suricata
detect-lua-extensions.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Functions to expose to the lua scripts.
24  */
25 
26 #include "suricata-common.h"
27 #include "conf.h"
28 
29 #include "threads.h"
30 #include "debug.h"
31 #include "decode.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-flowvar.h"
36 
37 #include "detect-engine.h"
38 #include "detect-engine-mpm.h"
39 #include "detect-engine-state.h"
40 
41 #include "flow.h"
42 #include "flow-var.h"
43 #include "flow-util.h"
44 
45 #include "util-debug.h"
46 #include "util-spm-bm.h"
47 #include "util-print.h"
48 
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 
52 #include "app-layer.h"
53 
54 #include "stream-tcp.h"
55 
56 #include "detect-lua.h"
57 
58 #include "queue.h"
59 #include "util-cpu.h"
60 
61 #include "app-layer-parser.h"
62 
63 #ifdef HAVE_LUA
64 
65 #include "util-lua.h"
66 #include "util-lua-common.h"
67 #include "util-lua-http.h"
68 #include "util-lua-dns.h"
69 #include "util-lua-ja3.h"
70 #include "util-lua-tls.h"
71 #include "util-lua-ssh.h"
72 #include "util-lua-hassh.h"
73 #include "util-lua-smtp.h"
74 #include "util-lua-dnp3.h"
75 #include "detect-lua-extensions.h"
76 
77 static const char luaext_key_ld[] = "suricata:luadata";
78 
79 /* hack to please scan-build. Even though LuaCallbackError *always*
80  * returns 2, scan-build doesn't accept it and generates false
81  * positives */
82 #define LUA_ERROR(msg) \
83  LuaCallbackError(luastate, (msg)); \
84  return 2
85 
86 static int GetLuaData(lua_State *luastate, DetectLuaData **ret_ld)
87 {
88  *ret_ld = NULL;
89 
90  DetectLuaData *ld;
91  lua_pushlightuserdata(luastate, (void *)&luaext_key_ld);
92  lua_gettable(luastate, LUA_REGISTRYINDEX);
93  ld = lua_touserdata(luastate, -1);
94  if (ld == NULL) {
95  LUA_ERROR("internal error: no ld");
96  }
97  *ret_ld = ld;
98  return 0;
99 }
100 
101 static int GetFlow(lua_State *luastate, Flow **ret_f)
102 {
103  Flow *f = LuaStateGetFlow(luastate);
104  if (f == NULL) {
105  LUA_ERROR("no flow");
106  }
107  *ret_f = f;
108  return 0;
109 }
110 
111 static int GetFlowVarById(lua_State *luastate, Flow *f,
112  FlowVar **ret_fv, bool fv_may_be_null, uint32_t *ret_idx)
113 {
114  DetectLuaData *ld = NULL;
115  if (ret_idx)
116  *ret_idx = 0;
117  *ret_fv = NULL;
118 
119  /* need lua data for id -> idx conversion */
120  int ret = GetLuaData(luastate, &ld);
121  if (ret != 0)
122  return ret;
123 
124  if (!lua_isnumber(luastate, 1)) {
125  LUA_ERROR("flowvar id not a number");
126  }
127  int id = lua_tonumber(luastate, 1);
128  if (id < 0 || id >= DETECT_LUAJIT_MAX_FLOWVARS) {
129  LUA_ERROR("flowvar id out of range");
130  }
131  uint32_t idx = ld->flowvar[id];
132  if (idx == 0) {
133  LUA_ERROR("flowvar id uninitialized");
134  }
135  FlowVar *fv = FlowVarGet(f, idx);
136  if (!fv_may_be_null && fv == NULL) {
137  LUA_ERROR("no flow var");
138  }
139  *ret_fv = fv;
140  if (ret_idx)
141  *ret_idx = idx;
142  return 0;
143 }
144 
145 static int GetFlowVarByKey(lua_State *luastate, Flow *f, FlowVar **ret_fv)
146 {
147  *ret_fv = NULL;
148 
149  if (!lua_isstring(luastate, 1)) {
150  LUA_ERROR("flowvar key not a string");
151  }
152  const char *keystr = lua_tostring(luastate, 1);
153  if (keystr == NULL) {
154  LUA_ERROR("key is null");
155  }
156  if (!lua_isnumber(luastate, 2)) {
157  LUA_ERROR("key length not specified");
158  }
159  int keylen = lua_tonumber(luastate, 2);
160  if (keylen < 0 || keylen > 0xff) {
161  LUA_ERROR("key len out of range: max 256");
162  }
163 
164  FlowVar *fv = FlowVarGetByKey(f, (const uint8_t *)keystr, keylen);
165  if (fv == NULL) {
166  LUA_ERROR("no flow var");
167  }
168  *ret_fv = fv;
169  return 0;
170 }
171 
172 static int GetFlowIntById(lua_State *luastate, Flow *f,
173  FlowVar **ret_fv, bool fv_may_be_null, uint32_t *ret_idx)
174 {
175  DetectLuaData *ld = NULL;
176  if (ret_idx)
177  *ret_idx = 0;
178  *ret_fv = NULL;
179 
180  /* need lua data for id -> idx conversion */
181  int ret = GetLuaData(luastate, &ld);
182  if (ret != 0)
183  return ret;
184 
185  if (!lua_isnumber(luastate, 1)) {
186  LUA_ERROR("flowvar id not a number");
187  }
188  int id = lua_tonumber(luastate, 1);
189  if (id < 0 || id >= DETECT_LUAJIT_MAX_FLOWVARS) {
190  LUA_ERROR("flowvar id out of range");
191  }
192  uint32_t idx = ld->flowint[id];
193  if (idx == 0) {
194  LUA_ERROR("flowvar id uninitialized");
195  }
196  FlowVar *fv = FlowVarGet(f, idx);
197  if (!fv_may_be_null && fv == NULL) {
198  LUA_ERROR("no flow var");
199  }
200  *ret_fv = fv;
201  if (ret_idx)
202  *ret_idx = idx;
203  return 0;
204 }
205 
206 static int LuaGetFlowvar(lua_State *luastate)
207 {
208  Flow *f;
209  FlowVar *fv;
210  int ret;
211 
212  /* need flow */
213  ret = GetFlow(luastate, &f);
214  if (ret != 0)
215  return ret;
216 
217  if (lua_isnumber(luastate, 1)) {
218  ret = GetFlowVarById(luastate, f, &fv, false, NULL);
219  if (ret != 0 || fv == NULL)
220  return ret;
221  } else if (lua_isstring(luastate, 1)) {
222  ret = GetFlowVarByKey(luastate, f, &fv);
223  if (ret != 0 || fv == NULL)
224  return ret;
225  } else {
226  LUA_ERROR("invalid data type as first argument");
227  }
228 
229  LuaPushStringBuffer(luastate,
230  (const uint8_t *)fv->data.fv_str.value,
231  (size_t)fv->data.fv_str.value_len);
232  return 1;
233 }
234 
235 static int LuaSetFlowvarById(lua_State *luastate)
236 {
237  uint32_t idx = 0;
238  Flow *f;
239  const char *str;
240  int len;
241  uint8_t *buffer;
242  FlowVar *fv = NULL;
243 
244  /* need flow */
245  int ret = GetFlow(luastate, &f);
246  if (ret != 0)
247  return ret;
248 
249  ret = GetFlowVarById(luastate, f, &fv, true, &idx);
250  if (ret != 0)
251  return ret;
252 
253  if (!lua_isstring(luastate, 2)) {
254  LUA_ERROR("buffer not a string");
255  }
256  str = lua_tostring(luastate, 2);
257  if (str == NULL) {
258  LUA_ERROR("buffer is null");
259  }
260 
261  if (!lua_isnumber(luastate, 3)) {
262  LUA_ERROR("buffer length not specified");
263  }
264  len = lua_tonumber(luastate, 3);
265  if (len < 0 || len > 0xffff) {
266  LUA_ERROR("len out of range: max 64k");
267  }
268 
269  buffer = SCMalloc(len+1);
270  if (unlikely(buffer == NULL)) {
271  LUA_ERROR("out of memory");
272  }
273  memcpy(buffer, str, len);
274  buffer[len] = '\0';
275 
276  FlowVarAddIdValue(f, idx, buffer, len);
277  return 0;
278 }
279 
280 static int LuaSetFlowvarByKey(lua_State *luastate)
281 {
282  Flow *f;
283  const char *str;
284  int len;
285  uint8_t *buffer;
286 
287  /* need flow */
288  int ret = GetFlow(luastate, &f);
289  if (ret != 0)
290  return ret;
291 
292  const char *keystr = NULL;
293  int keylen = 0;
294 
295  keystr = lua_tostring(luastate, 1);
296  if (keystr == NULL) {
297  LUA_ERROR("key is null");
298  }
299  if (!lua_isnumber(luastate, 2)) {
300  LUA_ERROR("key length not specified");
301  }
302  keylen = lua_tonumber(luastate, 2);
303  if (keylen < 0 || keylen > 0xff) {
304  LUA_ERROR("key len out of range: max 256");
305  }
306 
307  if (!lua_isstring(luastate, 3)) {
308  LUA_ERROR("buffer not a string");
309  }
310  str = lua_tostring(luastate, 3);
311  if (str == NULL) {
312  LUA_ERROR("buffer is null");
313  }
314 
315  if (!lua_isnumber(luastate, 4)) {
316  LUA_ERROR("buffer length not specified");
317  }
318  len = lua_tonumber(luastate, 4);
319  if (len < 0 || len > 0xffff) {
320  LUA_ERROR("len out of range: max 64k");
321  }
322 
323  buffer = SCMalloc(len+1);
324  if (unlikely(buffer == NULL)) {
325  LUA_ERROR("out of memory");
326  }
327  memcpy(buffer, str, len);
328  buffer[len] = '\0';
329 
330  uint8_t *keybuf = SCMalloc(keylen+1);
331  if (unlikely(keybuf == NULL)) {
332  SCFree(buffer);
333  LUA_ERROR("out of memory");
334  }
335  memcpy(keybuf, keystr, keylen);
336  keybuf[keylen] = '\0';
337  FlowVarAddKeyValue(f, keybuf, keylen, buffer, len);
338 
339  return 0;
340 }
341 
342 static int LuaSetFlowvar(lua_State *luastate)
343 {
344  if (lua_isnumber(luastate, 1)) {
345  return LuaSetFlowvarById(luastate);
346  } else {
347  return LuaSetFlowvarByKey(luastate);
348  }
349 }
350 
351 static int LuaGetFlowint(lua_State *luastate)
352 {
353  Flow *f;
354  FlowVar *fv;
355  uint32_t number;
356 
357  /* need flow */
358  int ret = GetFlow(luastate, &f);
359  if (ret != 0)
360  return ret;
361 
362  ret = GetFlowIntById(luastate, f, &fv, false, NULL);
363  if (ret != 0)
364  return ret;
365 
366  number = fv->data.fv_int.value;
367 
368  /* return value through luastate, as a luanumber */
369  lua_pushnumber(luastate, (lua_Number)number);
370  return 1;
371 
372 }
373 
374 static int LuaSetFlowint(lua_State *luastate)
375 {
376  uint32_t idx;
377  Flow *f;
378  DetectLuaData *ld;
379 
380  /* need lua data for id -> idx conversion */
381  int ret = GetLuaData(luastate, &ld);
382  if (ret != 0)
383  return ret;
384 
385  /* need flow */
386  ret = GetFlow(luastate, &f);
387  if (ret != 0)
388  return ret;
389 
390  /* need flowint idx */
391  if (!lua_isnumber(luastate, 1)) {
392  LUA_ERROR("1st arg not a number");
393  }
394  int id = lua_tonumber(luastate, 1);
395  if (id < 0 || id >= DETECT_LUAJIT_MAX_FLOWVARS) {
396  LUA_ERROR("flowint id out of range");
397  }
398 
399  if (!lua_isnumber(luastate, 2)) {
400  LUA_ERROR("2nd arg not a number");
401  }
402  lua_Number luanumber = lua_tonumber(luastate, 2);
403  if (luanumber < 0 || id > (double)UINT_MAX) {
404  LUA_ERROR("value out of range, "
405  "value must be unsigned 32bit int");
406  }
407  uint32_t number = (uint32_t)luanumber;
408 
409  idx = ld->flowint[id];
410  if (idx == 0) {
411  LUA_ERROR("flowint id uninitialized");
412  }
413 
414  FlowVarAddInt(f, idx, number);
415 
416  SCLogDebug("stored flow:%p idx:%u value:%u", f, idx, number);
417  return 0;
418 }
419 
420 static int LuaIncrFlowint(lua_State *luastate)
421 {
422  uint32_t idx;
423  Flow *f;
424  FlowVar *fv;
425  uint32_t number;
426 
427  /* need flow */
428  int ret = GetFlow(luastate, &f);
429  if (ret != 0)
430  return ret;
431 
432  ret = GetFlowIntById(luastate, f, &fv, true, &idx);
433  if (ret != 0)
434  return ret;
435 
436  if (fv == NULL) {
437  number = 1;
438  } else {
439  number = fv->data.fv_int.value;
440  if (number < UINT_MAX)
441  number++;
442  }
443  FlowVarAddIntNoLock(f, idx, number);
444 
445  /* return value through luastate, as a luanumber */
446  lua_pushnumber(luastate, (lua_Number)number);
447  SCLogDebug("incremented flow:%p idx:%u value:%u", f, idx, number);
448  return 1;
449 
450 }
451 
452 static int LuaDecrFlowint(lua_State *luastate)
453 {
454  uint32_t idx;
455  Flow *f;
456  FlowVar *fv;
457  uint32_t number;
458 
459  /* need flow */
460  int ret = GetFlow(luastate, &f);
461  if (ret != 0)
462  return ret;
463 
464  ret = GetFlowIntById(luastate, f, &fv, true, &idx);
465  if (ret != 0)
466  return ret;
467 
468  if (fv == NULL) {
469  number = 0;
470  } else {
471  number = fv->data.fv_int.value;
472  if (number > 0)
473  number--;
474  }
475  FlowVarAddIntNoLock(f, idx, number);
476 
477  /* return value through luastate, as a luanumber */
478  lua_pushnumber(luastate, (lua_Number)number);
479  SCLogDebug("decremented flow:%p idx:%u value:%u", f, idx, number);
480  return 1;
481 
482 }
483 
484 static int LuaGetByteVar(lua_State *luastate)
485 {
486  DetectLuaData *ld = NULL;
487  DetectEngineThreadCtx *det_ctx = LuaStateGetDetCtx(luastate);
488 
489  if (det_ctx == NULL)
490  return LuaCallbackError(luastate, "internal error: no ldet_ctx");
491 
492  int ret = GetLuaData(luastate, &ld);
493  if (ret != 0)
494  return ret;
495 
496  if (!lua_isnumber(luastate, 1)) {
497  LUA_ERROR("bytevar id not a number");
498  }
499  int id = lua_tonumber(luastate, 1);
500  if (id < 0 || id >= DETECT_LUAJIT_MAX_BYTEVARS) {
501  LUA_ERROR("bytevar id out of range");
502  }
503  uint32_t idx = ld->bytevar[id];
504 
505  lua_pushinteger(luastate, det_ctx->byte_values[idx]);
506 
507  return 1;
508 }
509 
510 void LuaExtensionsMatchSetup(lua_State *lua_state, DetectLuaData *ld,
511  DetectEngineThreadCtx *det_ctx, Flow *f, Packet *p, const Signature *s, uint8_t flags)
512 {
513  SCLogDebug("det_ctx %p, f %p", det_ctx, f);
514 
515  /* lua keyword data */
516  lua_pushlightuserdata(lua_state, (void *)&luaext_key_ld);
517  lua_pushlightuserdata(lua_state, (void *)ld);
518  lua_settable(lua_state, LUA_REGISTRYINDEX);
519 
520  LuaStateSetSignature(lua_state, s);
521 
522  LuaStateSetFlow(lua_state, f);
523  LuaStateSetDetCtx(lua_state, det_ctx);
524 
525  if (det_ctx->tx_id_set) {
526  if (f && f->alstate) {
527  void *txptr = AppLayerParserGetTx(f->proto, f->alproto, f->alstate, det_ctx->tx_id);
528  if (txptr) {
529  LuaStateSetTX(lua_state, txptr);
530  }
531  }
532  }
533 
534  if (p != NULL)
535  LuaStateSetPacket(lua_state, p);
536 
537  LuaStateSetDirection(lua_state, (flags & STREAM_TOSERVER));
538 }
539 
540 /**
541  * \brief Register Suricata Lua functions
542  */
543 int LuaRegisterExtensions(lua_State *lua_state)
544 {
545  lua_pushcfunction(lua_state, LuaGetFlowvar);
546  lua_setglobal(lua_state, "ScFlowvarGet");
547 
548  lua_pushcfunction(lua_state, LuaGetFlowvar);
549  lua_setglobal(lua_state, "SCFlowvarGet");
550 
551  lua_pushcfunction(lua_state, LuaSetFlowvar);
552  lua_setglobal(lua_state, "ScFlowvarSet");
553 
554  lua_pushcfunction(lua_state, LuaSetFlowvar);
555  lua_setglobal(lua_state, "SCFlowvarSet");
556 
557  lua_pushcfunction(lua_state, LuaGetFlowint);
558  lua_setglobal(lua_state, "ScFlowintGet");
559 
560  lua_pushcfunction(lua_state, LuaGetFlowint);
561  lua_setglobal(lua_state, "SCFlowintGet");
562 
563  lua_pushcfunction(lua_state, LuaSetFlowint);
564  lua_setglobal(lua_state, "ScFlowintSet");
565 
566  lua_pushcfunction(lua_state, LuaSetFlowint);
567  lua_setglobal(lua_state, "SCFlowintSet");
568 
569  lua_pushcfunction(lua_state, LuaIncrFlowint);
570  lua_setglobal(lua_state, "ScFlowintIncr");
571 
572  lua_pushcfunction(lua_state, LuaIncrFlowint);
573  lua_setglobal(lua_state, "SCFlowintIncr");
574 
575  lua_pushcfunction(lua_state, LuaDecrFlowint);
576  lua_setglobal(lua_state, "ScFlowintDecr");
577 
578  lua_pushcfunction(lua_state, LuaDecrFlowint);
579  lua_setglobal(lua_state, "SCFlowintDecr");
580 
581  lua_pushcfunction(lua_state, LuaGetByteVar);
582  lua_setglobal(lua_state, "SCByteVarGet");
583 
584  LuaRegisterFunctions(lua_state);
585  LuaRegisterHttpFunctions(lua_state);
586  LuaRegisterDnsFunctions(lua_state);
587  LuaRegisterJa3Functions(lua_state);
588  LuaRegisterTlsFunctions(lua_state);
589  LuaRegisterSshFunctions(lua_state);
590  LuaRegisterHasshFunctions(lua_state);
591  LuaRegisterSmtpFunctions(lua_state);
592  LuaRegisterDNP3Functions(lua_state);
593  return 0;
594 }
595 
596 #endif /* HAVE_LUA */
DetectEngineThreadCtx_::byte_values
uint64_t * byte_values
Definition: detect.h:1151
lua_State
void lua_State
Definition: util-lua.h:31
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
util-lua-ssh.h
util-lua-hassh.h
util-lua-common.h
flow-util.h
FlowVarAddKeyValue
void FlowVarAddKeyValue(Flow *f, uint8_t *key, uint16_t keysize, uint8_t *value, uint16_t size)
Definition: flow-var.c:94
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
Flow_::proto
uint8_t proto
Definition: flow.h:375
util-lua.h
DetectEngineThreadCtx_::tx_id
uint64_t tx_id
Definition: detect.h:1107
FlowVarTypeStr::value_len
uint16_t value_len
Definition: flow-var.h:39
threads.h
Flow_
Flow data structure.
Definition: flow.h:353
util-lua-ja3.h
FlowVar_::fv_str
FlowVarTypeStr fv_str
Definition: flow-var.h:57
detect-lua.h
util-unittest.h
util-unittest-helper.h
detect-flowvar.h
FlowVar_::fv_int
FlowVarTypeInt fv_int
Definition: flow-var.h:58
FlowVar_::data
union FlowVar_::@111 data
decode.h
util-debug.h
FlowVarGetByKey
FlowVar * FlowVarGetByKey(Flow *f, const uint8_t *key, uint16_t keylen)
get the flowvar with index 'idx' from the flow
Definition: flow-var.c:54
DetectEngineThreadCtx_
Definition: detect.h:1034
util-cpu.h
util-print.h
detect-engine-mpm.h
detect.h
app-layer-parser.h
Packet_
Definition: decode.h:433
conf.h
util-lua-dnp3.h
FlowVarAddIdValue
void FlowVarAddIdValue(Flow *f, uint32_t idx, uint8_t *value, uint16_t size)
Definition: flow-var.c:113
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1124
FlowVarTypeInt_::value
uint32_t value
Definition: flow-var.h:44
util-lua-smtp.h
FlowVarTypeStr::value
uint8_t * value
Definition: flow-var.h:38
flags
uint8_t flags
Definition: decode-gre.h:0
detect-lua-extensions.h
suricata-common.h
util-lua-dns.h
util-spm-bm.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
str
#define str(s)
Definition: suricata-common.h:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alstate
void * alstate
Definition: flow.h:486
FlowVarAddInt
void FlowVarAddInt(Flow *f, uint32_t idx, uint32_t value)
Definition: flow-var.c:156
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
FlowVarAddIntNoLock
void FlowVarAddIntNoLock(Flow *f, uint32_t idx, uint32_t value)
Definition: flow-var.c:135
util-lua-tls.h
DetectEngineThreadCtx_::tx_id_set
bool tx_id_set
Definition: detect.h:1105
util-lua-http.h
FlowVarGet
FlowVar * FlowVarGet(Flow *f, uint32_t idx)
get the flowvar with index 'idx' from the flow
Definition: flow-var.c:78
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
flow-var.h
FlowVar_
Definition: flow-var.h:48
debug.h
app-layer.h