
99  }
100  } else if (PKT_IS_ICMPV6(p)) {
101 
102  switch (ICMPV6_GET_TYPE(p)) {
103  case ICMP6_ECHO_REQUEST:
104  case ICMP6_ECHO_REPLY:
105  SCLogDebug("ICMPV6_GET_SEQ(p) %"PRIu16" (network byte order), "
106  "%"PRIu16" (host byte order)", ICMPV6_GET_SEQ(p),
107  SCNtohs(ICMPV6_GET_SEQ(p)));
108 
109  seqn = ICMPV6_GET_SEQ(p);
110  break;
111  default:
112  SCLogDebug("Packet has no seq field");
113  return FALSE;
114  }
115  } else {
116  SCLogDebug("Packet not ICMPV4 nor ICMPV6");
117  return FALSE;
118  }
119 
120  *seq = seqn;
121  return TRUE;
122 }
123 
124 /**
125  * \brief This function is used to match icmp_seq rule option set on a packet
126  *
127  * \param t pointer to thread vars
128  * \param det_ctx pointer to the pattern matcher thread
129  * \param p pointer to the current packet
130  * \param m pointer to the sigmatch that we will cast into DetectIcmpSeqData
131  *
132  * \retval 0 no match
133  * \retval 1 match
134  */
135 static int DetectIcmpSeqMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
136  const Signature *s, const SigMatchCtx *ctx)
137 {
138  uint16_t seqn;
139 
140  if (GetIcmpSeq(p, &seqn) == FALSE)
141  return 0;
142 
143  const DetectIcmpSeqData *iseq = (const DetectIcmpSeqData *)ctx;
144  if (seqn == iseq->seq)
145  return 1;
146 
147  return 0;
148 }
149 
150 /**
151  * \brief This function is used to parse icmp_seq option passed via icmp_seq: keyword
152  *
153  * \param icmpseqstr Pointer to the user provided icmp_seq options
154  *
155  * \retval iseq pointer to DetectIcmpSeqData on success
156  * \retval NULL on failure
157  */
158 static DetectIcmpSeqData *DetectIcmpSeqParse (const char *icmpseqstr)
159 {
160  DetectIcmpSeqData *iseq = NULL;
161  char *substr[3] = {NULL, NULL, NULL};
162 #define MAX_SUBSTRINGS 30
163  int ret = 0, res = 0;
164  int ov[MAX_SUBSTRINGS];
165  int i;
166  const char *str_ptr;
167 
168  ret = pcre_exec(parse_regex, parse_regex_study, icmpseqstr, strlen(icmpseqstr), 0, 0, ov, MAX_SUBSTRINGS);
169  if (ret < 1 || ret > 4) {
170  SCLogError(SC_ERR_PCRE_MATCH,"Parse error %s", icmpseqstr);
171  goto error;
172  }
173 
174  for (i = 1; i < ret; i++) {
175  res = pcre_get_substring((char *)icmpseqstr, ov, MAX_SUBSTRINGS, i, &str_ptr);
176  if (res < 0) {
177  SCLogError(SC_ERR_PCRE_GET_SUBSTRING,"pcre_get_substring failed");
178  goto error;
179  }
180  substr[i-1] = (char *)str_ptr;
181  }
182 
183  iseq = SCMalloc(sizeof(DetectIcmpSeqData));
184  if (unlikely(iseq == NULL))
185  goto error;
186 
187  iseq->seq = 0;
188 
189  if (substr[0] != NULL && strlen(substr[0]) != 0) {
190  if (substr[2] == NULL) {
191  SCLogError(SC_ERR_MISSING_QUOTE,"Missing quote in input");
192  goto error;
193  }
194  } else {
195  if (substr[2] != NULL) {
196  SCLogError(SC_ERR_MISSING_QUOTE,"Missing quote in input");
197  goto error;
198  }
199  }
200 
201  uint16_t seq = 0;
202  if (ByteExtractStringUint16(&seq, 10, 0, substr[1]) < 0) {
203  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp seq %s is not "
204  "valid", substr[1]);
205  goto error;
206  }
207  iseq->seq = htons(seq);
208 
209  for (i = 0; i < 3; i++) {
210  if (substr[i] != NULL) SCFree(substr[i]);
211  }
212 
213  return iseq;
214 
215 error:
216  for (i = 0; i < 3; i++) {
217  if (substr[i] != NULL) SCFree(substr[i]);
218  }
219  if (iseq != NULL) DetectIcmpSeqFree(iseq);
220  return NULL;
221 
222 }
223 
224 /**
225  * \brief this function is used to add the parsed icmp_seq data into the current signature
226  *
227  * \param de_ctx pointer to the Detection Engine Context
228  * \param s pointer to the Current Signature
229  * \param icmpseqstr pointer to the user provided icmp_seq option
230  *
231  * \retval 0 on Success
232  * \retval -1 on Failure
233  */
234 static int DetectIcmpSeqSetup (DetectEngineCtx *de_ctx, Signature *s, const char *icmpseqstr)
235 {
236  DetectIcmpSeqData *iseq = NULL;
237  SigMatch *sm = NULL;
238 
239  iseq = DetectIcmpSeqParse(icmpseqstr);
240  if (iseq == NULL) goto error;
241 
242  sm = SigMatchAlloc();
243  if (sm == NULL) goto error;
244 
245  sm->type = DETECT_ICMP_SEQ;
246  sm->ctx = (SigMatchCtx *)iseq;
247 
249 
250  return 0;
251 
252 error:
253  if (iseq != NULL) DetectIcmpSeqFree(iseq);
254  if (sm != NULL) SCFree(sm);
255  return -1;
256 
257 }
258 
259 /**
260  * \brief this function will free memory associated with DetectIcmpSeqData
261  *
262  * \param ptr pointer to DetectIcmpSeqData
263  */
264 void DetectIcmpSeqFree (void *ptr)
265 {
266  DetectIcmpSeqData *iseq = (DetectIcmpSeqData *)ptr;
267  SCFree(iseq);
268 }
269 
270 /* prefilter code */
271 
272 static void
273 PrefilterPacketIcmpSeqMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
274 {
275  const PrefilterPacketHeaderCtx *ctx = pectx;
276 
277  uint16_t seqn;
278 
279  if (GetIcmpSeq(p, &seqn) == FALSE)
280  return;
281 
282  if (seqn == ctx->v1.u16[0])
283  {
284  SCLogDebug("packet matches ICMP SEQ %u", ctx->v1.u16[0]);
285  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
286  }
287 }
288 
289 static void
290 PrefilterPacketIcmpSeqSet(PrefilterPacketHeaderValue *v, void *smctx)
291 {
292  const DetectIcmpSeqData *a = smctx;
293  v->u16[0] = a->seq;
294 }
295 
296 static _Bool
297 PrefilterPacketIcmpSeqCompare(PrefilterPacketHeaderValue v, void *smctx)
298 {
299  const DetectIcmpSeqData *a = smctx;
300  if (v.u16[0] == a->seq)
301  return TRUE;
302  return FALSE;
303 }
304 
305 static int PrefilterSetupIcmpSeq(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
306 {
307  return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ICMP_SEQ,
308  PrefilterPacketIcmpSeqSet,
309  PrefilterPacketIcmpSeqCompare,
310  PrefilterPacketIcmpSeqMatch);
311 }
312 
313 static _Bool PrefilterIcmpSeqIsPrefilterable(const Signature *s)
314 {
315  const SigMatch *sm;
316  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
317  switch (sm->type) {
318  case DETECT_ICMP_SEQ:
319  return TRUE;
320  }
321  }
322  return FALSE;
323 }
324 
325 #ifdef UNITTESTS
326 #include "detect-engine.h"
327 #include "detect-engine-mpm.h"
328 
329 /**
330  * \test DetectIcmpSeqParseTest01 is a test for setting a valid icmp_seq value
331  */
332 static int DetectIcmpSeqParseTest01 (void)
333 {
334  DetectIcmpSeqData *iseq = NULL;
335  iseq = DetectIcmpSeqParse("300");
336  if (iseq != NULL && htons(iseq->seq) == 300) {
337  DetectIcmpSeqFree(iseq);
338  return 1;
339  }
340  return 0;
341 }
342 
343 /**
344  * \test DetectIcmpSeqParseTest02 is a test for setting a valid icmp_seq value
345  * with spaces all around
346  */
347 static int DetectIcmpSeqParseTest02 (void)
348 {
349  DetectIcmpSeqData *iseq = NULL;
350  iseq = DetectIcmpSeqParse(" 300 ");
351  if (iseq != NULL && htons(iseq->seq) == 300) {
352  DetectIcmpSeqFree(iseq);
353  return 1;
354  }
355  return 0;
356 }
357 
358 /**
359  * \test DetectIcmpSeqParseTest03 is a test for setting an invalid icmp_seq value
360  */
361 static int DetectIcmpSeqParseTest03 (void)
362 {
363  DetectIcmpSeqData *iseq = NULL;
364  iseq = DetectIcmpSeqParse("badc");
365  if (iseq != NULL) {
366  DetectIcmpSeqFree(iseq);
367  return 0;
368  }
369  return 1;
370 }
371 
372 /**
373  * \test DetectIcmpSeqMatchTest01 is a test for checking the working of
374  * icmp_seq keyword by creating 2 rules and matching a crafted packet
375  * against them. Only the first one shall trigger.
376  */
377 static int DetectIcmpSeqMatchTest01 (void)
378 {
379  int result = 0;
380  Packet *p = NULL;
381  Signature *s = NULL;
382  ThreadVars th_v;
383  DetectEngineThreadCtx *det_ctx = NULL;
384 
385  memset(&th_v, 0, sizeof(th_v));
386 
387  p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
388  p->icmpv4vars.seq = htons(2216);
389 
391  if (de_ctx == NULL) {
392  goto end;
393  }
394 
395  de_ctx->flags |= DE_QUIET;
396 
397  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_seq:2216; sid:1;)");
398  if (s == NULL) {
399  goto end;
400  }
401 
402  s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_seq:5000; sid:2;)");
403  if (s == NULL) {
404  goto end;
405  }
406 
407  SigGroupBuild(de_ctx);
408  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
409 
410  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
411  if (PacketAlertCheck(p, 1) == 0) {
412  printf("sid 1 did not alert, but should have: ");
413  goto cleanup;
414  } else if (PacketAlertCheck(p, 2)) {
415  printf("sid 2 alerted, but should not have: ");
416  goto cleanup;
417  }
418 
419  result = 1;
420 
421 cleanup:
422  SigGroupCleanup(de_ctx);
423  SigCleanSignatures(de_ctx);
424 
425  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
426  DetectEngineCtxFree(de_ctx);
427 
428  UTHFreePackets(&p, 1);
429 end:
430  return result;
431 
432 }
433 #endif /* UNITTESTS */
434 
436 {
437 #ifdef UNITTESTS
438  UtRegisterTest("DetectIcmpSeqParseTest01", DetectIcmpSeqParseTest01);
439  UtRegisterTest("DetectIcmpSeqParseTest02", DetectIcmpSeqParseTest02);
440  UtRegisterTest("DetectIcmpSeqParseTest03", DetectIcmpSeqParseTest03);
441  UtRegisterTest("DetectIcmpSeqMatchTest01", DetectIcmpSeqMatchTest01);
442 #endif /* UNITTESTS */
443 }
444 
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1439
SignatureInitData * init_data
Definition: detect.h:586
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1179
#define SCLogDebug(...)
Definition: util-debug.h:335
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1182
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), _Bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
_Bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1181
#define FALSE
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Signature * sig_list
Definition: detect.h:762
void SigCleanSignatures(DetectEngineCtx *de_ctx)
#define ICMPV6_GET_SEQ(p)
Container for matching data for a signature group.
Definition: detect.h:1329
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1193
#define ICMP6_ECHO_REQUEST
Definition: decode-icmpv6.h:43
Signature container.
Definition: detect.h:517
#define ICMPV4_GET_TYPE(p)
#define TRUE
#define ICMPV4_GET_SEQ(p)
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
struct SigMatch_ * next
Definition: detect.h:317
main detection engine ctx
Definition: detect.h:756
int ByteExtractStringUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:264
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
#define ICMP6_ECHO_REPLY
Definition: decode-icmpv6.h:44
#define PARSE_REGEX
#define DE_QUIET
Definition: detect.h:287
uint32_t seq
uint8_t flags
Definition: detect.h:757
void(* Free)(void *)
Definition: detect.h:1184
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define PKT_IS_ICMPV6(p)
Definition: decode.h:256
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
void DetectIcmpSeqFree(void *)
this function will free memory associated with DetectIcmpSeqData
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
PrefilterRuleStore pmq
Definition: detect.h:1095
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1163
int SigGroupCleanup(DetectEngineCtx *de_ctx)
struct Signature_ * next
Definition: detect.h:589
uint8_t type
Definition: detect.h:314
const char * desc
Definition: detect.h:1195
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
struct SigMatch_ ** smlists
Definition: detect.h:511
SigMatchCtx * ctx
Definition: detect.h:316
#define SCMalloc(a)
Definition: util-mem.h:222
#define SCFree(a)
Definition: util-mem.h:322
PoolThreadReserved res
#define SCNtohs(x)
#define ICMPV6_GET_TYPE(p)
#define PKT_IS_ICMPV4(p)
Definition: decode.h:255
const char * url
Definition: detect.h:1196
#define DOC_URL
Definition: suricata.h:86
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1129
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
Per thread variable structure.
Definition: threadvars.h:57
#define DOC_VERSION
Definition: suricata.h:91
uint16_t seq
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
ICMPV4Vars icmpv4vars
Definition: decode.h:515
void(* RegisterTests)(void)
Definition: detect.h:1185
a single match condition for a signature
Definition: detect.h:313
void DetectIcmpSeqRegister(void)
Registration function for icmp_seq.
#define MAX_SUBSTRINGS
void DetectIcmpSeqRegisterTests(void)
DetectEngineCtx * DetectEngineCtxInit(void)