suricata
detect-ike-vendor.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  *
20  * \author Frank Honza <frank.honza@dcso.de>
21  */
22 
23 #include "suricata-common.h"
24 #include "conf.h"
25 #include "detect.h"
26 #include "detect-parse.h"
27 #include "detect-engine.h"
28 #include "detect-engine-prefilter.h"
29 #include "detect-engine-content-inspection.h"
30 #include "detect-engine-mpm.h"
31 #include "detect-ike-vendor.h"
32 #include "app-layer-parser.h"
33 #include "util-byte.h"
34 
35 #include "rust-bindings.h"
36 #include "util-profiling.h"
37 
38 static int DetectIkeVendorSetup(DetectEngineCtx *, Signature *, const char *);
39 
40 static int g_ike_vendor_buffer_id = 0;
41 
42 static InspectionBuffer *IkeVendorGetData(DetectEngineThreadCtx *det_ctx,
43  const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
44  int list_id, uint32_t local_id)
45 {
46  SCEnter();
47 
48  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
49  if (buffer == NULL)
50  return NULL;
51  if (buffer->initialized)
52  return buffer;
53 
54  const uint8_t *data;
55  uint32_t data_len;
56  if (rs_ike_tx_get_vendor(txv, local_id, &data, &data_len) == 0) {
57  InspectionBufferSetupMultiEmpty(buffer);
58  return NULL;
59  }
60 
61  InspectionBufferSetupMulti(buffer, transforms, data, data_len);
62  buffer->flags = DETECT_CI_FLAGS_SINGLE;
63 
64  SCReturnPtr(buffer, "InspectionBuffer");
65 }
66 
67 /**
68  * \brief Registration function for ike.vendor keyword.
69  */
70 void DetectIkeVendorRegister(void)
71 {
72  sigmatch_table[DETECT_AL_IKE_VENDOR].name = "ike.vendor";
73  sigmatch_table[DETECT_AL_IKE_VENDOR].desc = "match IKE Vendor";
74  sigmatch_table[DETECT_AL_IKE_VENDOR].url = "/rules/ike-keywords.html#ike-vendor";
75  sigmatch_table[DETECT_AL_IKE_VENDOR].Setup = DetectIkeVendorSetup;
76  sigmatch_table[DETECT_AL_IKE_VENDOR].flags |= SIGMATCH_NOOPT;
77  sigmatch_table[DETECT_AL_IKE_VENDOR].flags |= SIGMATCH_INFO_STICKY_BUFFER;
78 
79  DetectAppLayerMultiRegister(
80  "ike.vendor", ALPROTO_IKE, SIG_FLAG_TOSERVER, 1, IkeVendorGetData, 1, 1);
81 
82  g_ike_vendor_buffer_id = DetectBufferTypeGetByName("ike.vendor");
83 
84  DetectBufferTypeSupportsMultiInstance("ike.vendor");
85 }
86 
87 /**
88  * \brief setup the sticky buffer keyword used in the rule
89  *
90  * \param de_ctx Pointer to the Detection Engine Context
91  * \param s Pointer to the Signature to which the current keyword belongs
92  * \param str Should hold an empty string always
93  *
94  * \retval 0 On success
95  * \retval -1 On failure
96  */
97 
98 static int DetectIkeVendorSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
99 {
100  if (DetectBufferSetActiveList(de_ctx, s, g_ike_vendor_buffer_id) < 0)
101  return -1;
102  if (DetectSignatureSetAppProto(s, ALPROTO_IKE) < 0)
103  return -1;
104  return 0;
105 }
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1307
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1737
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1512
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:49
SigTableElmt_::desc
const char * desc
Definition: detect.h:1306
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:127
SigTableElmt_::name
const char * name
Definition: detect.h:1304
InspectionBuffer::initialized
bool initialized
Definition: detect.h:377
DetectEngineTransforms
Definition: detect.h:408
DetectBufferSetActiveList
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine.c:1356
InspectionBuffer
Definition: detect.h:373
Flow_
Flow data structure.
Definition: flow.h:356
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1298
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1043
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:378
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1289
detect-engine-prefilter.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1093
DetectAppLayerMultiRegister
void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority, int tx_min_progress)
Definition: detect-engine.c:2201
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:267
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine.c:1567
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1093
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
DetectIkeVendorRegister
void DetectIkeVendorRegister(void)
Registration function for ike.vendor keyword.
Definition: detect-ike-vendor.c:70
detect-ike-vendor.h
app-layer-parser.h
util-profiling.h
conf.h
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
detect-engine-content-inspection.h
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:49
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DETECT_AL_IKE_VENDOR
@ DETECT_AL_IKE_VENDOR
Definition: detect-engine-register.h:322
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1580
str
#define str(s)
Definition: suricata-common.h:291
detect-parse.h
Signature_
Signature container.
Definition: detect.h:601
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1520
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1488