suricata
detect-krb5-cname.c
Go to the documentation of this file.
1 /* Copyright (C) 2018-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pierre Chifflier <chifflier@wzdftpd.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "util-unittest.h"
26 
27 #include "detect-parse.h"
28 #include "detect-engine.h"
29 #include "detect-engine-mpm.h"
30 #include "detect-engine-state.h"
33 
34 #include "detect-krb5-cname.h"
35 
36 #include "rust.h"
37 #include "util-profiling.h"
38 
39 static int g_krb5_cname_buffer_id = 0;
40 
42  uint32_t local_id; /**< used as index into thread inspect array */
43  void *txv;
44 };
45 
46 static int DetectKrb5CNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
47 {
48  if (DetectBufferSetActiveList(de_ctx, s, g_krb5_cname_buffer_id) < 0)
49  return -1;
50 
52  return -1;
53 
54  return 0;
55 }
56 
57 static InspectionBuffer *GetKrb5CNameData(DetectEngineThreadCtx *det_ctx,
58  const DetectEngineTransforms *transforms, Flow *_f,
59  const struct Krb5PrincipalNameDataArgs *cbdata, int list_id)
60 {
61  SCEnter();
62 
63  InspectionBuffer *buffer =
64  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
65  if (buffer == NULL)
66  return NULL;
67  if (buffer->initialized)
68  return buffer;
69 
70  uint32_t b_len = 0;
71  const uint8_t *b = NULL;
72 
73  if (rs_krb5_tx_get_cname(cbdata->txv, cbdata->local_id, &b, &b_len) != 1) {
75  return NULL;
76  }
77  if (b == NULL || b_len == 0) {
79  return NULL;
80  }
81 
82  InspectionBufferSetupMulti(buffer, transforms, b, b_len);
83 
84  SCReturnPtr(buffer, "InspectionBuffer");
85 }
86 
87 static uint8_t DetectEngineInspectKrb5CName(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
88  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
89  void *alstate, void *txv, uint64_t tx_id)
90 {
91  uint32_t local_id = 0;
92 
93  const DetectEngineTransforms *transforms = NULL;
94  if (!engine->mpm) {
95  transforms = engine->v2.transforms;
96  }
97 
98  while (1) {
99  struct Krb5PrincipalNameDataArgs cbdata = { local_id, txv, };
100  InspectionBuffer *buffer =
101  GetKrb5CNameData(det_ctx, transforms, f, &cbdata, engine->sm_list);
102  if (buffer == NULL || buffer->inspect == NULL)
103  break;
104 
105  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
106  buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
108  if (match) {
110  }
111  local_id++;
112  }
113 
115 }
116 
117 typedef struct PrefilterMpmKrb5Name {
118  int list_id;
119  const MpmCtx *mpm_ctx;
122 
123 /** \brief Krb5CName Krb5CName Mpm prefilter callback
124  *
125  * \param det_ctx detection engine thread ctx
126  * \param p packet to inspect
127  * \param f flow to inspect
128  * \param txv tx to inspect
129  * \param pectx inspection context
130  */
131 static void PrefilterTxKrb5CName(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
132  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
133 {
134  SCEnter();
135 
136  const PrefilterMpmKrb5Name *ctx = (const PrefilterMpmKrb5Name *)pectx;
137  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
138  const int list_id = ctx->list_id;
139 
140  uint32_t local_id = 0;
141 
142  while(1) {
143  // loop until we get a NULL
144 
145  struct Krb5PrincipalNameDataArgs cbdata = { local_id, txv };
146  InspectionBuffer *buffer = GetKrb5CNameData(det_ctx, ctx->transforms, f, &cbdata, list_id);
147  if (buffer == NULL)
148  break;
149 
150  if (buffer->inspect_len >= mpm_ctx->minlen) {
151  (void)mpm_table[mpm_ctx->mpm_type].Search(
152  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
153  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
154  }
155 
156  local_id++;
157  }
158 }
159 
160 static void PrefilterMpmKrb5NameFree(void *ptr)
161 {
162  SCFree(ptr);
163 }
164 
165 static int PrefilterMpmKrb5CNameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
166  MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
167 {
168  PrefilterMpmKrb5Name *pectx = SCCalloc(1, sizeof(*pectx));
169  if (pectx == NULL)
170  return -1;
171  pectx->list_id = list_id;
172  pectx->mpm_ctx = mpm_ctx;
173  pectx->transforms = &mpm_reg->transforms;
174 
175  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxKrb5CName,
176  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
177  pectx, PrefilterMpmKrb5NameFree, mpm_reg->name);
178 }
179 
181 {
182  sigmatch_table[DETECT_AL_KRB5_CNAME].name = "krb5.cname";
183  sigmatch_table[DETECT_AL_KRB5_CNAME].alias = "krb5_cname";
184  sigmatch_table[DETECT_AL_KRB5_CNAME].url = "/rules/kerberos-keywords.html#krb5-cname";
185  sigmatch_table[DETECT_AL_KRB5_CNAME].Setup = DetectKrb5CNameSetup;
187  sigmatch_table[DETECT_AL_KRB5_CNAME].desc = "sticky buffer to match on Kerberos 5 client name";
188 
189  DetectAppLayerMpmRegister("krb5_cname", SIG_FLAG_TOCLIENT, 2, PrefilterMpmKrb5CNameRegister,
190  NULL, ALPROTO_KRB5, 1);
191 
193  "krb5_cname", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectKrb5CName, NULL);
194 
196  "Kerberos 5 ticket client name");
197 
198  g_krb5_cname_buffer_id = DetectBufferTypeGetByName("krb5_cname");
199 
201 }
PrefilterMpmKrb5Name
Definition: detect-krb5-cname.c:117
DetectEngineAppInspectionEngine_
Definition: detect.h:427
SigTableElmt_::url
const char * url
Definition: detect.h:1302
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1753
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:431
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1503
SigTableElmt_::desc
const char * desc
Definition: detect.h:1301
SigTableElmt_::name
const char * name
Definition: detect.h:1299
InspectionBuffer::initialized
bool initialized
Definition: detect.h:378
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1451
DetectEngineTransforms
Definition: detect.h:409
DetectBufferSetActiveList
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine.c:1335
InspectionBuffer
Definition: detect.h:374
Flow_
Flow data structure.
Definition: flow.h:355
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1204
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1293
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
Krb5PrincipalNameDataArgs::txv
void * txv
Definition: detect-krb5-cname.c:43
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1022
rust.h
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:680
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:267
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1284
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:693
detect-engine-prefilter.h
util-unittest.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1072
ALPROTO_KRB5
@ ALPROTO_KRB5
Definition: app-layer-protos.h:50
PrefilterMpmKrb5Name::list_id
int list_id
Definition: detect-krb5-cname.c:118
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:433
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine.c:1546
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1095
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:376
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
util-profiling.h
Packet_
Definition: decode.h:491
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
detect-krb5-cname.h
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:168
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1203
detect-engine-content-inspection.h
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:444
PrefilterMpmKrb5Name::transforms
const DetectEngineTransforms * transforms
Definition: detect-krb5-cname.c:120
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1361
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:287
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:49
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1300
DetectKrb5CNameRegister
void DetectKrb5CNameRegister(void)
Definition: detect-krb5-cname.c:180
suricata-common.h
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@86::@88 app_v2
DetectBufferMpmRegistry_::name
const char * name
Definition: detect.h:681
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1559
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:377
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@83 v2
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:375
Krb5PrincipalNameDataArgs::local_id
uint32_t local_id
Definition: detect-krb5-cname.c:42
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Krb5PrincipalNameDataArgs
Definition: detect-krb5-cname.c:41
detect-parse.h
Signature_
Signature container.
Definition: detect.h:596
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:441
PrefilterMpmKrb5Name
struct PrefilterMpmKrb5Name PrefilterMpmKrb5Name
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1499
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1479
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:169
DETECT_AL_KRB5_CNAME
@ DETECT_AL_KRB5_CNAME
Definition: detect-engine-register.h:267
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1169
MpmCtx_
Definition: util-mpm.h:88
DetectEngineContentInspection
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:723
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
PrefilterMpmKrb5Name::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-krb5-cname.c:119