suricata
detect-krb5-sname.c
Go to the documentation of this file.
1 /* Copyright (C) 2018-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pierre Chifflier <chifflier@wzdftpd.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "util-unittest.h"
26 
27 #include "detect-parse.h"
28 #include "detect-engine.h"
29 #include "detect-engine-buffer.h"
30 #include "detect-engine-mpm.h"
31 #include "detect-engine-state.h"
32 #include "detect-engine-prefilter.h"
33 #include "detect-engine-content-inspection.h"
34 
35 #include "detect-krb5-sname.h"
36 
37 #include "rust.h"
38 #include "util-profiling.h"
39 
40 static int g_krb5_sname_buffer_id = 0;
41 
42 static int DetectKrb5SNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
43 {
44  if (SCDetectBufferSetActiveList(de_ctx, s, g_krb5_sname_buffer_id) < 0)
45  return -1;
46 
47  if (DetectSignatureSetAppProto(s, ALPROTO_KRB5) != 0)
48  return -1;
49 
50  return 0;
51 }
52 
53 void DetectKrb5SNameRegister(void)
54 {
55  sigmatch_table[DETECT_KRB5_SNAME].name = "krb5.sname";
56  sigmatch_table[DETECT_KRB5_SNAME].alias = "krb5_sname";
57  sigmatch_table[DETECT_KRB5_SNAME].url = "/rules/kerberos-keywords.html#krb5-sname";
58  sigmatch_table[DETECT_KRB5_SNAME].Setup = DetectKrb5SNameSetup;
59  sigmatch_table[DETECT_KRB5_SNAME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
60  sigmatch_table[DETECT_KRB5_SNAME].desc = "sticky buffer to match on Kerberos 5 server name";
61 
62  DetectAppLayerMultiRegister(
63  "krb5_sname", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 1, SCKrb5TxGetSname, 2);
64 
65  DetectBufferTypeSetDescriptionByName("krb5_sname",
66  "Kerberos 5 ticket server name");
67 
68  g_krb5_sname_buffer_id = DetectBufferTypeGetByName("krb5_sname");
69 
70  DetectBufferTypeSupportsMultiInstance("krb5_sname");
71 }
SigTableElmt_::url
const char * url
Definition: detect.h:1422
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2288
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1636
SigTableElmt_::desc
const char * desc
Definition: detect.h:1421
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
SigTableElmt_::name
const char * name
Definition: detect.h:1419
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1413
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:919
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1206
rust.h
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine-buffer.c:29
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:272
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1404
detect-engine-prefilter.h
util-unittest.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1256
ALPROTO_KRB5
@ ALPROTO_KRB5
Definition: app-layer-protos.h:56
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
detect-engine-mpm.h
util-profiling.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
detect-krb5-sname.h
detect-engine-content-inspection.h
SigTableElmt_::alias
const char * alias
Definition: detect.h:1420
suricata-common.h
DetectKrb5SNameRegister
void DetectKrb5SNameRegister(void)
Definition: detect-krb5-sname.c:53
detect-engine-buffer.h
DETECT_KRB5_SNAME
@ DETECT_KRB5_SNAME
Definition: detect-engine-register.h:273
detect-parse.h
Signature_
Signature container.
Definition: detect.h:657
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1611
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1353
DetectAppLayerMultiRegister
void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority)
Definition: detect-engine.c:2086