suricata
detect-l3proto.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Eric Leblond <eric@regit.org>
22  *
23  *
24  * Implements the l3_proto keyword
25  */
26 
27 #include "suricata-common.h"
28 #include "decode.h"
29 #include "detect.h"
30 
31 #include "detect-ipproto.h"
32 
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-build.h"
37 
38 #include "detect-engine-siggroup.h"
39 #include "detect-engine-address.h"
40 
41 #include "detect-l3proto.h"
42 
43 #include "util-byte.h"
44 #include "util-unittest.h"
45 #include "util-unittest-helper.h"
46 
47 #include "util-debug.h"
48 
49 static int DetectL3ProtoSetup(DetectEngineCtx *, Signature *, const char *);
50 #ifdef UNITTESTS
51 static void DetectL3protoRegisterTests(void);
52 #endif
53 
54 void DetectL3ProtoRegister(void)
55 {
56  sigmatch_table[DETECT_L3PROTO].name = "l3_proto";
57  sigmatch_table[DETECT_L3PROTO].Match = NULL;
58  sigmatch_table[DETECT_L3PROTO].Setup = DetectL3ProtoSetup;
59  sigmatch_table[DETECT_L3PROTO].Free = NULL;
60 #ifdef UNITTESTS
61  sigmatch_table[DETECT_L3PROTO].RegisterTests = DetectL3protoRegisterTests;
62 #endif
63 }
64 /**
65  * \internal
66  * \brief Setup l3_proto keyword.
67  *
68  * \param de_ctx Detection engine context
69  * \param s Signature
70  * \param optstr Options string
71  *
72  * \return Non-zero on error
73  */
74 static int DetectL3ProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
75 {
76  const char *str = optstr;
77 
78  /* reset possible any value */
79  if (s->proto.flags & DETECT_PROTO_ANY) {
80  s->proto.flags &= ~DETECT_PROTO_ANY;
81  }
82 
83  /* authorized value, ip, any, ip4, ipv4, ip6, ipv6 */
84  if (strcasecmp(str,"ipv4") == 0 ||
85  strcasecmp(str,"ip4") == 0 ) {
86  if (s->proto.flags & DETECT_PROTO_IPV6) {
87  SCLogError("Conflicting l3 proto specified");
88  goto error;
89  }
90  s->proto.flags |= DETECT_PROTO_IPV4;
91  SCLogDebug("IPv4 protocol detected");
92  } else if (strcasecmp(str,"ipv6") == 0 ||
93  strcasecmp(str,"ip6") == 0 ) {
94  if (s->proto.flags & DETECT_PROTO_IPV6) {
95  SCLogError("Conflicting l3 proto specified");
96  goto error;
97  }
98  s->proto.flags |= DETECT_PROTO_IPV6;
99  SCLogDebug("IPv6 protocol detected");
100  } else {
101  SCLogError("Invalid l3 proto: \"%s\"", str);
102  goto error;
103  }
104 
105  return 0;
106 error:
107  return -1;
108 }
109 
110 #ifdef UNITTESTS
111 #include "detect-engine-alert.h"
112 
113 /**
114  * \test DetectL3protoTestSig01 is a test for checking the working of ttl keyword
115  * by setting up the signature and later testing its working by matching
116  * the received packet against the sig.
117  */
118 
119 static int DetectL3protoTestSig1(void)
120 {
121  Packet *p = PacketGetFromAlloc();
122  FAIL_IF_NULL(p);
123  Signature *s = NULL;
124  ThreadVars th_v;
125  DetectEngineThreadCtx *det_ctx;
126  IPV4Hdr ip4h;
127 
128  memset(&th_v, 0, sizeof(th_v));
129 
130  p->src.family = AF_INET;
131  p->dst.family = AF_INET;
132  p->proto = IPPROTO_TCP;
133  UTHSetIPV4Hdr(p, &ip4h);
134 
135  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
136  FAIL_IF_NULL(de_ctx);
137 
138  de_ctx->flags |= DE_QUIET;
139 
140  s = DetectEngineAppendSig(
141  de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv4\"; l3_proto:ipv4; sid:1;)");
142  FAIL_IF_NULL(s);
143 
144  s = DetectEngineAppendSig(
145  de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv6\"; l3_proto:ipv6; sid:2;)");
146  FAIL_IF_NULL(s);
147 
148  s = DetectEngineAppendSig(
149  de_ctx, "alert ip any any -> any any (msg:\"l3proto ip4\"; l3_proto:ip4; sid:3;)");
150  FAIL_IF_NULL(s);
151 
152  s = DetectEngineAppendSig(
153  de_ctx, "alert ip any any -> any any (msg:\"l3proto ip6\"; l3_proto:ip6; sid:4;)");
154  FAIL_IF_NULL(s);
155 
156  SigGroupBuild(de_ctx);
157  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
158 
159  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
160  FAIL_IF_NOT(PacketAlertCheck(p, 1));
161  FAIL_IF(PacketAlertCheck(p, 2));
162  FAIL_IF_NOT(PacketAlertCheck(p, 3));
163  FAIL_IF(PacketAlertCheck(p, 4));
164 
165  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
166  DetectEngineCtxFree(de_ctx);
167 
168  PacketFree(p);
169  StatsThreadCleanup(&th_v);
170  PASS;
171 }
172 
173 /**
174  * \test DetectL3protoTestSig02 is a test for checking the working of l3proto keyword
175  * by setting up the signature and later testing its working by matching
176  * the received IPv6 packet against the sig.
177  */
178 
179 static int DetectL3protoTestSig2(void)
180 {
181  Packet *p = PacketGetFromAlloc();
182  FAIL_IF_NULL(p);
183  Signature *s = NULL;
184  ThreadVars th_v;
185  DetectEngineThreadCtx *det_ctx;
186  IPV6Hdr ip6h;
187 
188  memset(&th_v, 0, sizeof(th_v));
189 
190  p->src.family = AF_INET6;
191  p->dst.family = AF_INET6;
192  p->proto = IPPROTO_TCP;
193  UTHSetIPV6Hdr(p, &ip6h);
194 
195  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
196  FAIL_IF_NULL(de_ctx);
197 
198  de_ctx->flags |= DE_QUIET;
199 
200  s = DetectEngineAppendSig(
201  de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv4\"; l3_proto:ipv4; sid:1;)");
202  FAIL_IF_NULL(s);
203 
204  s = DetectEngineAppendSig(
205  de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv6\"; l3_proto:ipv6; sid:2;)");
206  FAIL_IF_NULL(s);
207 
208  s = DetectEngineAppendSig(
209  de_ctx, "alert ip any any -> any any (msg:\"l3proto ip4\"; l3_proto:ip4; sid:3;)");
210  FAIL_IF_NULL(s);
211 
212  s = DetectEngineAppendSig(
213  de_ctx, "alert ip any any -> any any (msg:\"l3proto ip6\"; l3_proto:ip6; sid:4;)");
214  FAIL_IF_NULL(s);
215 
216  SigGroupBuild(de_ctx);
217  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
218 
219  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
220  FAIL_IF(PacketAlertCheck(p, 1));
221  FAIL_IF_NOT(PacketAlertCheck(p, 2));
222  FAIL_IF(PacketAlertCheck(p, 3));
223  FAIL_IF_NOT(PacketAlertCheck(p, 4));
224 
225  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
226  DetectEngineCtxFree(de_ctx);
227 
228  PacketFree(p);
229  StatsThreadCleanup(&th_v);
230 
231  PASS;
232 }
233 
234 /**
235  * \test DetectL3protoTestSig03 is a test for checking the working of l3proto keyword
236  * in conjunction with ip_proto keyword.
237  */
238 
239 static int DetectL3protoTestSig3(void)
240 {
241  Packet *p = PacketGetFromAlloc();
242  FAIL_IF_NULL(p);
243  Signature *s = NULL;
244  ThreadVars th_v;
245  DetectEngineThreadCtx *det_ctx;
246  IPV6Hdr ip6h;
247 
248  memset(&th_v, 0, sizeof(th_v));
249 
250  p->src.family = AF_INET6;
251  p->dst.family = AF_INET6;
252  p->proto = IPPROTO_TCP;
253  UTHSetIPV6Hdr(p, &ip6h);
254 
255  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
256  FAIL_IF_NULL(de_ctx);
257 
258  de_ctx->flags |= DE_QUIET;
259 
260  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv4 and "
261  "ip_proto udp\"; l3_proto:ipv4; ip_proto:17; sid:1;)");
262  FAIL_IF_NULL(s);
263 
264  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv6 and "
265  "ip_proto udp\"; l3_proto:ipv6; ip_proto:17; sid:2;)");
266  FAIL_IF_NULL(s);
267 
268  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (msg:\"l3proto ip4 and ip_proto "
269  "tcp\"; l3_proto:ipv4; ip_proto:6; sid:3;)");
270  FAIL_IF_NULL(s);
271 
272  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv6 and "
273  "ip_proto tcp\"; l3_proto:ipv6; ip_proto:6; sid:4;)");
274  FAIL_IF_NULL(s);
275 
276  SigGroupBuild(de_ctx);
277  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
278 
279  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
280  FAIL_IF(PacketAlertCheck(p, 1));
281  FAIL_IF(PacketAlertCheck(p, 2));
282  FAIL_IF(PacketAlertCheck(p, 3));
283  FAIL_IF_NOT(PacketAlertCheck(p, 4));
284 
285  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
286  DetectEngineCtxFree(de_ctx);
287 
288  PacketFree(p);
289  StatsThreadCleanup(&th_v);
290 
291  PASS;
292 }
293 
294 /**
295  * \brief this function registers unit tests for DetectL3proto
296  */
297 static void DetectL3protoRegisterTests(void)
298 {
299  UtRegisterTest("DetectL3protoTestSig1", DetectL3protoTestSig1);
300  UtRegisterTest("DetectL3protoTestSig2", DetectL3protoTestSig2);
301  UtRegisterTest("DetectL3protoTestSig3", DetectL3protoTestSig3);
302 }
303 #endif /* UNITTESTS */
util-byte.h
Packet_::proto
uint8_t proto
Definition: decode.h:523
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1444
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:32
detect-engine-siggroup.h
SigTableElmt_::name
const char * name
Definition: detect.h:1457
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
UTHSetIPV4Hdr
void UTHSetIPV4Hdr(Packet *p, IPV4Hdr *ip4h)
Definition: util-unittest-helper.c:126
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DETECT_PROTO_ANY
#define DETECT_PROTO_ANY
Definition: detect-engine-proto.h:28
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
UTHSetIPV6Hdr
void UTHSetIPV6Hdr(Packet *p, IPV6Hdr *ip6h)
Definition: util-unittest-helper.c:131
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
detect-l3proto.h
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1439
util-unittest.h
DETECT_L3PROTO
@ DETECT_L3PROTO
Definition: detect-engine-register.h:242
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectL3ProtoRegister
void DetectL3ProtoRegister(void)
Registration function for ip_proto keyword.
Definition: detect-l3proto.c:54
DetectEngineThreadCtx_
Definition: detect.h:1244
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:219
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-engine-alert.h
detect-ipproto.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1419
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
IPV4Hdr_
Definition: decode-ipv4.h:72
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:37
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:31
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
Signature_::proto
DetectProto proto
Definition: detect.h:687
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3596
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:258
str
#define str(s)
Definition: suricata-common.h:308
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:271
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
Address_::family
char family
Definition: decode.h:113
Packet_::dst
Address dst
Definition: decode.h:506
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
detect-engine-address.h
Packet_::src
Address src
Definition: decode.h:505
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1446