suricata
detect-icmp-seq.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  *
23  * Implements the icmp_seq keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 
34 #include "detect-icmp-seq.h"
35 
36 #include "util-byte.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-debug.h"
40 
41 #define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
42 
43 static DetectParseRegex parse_regex;
44 
45 static int DetectIcmpSeqMatch(DetectEngineThreadCtx *, Packet *,
46  const Signature *, const SigMatchCtx *);
47 static int DetectIcmpSeqSetup(DetectEngineCtx *, Signature *, const char *);
48 #ifdef UNITTESTS
49 static void DetectIcmpSeqRegisterTests(void);
50 #endif
51 void DetectIcmpSeqFree(DetectEngineCtx *, void *);
52 static int PrefilterSetupIcmpSeq(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
53 static bool PrefilterIcmpSeqIsPrefilterable(const Signature *s);
54 
55 /**
56  * \brief Registration function for icmp_seq
57  */
59 {
60  sigmatch_table[DETECT_ICMP_SEQ].name = "icmp_seq";
61  sigmatch_table[DETECT_ICMP_SEQ].desc = "check for a ICMP sequence number";
62  sigmatch_table[DETECT_ICMP_SEQ].url = "/rules/header-keywords.html#icmp-seq";
63  sigmatch_table[DETECT_ICMP_SEQ].Match = DetectIcmpSeqMatch;
64  sigmatch_table[DETECT_ICMP_SEQ].Setup = DetectIcmpSeqSetup;
66 #ifdef UNITTESTS
67  sigmatch_table[DETECT_ICMP_SEQ].RegisterTests = DetectIcmpSeqRegisterTests;
68 #endif
69  sigmatch_table[DETECT_ICMP_SEQ].SupportsPrefilter = PrefilterIcmpSeqIsPrefilterable;
70  sigmatch_table[DETECT_ICMP_SEQ].SetupPrefilter = PrefilterSetupIcmpSeq;
71 
72  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
73 }
74 
75 static inline bool GetIcmpSeq(Packet *p, uint16_t *seq)
76 {
77  uint16_t seqn;
78 
79  if (PKT_IS_PSEUDOPKT(p))
80  return false;
81 
82  if (PKT_IS_ICMPV4(p)) {
83  switch (ICMPV4_GET_TYPE(p)){
84  case ICMP_ECHOREPLY:
85  case ICMP_ECHO:
86  case ICMP_TIMESTAMP:
88  case ICMP_INFO_REQUEST:
89  case ICMP_INFO_REPLY:
90  case ICMP_ADDRESS:
91  case ICMP_ADDRESSREPLY:
92  SCLogDebug("ICMPV4_GET_SEQ(p) %"PRIu16" (network byte order), "
93  "%"PRIu16" (host byte order)", ICMPV4_GET_SEQ(p),
95 
96  seqn = ICMPV4_GET_SEQ(p);
97  break;
98  default:
99  SCLogDebug("Packet has no seq field");
100  return false;
101  }
102  } else if (PKT_IS_ICMPV6(p)) {
103 
104  switch (ICMPV6_GET_TYPE(p)) {
105  case ICMP6_ECHO_REQUEST:
106  case ICMP6_ECHO_REPLY:
107  SCLogDebug("ICMPV6_GET_SEQ(p) %"PRIu16" (network byte order), "
108  "%"PRIu16" (host byte order)", ICMPV6_GET_SEQ(p),
109  SCNtohs(ICMPV6_GET_SEQ(p)));
110 
111  seqn = ICMPV6_GET_SEQ(p);
112  break;
113  default:
114  SCLogDebug("Packet has no seq field");
115  return false;
116  }
117  } else {
118  SCLogDebug("Packet not ICMPV4 nor ICMPV6");
119  return false;
120  }
121 
122  *seq = seqn;
123  return true;
124 }
125 
126 /**
127  * \brief This function is used to match icmp_seq rule option set on a packet
128  *
129  * \param t pointer to thread vars
130  * \param det_ctx pointer to the pattern matcher thread
131  * \param p pointer to the current packet
132  * \param m pointer to the sigmatch that we will cast into DetectIcmpSeqData
133  *
134  * \retval 0 no match
135  * \retval 1 match
136  */
137 static int DetectIcmpSeqMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
138  const Signature *s, const SigMatchCtx *ctx)
139 {
140  uint16_t seqn;
141 
142  if (!GetIcmpSeq(p, &seqn))
143  return 0;
144 
145  const DetectIcmpSeqData *iseq = (const DetectIcmpSeqData *)ctx;
146  if (seqn == iseq->seq)
147  return 1;
148 
149  return 0;
150 }
151 
152 /**
153  * \brief This function is used to parse icmp_seq option passed via icmp_seq: keyword
154  *
155  * \param de_ctx Pointer to the detection engine context
156  * \param icmpseqstr Pointer to the user provided icmp_seq options
157  *
158  * \retval iseq pointer to DetectIcmpSeqData on success
159  * \retval NULL on failure
160  */
161 static DetectIcmpSeqData *DetectIcmpSeqParse (DetectEngineCtx *de_ctx, const char *icmpseqstr)
162 {
163  DetectIcmpSeqData *iseq = NULL;
164  char *substr[3] = {NULL, NULL, NULL};
165  int res = 0;
166  size_t pcre2_len;
167  int i;
168  const char *str_ptr;
169 
170  pcre2_match_data *match = NULL;
171  int ret = DetectParsePcreExec(&parse_regex, &match, icmpseqstr, 0, 0);
172  if (ret < 1 || ret > 4) {
173  SCLogError("Parse error %s", icmpseqstr);
174  goto error;
175  }
176 
177  for (i = 1; i < ret; i++) {
178  res = SC_Pcre2SubstringGet(match, i, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
179  if (res < 0) {
180  SCLogError("pcre2_substring_get_bynumber failed");
181  goto error;
182  }
183  substr[i-1] = (char *)str_ptr;
184  }
185 
186  iseq = SCMalloc(sizeof(DetectIcmpSeqData));
187  if (unlikely(iseq == NULL))
188  goto error;
189 
190  iseq->seq = 0;
191 
192  if (substr[0] != NULL && strlen(substr[0]) != 0) {
193  if (substr[2] == NULL) {
194  SCLogError("Missing quote in input");
195  goto error;
196  }
197  } else {
198  if (substr[2] != NULL) {
199  SCLogError("Missing quote in input");
200  goto error;
201  }
202  }
203 
204  uint16_t seq = 0;
205  if (StringParseUint16(&seq, 10, 0, substr[1]) < 0) {
206  SCLogError("specified icmp seq %s is not "
207  "valid",
208  substr[1]);
209  goto error;
210  }
211  iseq->seq = htons(seq);
212 
213  for (i = 0; i < 3; i++) {
214  if (substr[i] != NULL)
215  pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
216  }
217 
218  pcre2_match_data_free(match);
219  return iseq;
220 
221 error:
222  if (match) {
223  pcre2_match_data_free(match);
224  }
225  for (i = 0; i < 3; i++) {
226  if (substr[i] != NULL)
227  pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
228  }
229  if (iseq != NULL) DetectIcmpSeqFree(de_ctx, iseq);
230  return NULL;
231 
232 }
233 
234 /**
235  * \brief this function is used to add the parsed icmp_seq data into the current signature
236  *
237  * \param de_ctx pointer to the Detection Engine Context
238  * \param s pointer to the Current Signature
239  * \param icmpseqstr pointer to the user provided icmp_seq option
240  *
241  * \retval 0 on Success
242  * \retval -1 on Failure
243  */
244 static int DetectIcmpSeqSetup (DetectEngineCtx *de_ctx, Signature *s, const char *icmpseqstr)
245 {
246  DetectIcmpSeqData *iseq = NULL;
247 
248  iseq = DetectIcmpSeqParse(de_ctx, icmpseqstr);
249  if (iseq == NULL) goto error;
250 
252  de_ctx, s, DETECT_ICMP_SEQ, (SigMatchCtx *)iseq, DETECT_SM_LIST_MATCH) == NULL) {
253  goto error;
254  }
255 
256  return 0;
257 
258 error:
259  if (iseq != NULL)
260  DetectIcmpSeqFree(de_ctx, iseq);
261  return -1;
262 
263 }
264 
265 /**
266  * \brief this function will free memory associated with DetectIcmpSeqData
267  *
268  * \param ptr pointer to DetectIcmpSeqData
269  */
271 {
272  DetectIcmpSeqData *iseq = (DetectIcmpSeqData *)ptr;
273  SCFree(iseq);
274 }
275 
276 /* prefilter code */
277 
278 static void
279 PrefilterPacketIcmpSeqMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
280 {
281  const PrefilterPacketHeaderCtx *ctx = pectx;
282 
283  uint16_t seqn;
284 
285  if (!GetIcmpSeq(p, &seqn))
286  return;
287 
288  if (seqn == ctx->v1.u16[0])
289  {
290  SCLogDebug("packet matches ICMP SEQ %u", ctx->v1.u16[0]);
291  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
292  }
293 }
294 
295 static void
296 PrefilterPacketIcmpSeqSet(PrefilterPacketHeaderValue *v, void *smctx)
297 {
298  const DetectIcmpSeqData *a = smctx;
299  v->u16[0] = a->seq;
300 }
301 
302 static bool
303 PrefilterPacketIcmpSeqCompare(PrefilterPacketHeaderValue v, void *smctx)
304 {
305  const DetectIcmpSeqData *a = smctx;
306  if (v.u16[0] == a->seq)
307  return true;
308  return false;
309 }
310 
311 static int PrefilterSetupIcmpSeq(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
312 {
314  PrefilterPacketIcmpSeqSet,
315  PrefilterPacketIcmpSeqCompare,
316  PrefilterPacketIcmpSeqMatch);
317 }
318 
319 static bool PrefilterIcmpSeqIsPrefilterable(const Signature *s)
320 {
321  const SigMatch *sm;
322  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
323  switch (sm->type) {
324  case DETECT_ICMP_SEQ:
325  return true;
326  }
327  }
328  return false;
329 }
330 
331 #ifdef UNITTESTS
332 #include "detect-engine.h"
333 #include "detect-engine-mpm.h"
334 #include "detect-engine-alert.h"
335 
336 /**
337  * \test DetectIcmpSeqParseTest01 is a test for setting a valid icmp_seq value
338  */
339 static int DetectIcmpSeqParseTest01 (void)
340 {
341  DetectIcmpSeqData *iseq = NULL;
342  iseq = DetectIcmpSeqParse(NULL, "300");
343  FAIL_IF_NULL(iseq);
344  FAIL_IF_NOT(htons(iseq->seq) == 300);
345  DetectIcmpSeqFree(NULL, iseq);
346  PASS;
347 }
348 
349 /**
350  * \test DetectIcmpSeqParseTest02 is a test for setting a valid icmp_seq value
351  * with spaces all around
352  */
353 static int DetectIcmpSeqParseTest02 (void)
354 {
355  DetectIcmpSeqData *iseq = NULL;
356  iseq = DetectIcmpSeqParse(NULL, " 300 ");
357  FAIL_IF_NULL(iseq);
358  FAIL_IF_NOT(htons(iseq->seq) == 300);
359  DetectIcmpSeqFree(NULL, iseq);
360  PASS;
361 }
362 
363 /**
364  * \test DetectIcmpSeqParseTest03 is a test for setting an invalid icmp_seq value
365  */
366 static int DetectIcmpSeqParseTest03 (void)
367 {
368  DetectIcmpSeqData *iseq = DetectIcmpSeqParse(NULL, "badc");
369  FAIL_IF_NOT_NULL(iseq);
370  PASS;
371 }
372 
373 static void DetectIcmpSeqRegisterTests (void)
374 {
375  UtRegisterTest("DetectIcmpSeqParseTest01", DetectIcmpSeqParseTest01);
376  UtRegisterTest("DetectIcmpSeqParseTest02", DetectIcmpSeqParseTest02);
377  UtRegisterTest("DetectIcmpSeqParseTest03", DetectIcmpSeqParseTest03);
378 }
379 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1296
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:578
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
ICMP_INFO_REQUEST
#define ICMP_INFO_REQUEST
Definition: decode-icmpv4.h:66
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-icmp-seq.c:41
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1283
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1293
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1074
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1445
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
seq
uint32_t seq
Definition: stream-tcp-private.h:2
ICMPV6_GET_SEQ
#define ICMPV6_GET_SEQ(p)
Definition: decode-icmpv6.h:112
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1201
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2674
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
ICMP6_ECHO_REQUEST
#define ICMP6_ECHO_REQUEST
Definition: decode-icmpv6.h:42
ICMP_ECHO
#define ICMP_ECHO
Definition: decode-icmpv4.h:45
ICMPV4_GET_SEQ
#define ICMPV4_GET_SEQ(p)
Definition: decode-icmpv4.h:245
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1281
ICMP_ADDRESSREPLY
#define ICMP_ADDRESSREPLY
Definition: decode-icmpv4.h:75
ICMP_ADDRESS
#define ICMP_ADDRESS
Definition: decode-icmpv4.h:72
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
ICMP6_ECHO_REPLY
#define ICMP6_ECHO_REPLY
Definition: decode-icmpv6.h:43
DetectEngineThreadCtx_
Definition: detect.h:1092
ICMPV4_GET_TYPE
#define ICMPV4_GET_TYPE(p)
Definition: decode-icmpv4.h:233
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2791
detect-engine-mpm.h
detect.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:351
DetectIcmpSeqRegister
void DetectIcmpSeqRegister(void)
Registration function for icmp_seq.
Definition: detect-icmp-seq.c:58
DetectIcmpSeqData_
Definition: detect-icmp-seq.h:27
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:111
SC_Pcre2SubstringGet
int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2779
PKT_IS_ICMPV6
#define PKT_IS_ICMPV6(p)
Definition: decode.h:251
Packet_
Definition: decode.h:437
detect-engine-build.h
ICMP_INFO_REPLY
#define ICMP_INFO_REPLY
Definition: decode-icmpv4.h:69
detect-engine-alert.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:662
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1261
ICMP_ECHOREPLY
#define ICMP_ECHOREPLY
Definition: decode-icmpv4.h:33
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:342
DetectIcmpSeqData_::seq
uint16_t seq
Definition: detect-icmp-seq.h:28
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:414
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:348
DETECT_ICMP_SEQ
@ DETECT_ICMP_SEQ
Definition: detect-engine-register.h:50
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
PKT_IS_ICMPV4
#define PKT_IS_ICMPV4(p)
Definition: decode.h:250
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1280
detect-parse.h
Signature_
Signature container.
Definition: detect.h:593
SigMatch_
a single match condition for a signature
Definition: detect.h:347
ICMPV6_GET_TYPE
#define ICMPV6_GET_TYPE(p)
Definition: decode-icmpv6.h:101
ICMP_TIMESTAMPREPLY
#define ICMP_TIMESTAMPREPLY
Definition: decode-icmpv4.h:63
ICMP_TIMESTAMP
#define ICMP_TIMESTAMP
Definition: decode-icmpv4.h:60
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
detect-engine-prefilter-common.h
DetectIcmpSeqFree
void DetectIcmpSeqFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectIcmpSeqData
Definition: detect-icmp-seq.c:270
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
detect-icmp-seq.h