suricata
detect-l3proto.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Eric Leblond <eric@regit.org>
22  *
23  *
24  * Implements the l3_proto keyword
25  */
26 
27 #include "suricata-common.h"
28 #include "decode.h"
29 #include "detect.h"
30 
31 #include "detect-ipproto.h"
32 
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-build.h"
37 
38 #include "detect-engine-siggroup.h"
39 #include "detect-engine-address.h"
40 
41 #include "detect-l3proto.h"
42 
43 #include "util-byte.h"
44 #include "util-unittest.h"
45 #include "util-unittest-helper.h"
46 
47 #include "util-debug.h"
48 
49 static int DetectL3ProtoSetup(DetectEngineCtx *, Signature *, const char *);
50 #ifdef UNITTESTS
51 static void DetectL3protoRegisterTests(void);
52 #endif
53 
54 void DetectL3ProtoRegister(void)
55 {
56  sigmatch_table[DETECT_L3PROTO].name = "l3_proto";
57  sigmatch_table[DETECT_L3PROTO].Match = NULL;
58  sigmatch_table[DETECT_L3PROTO].Setup = DetectL3ProtoSetup;
59  sigmatch_table[DETECT_L3PROTO].Free = NULL;
60 #ifdef UNITTESTS
61  sigmatch_table[DETECT_L3PROTO].RegisterTests = DetectL3protoRegisterTests;
62 #endif
63 }
64 /**
65  * \internal
66  * \brief Setup l3_proto keyword.
67  *
68  * \param de_ctx Detection engine context
69  * \param s Signature
70  * \param optstr Options string
71  *
72  * \return Non-zero on error
73  */
74 static int DetectL3ProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
75 {
76  const char *str = optstr;
77 
78  /* reset possible any value */
79  if (s->proto.flags & DETECT_PROTO_ANY) {
80  s->proto.flags &= ~DETECT_PROTO_ANY;
81  }
82 
83  /* authorized value, ip, any, ip4, ipv4, ip6, ipv6 */
84  if (strcasecmp(str,"ipv4") == 0 ||
85  strcasecmp(str,"ip4") == 0 ) {
86  if (s->proto.flags & DETECT_PROTO_IPV6) {
87  SCLogError("Conflicting l3 proto specified");
88  goto error;
89  }
90  s->proto.flags |= DETECT_PROTO_IPV4;
91  SCLogDebug("IPv4 protocol detected");
92  } else if (strcasecmp(str,"ipv6") == 0 ||
93  strcasecmp(str,"ip6") == 0 ) {
94  if (s->proto.flags & DETECT_PROTO_IPV6) {
95  SCLogError("Conflicting l3 proto specified");
96  goto error;
97  }
98  s->proto.flags |= DETECT_PROTO_IPV6;
99  SCLogDebug("IPv6 protocol detected");
100  } else {
101  SCLogError("Invalid l3 proto: \"%s\"", str);
102  goto error;
103  }
104 
105  return 0;
106 error:
107  return -1;
108 }
109 
110 #ifdef UNITTESTS
111 #include "detect-engine-alert.h"
112 
113 /**
114  * \test DetectL3protoTestSig01 is a test for checking the working of ttl keyword
115  * by setting up the signature and later testing its working by matching
116  * the received packet against the sig.
117  */
118 
119 static int DetectL3protoTestSig1(void)
120 {
121 
122  Packet *p = PacketGetFromAlloc();
123  FAIL_IF_NULL(p);
124  Signature *s = NULL;
125  ThreadVars th_v;
126  DetectEngineThreadCtx *det_ctx;
127  IPV4Hdr ip4h;
128 
129  memset(&th_v, 0, sizeof(th_v));
130 
131  p->src.family = AF_INET;
132  p->dst.family = AF_INET;
133  p->proto = IPPROTO_TCP;
134  UTHSetIPV4Hdr(p, &ip4h);
135 
136  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
137  FAIL_IF_NULL(de_ctx);
138 
139  de_ctx->flags |= DE_QUIET;
140 
141  s = DetectEngineAppendSig(
142  de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv4\"; l3_proto:ipv4; sid:1;)");
143  FAIL_IF_NULL(s);
144 
145  s = DetectEngineAppendSig(
146  de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv6\"; l3_proto:ipv6; sid:2;)");
147  FAIL_IF_NULL(s);
148 
149  s = DetectEngineAppendSig(
150  de_ctx, "alert ip any any -> any any (msg:\"l3proto ip4\"; l3_proto:ip4; sid:3;)");
151  FAIL_IF_NULL(s);
152 
153  s = DetectEngineAppendSig(
154  de_ctx, "alert ip any any -> any any (msg:\"l3proto ip6\"; l3_proto:ip6; sid:4;)");
155  FAIL_IF_NULL(s);
156 
157  SigGroupBuild(de_ctx);
158  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
159 
160  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
161  FAIL_IF_NOT(PacketAlertCheck(p, 1));
162  FAIL_IF(PacketAlertCheck(p, 2));
163  FAIL_IF_NOT(PacketAlertCheck(p, 3));
164  FAIL_IF(PacketAlertCheck(p, 4));
165 
166  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
167  DetectEngineCtxFree(de_ctx);
168 
169  SCFree(p);
170 
171  PASS;
172 }
173 
174 /**
175  * \test DetectL3protoTestSig02 is a test for checking the working of l3proto keyword
176  * by setting up the signature and later testing its working by matching
177  * the received IPv6 packet against the sig.
178  */
179 
180 static int DetectL3protoTestSig2(void)
181 {
182 
183  Packet *p = PacketGetFromAlloc();
184  FAIL_IF_NULL(p);
185  Signature *s = NULL;
186  ThreadVars th_v;
187  DetectEngineThreadCtx *det_ctx;
188  IPV6Hdr ip6h;
189 
190  memset(&th_v, 0, sizeof(th_v));
191 
192  p->src.family = AF_INET6;
193  p->dst.family = AF_INET6;
194  p->proto = IPPROTO_TCP;
195  UTHSetIPV6Hdr(p, &ip6h);
196 
197  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
198  FAIL_IF_NULL(de_ctx);
199 
200  de_ctx->flags |= DE_QUIET;
201 
202  s = DetectEngineAppendSig(
203  de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv4\"; l3_proto:ipv4; sid:1;)");
204  FAIL_IF_NULL(s);
205 
206  s = DetectEngineAppendSig(
207  de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv6\"; l3_proto:ipv6; sid:2;)");
208  FAIL_IF_NULL(s);
209 
210  s = DetectEngineAppendSig(
211  de_ctx, "alert ip any any -> any any (msg:\"l3proto ip4\"; l3_proto:ip4; sid:3;)");
212  FAIL_IF_NULL(s);
213 
214  s = DetectEngineAppendSig(
215  de_ctx, "alert ip any any -> any any (msg:\"l3proto ip6\"; l3_proto:ip6; sid:4;)");
216  FAIL_IF_NULL(s);
217 
218  SigGroupBuild(de_ctx);
219  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
220 
221  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
222  FAIL_IF(PacketAlertCheck(p, 1));
223  FAIL_IF_NOT(PacketAlertCheck(p, 2));
224  FAIL_IF(PacketAlertCheck(p, 3));
225  FAIL_IF_NOT(PacketAlertCheck(p, 4));
226 
227  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
228  DetectEngineCtxFree(de_ctx);
229 
230  SCFree(p);
231 
232  PASS;
233 }
234 
235 /**
236  * \test DetectL3protoTestSig03 is a test for checking the working of l3proto keyword
237  * in conjunction with ip_proto keyword.
238  */
239 
240 static int DetectL3protoTestSig3(void)
241 {
242 
243  Packet *p = PacketGetFromAlloc();
244  FAIL_IF_NULL(p);
245  Signature *s = NULL;
246  ThreadVars th_v;
247  DetectEngineThreadCtx *det_ctx;
248  IPV6Hdr ip6h;
249 
250  memset(&th_v, 0, sizeof(th_v));
251 
252  p->src.family = AF_INET6;
253  p->dst.family = AF_INET6;
254  p->proto = IPPROTO_TCP;
255  UTHSetIPV6Hdr(p, &ip6h);
256 
257  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
258  FAIL_IF_NULL(de_ctx);
259 
260  de_ctx->flags |= DE_QUIET;
261 
262  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv4 and "
263  "ip_proto udp\"; l3_proto:ipv4; ip_proto:17; sid:1;)");
264  FAIL_IF_NULL(s);
265 
266  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv6 and "
267  "ip_proto udp\"; l3_proto:ipv6; ip_proto:17; sid:2;)");
268  FAIL_IF_NULL(s);
269 
270  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (msg:\"l3proto ip4 and ip_proto "
271  "tcp\"; l3_proto:ipv4; ip_proto:6; sid:3;)");
272  FAIL_IF_NULL(s);
273 
274  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (msg:\"l3proto ipv6 and "
275  "ip_proto tcp\"; l3_proto:ipv6; ip_proto:6; sid:4;)");
276  FAIL_IF_NULL(s);
277 
278  SigGroupBuild(de_ctx);
279  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
280 
281  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
282  FAIL_IF(PacketAlertCheck(p, 1));
283  FAIL_IF(PacketAlertCheck(p, 2));
284  FAIL_IF(PacketAlertCheck(p, 3));
285  FAIL_IF_NOT(PacketAlertCheck(p, 4));
286 
287  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
288  DetectEngineCtxFree(de_ctx);
289 
290  SCFree(p);
291 
292  PASS;
293 }
294 
295 /**
296  * \brief this function registers unit tests for DetectL3proto
297  */
298 static void DetectL3protoRegisterTests(void)
299 {
300  UtRegisterTest("DetectL3protoTestSig1", DetectL3protoTestSig1);
301  UtRegisterTest("DetectL3protoTestSig2", DetectL3protoTestSig2);
302  UtRegisterTest("DetectL3protoTestSig3", DetectL3protoTestSig3);
303 }
304 #endif /* UNITTESTS */
util-byte.h
Packet_::proto
uint8_t proto
Definition: decode.h:523
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1446
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:32
detect-engine-siggroup.h
SigTableElmt_::name
const char * name
Definition: detect.h:1459
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
UTHSetIPV4Hdr
void UTHSetIPV4Hdr(Packet *p, IPV4Hdr *ip4h)
Definition: util-unittest-helper.c:126
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DETECT_PROTO_ANY
#define DETECT_PROTO_ANY
Definition: detect-engine-proto.h:28
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2641
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2420
UTHSetIPV6Hdr
void UTHSetIPV6Hdr(Packet *p, IPV6Hdr *ip6h)
Definition: util-unittest-helper.c:131
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3437
detect-l3proto.h
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1441
util-unittest.h
DETECT_L3PROTO
@ DETECT_L3PROTO
Definition: detect-engine-register.h:243
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectL3ProtoRegister
void DetectL3ProtoRegister(void)
Registration function for ip_proto keyword.
Definition: detect-l3proto.c:54
DetectEngineThreadCtx_
Definition: detect.h:1244
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3372
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-engine-alert.h
detect-ipproto.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1421
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2204
IPV4Hdr_
Definition: decode-ipv4.h:72
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:37
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:31
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
Signature_::proto
DetectProto proto
Definition: detect.h:687
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3608
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:258
str
#define str(s)
Definition: suricata-common.h:308
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:267
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2602
Address_::family
char family
Definition: decode.h:113
Packet_::dst
Address dst
Definition: decode.h:506
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
detect-engine-address.h
Packet_::src
Address src
Definition: decode.h:505
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1448