suricata
detect-mark.c
Go to the documentation of this file.
1 /* Copyright (C) 2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Eric Leblond <eric@regit.org>
22  *
23  * Implements the mark keyword. Based on detect-gid
24  * by Breno Silva <breno.silva@gmail.com>
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "decode.h"
30 #include "detect.h"
31 #include "flow-var.h"
32 #include "decode-events.h"
33 
34 #include "detect-mark.h"
35 #include "detect-parse.h"
36 
37 #include "util-unittest.h"
38 #include "util-debug.h"
39 
40 #define PARSE_REGEX "([0x]*[0-9a-f]+)/([0x]*[0-9a-f]+)"
41 
42 static pcre *parse_regex;
43 static pcre_extra *parse_regex_study;
44 
45 static int DetectMarkSetup (DetectEngineCtx *, Signature *, const char *);
46 static int DetectMarkPacket(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
47  const Signature *s, const SigMatchCtx *ctx);
48 void DetectMarkDataFree(void *ptr);
49 
50 /**
51  * \brief Registration function for nfq_set_mark: keyword
52  */
53 
54 void DetectMarkRegister (void)
55 {
56  sigmatch_table[DETECT_MARK].name = "nfq_set_mark";
57  sigmatch_table[DETECT_MARK].Match = DetectMarkPacket;
58  sigmatch_table[DETECT_MARK].Setup = DetectMarkSetup;
59  sigmatch_table[DETECT_MARK].Free = DetectMarkDataFree;
60  sigmatch_table[DETECT_MARK].RegisterTests = MarkRegisterTests;
61 
62  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
63 }
64 
65 #ifdef NFQ
66 /**
67  * \internal
68  * \brief This function is used to parse mark options passed via mark: keyword
69  *
70  * \param rawstr Pointer to the user provided mark options
71  *
72  * \retval 0 on success
73  * \retval < 0 on failure
74  */
75 static void * DetectMarkParse (const char *rawstr)
76 {
77  int ret = 0, res = 0;
78 #define MAX_SUBSTRINGS 30
79  int ov[MAX_SUBSTRINGS];
80  const char *str_ptr = NULL;
81  char *ptr = NULL;
82  char *endptr = NULL;
83  uint32_t mark;
84  uint32_t mask;
85  DetectMarkData *data;
86 
87  ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
88  if (ret < 1) {
89  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
90  return NULL;
91  }
92 
93  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
94  if (res < 0) {
95  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
96  return NULL;
97  }
98 
99  ptr = (char *)str_ptr;
100 
101  if (ptr == NULL)
102  return NULL;
103 
104  errno = 0;
105  mark = strtoul(ptr, &endptr, 0);
106  if (errno == ERANGE) {
107  SCLogError(SC_ERR_NUMERIC_VALUE_ERANGE, "Numeric value out of range");
108  SCFree(ptr);
109  return NULL;
110  } /* If there is no numeric value in the given string then strtoull(), makes
111  endptr equals to ptr and return 0 as result */
112  else if (endptr == ptr && mark == 0) {
113  SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "No numeric value");
114  SCFree(ptr);
115  return NULL;
116  } else if (endptr == ptr) {
117  SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "Invalid numeric value");
118  SCFree(ptr);
119  return NULL;
120  }
121 
122  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
123  if (res < 0) {
124  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
125  return NULL;
126  }
127 
128  SCFree(ptr);
129  ptr = (char *)str_ptr;
130 
131  if (ptr == NULL) {
132  data = SCMalloc(sizeof(DetectMarkData));
133  if (unlikely(data == NULL)) {
134  return NULL;
135  }
136  data->mark = mark;
137  data->mask = 0xffff;
138  return data;
139  }
140 
141  errno = 0;
142  mask = strtoul(ptr, &endptr, 0);
143  if (errno == ERANGE) {
144  SCLogError(SC_ERR_NUMERIC_VALUE_ERANGE, "Numeric value out of range");
145  SCFree(ptr);
146  return NULL;
147  } /* If there is no numeric value in the given string then strtoull(), makes
148  endptr equals to ptr and return 0 as result */
149  else if (endptr == ptr && mask == 0) {
150  SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "No numeric value");
151  SCFree(ptr);
152  return NULL;
153  }
154  else if (endptr == ptr) {
155  SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "Invalid numeric value");
156  SCFree(ptr);
157  return NULL;
158  }
159 
160  SCLogDebug("Rule will set mark 0x%x with mask 0x%x", mark, mask);
161  SCFree(ptr);
162 
163  data = SCMalloc(sizeof(DetectMarkData));
164  if (unlikely(data == NULL)) {
165  return NULL;
166  }
167  data->mark = mark;
168  data->mask = mask;
169  return data;
170 }
171 
172 #endif /* NFQ */
173 
174 /**
175  * \internal
176  * \brief this function is used to add the parsed mark into the current signature
177  *
178  * \param de_ctx pointer to the Detection Engine Context
179  * \param s pointer to the Current Signature
180  * \param rawstr pointer to the user provided mark options
181  *
182  * \retval 0 on Success
183  * \retval -1 on Failure
184  */
185 static int DetectMarkSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
186 {
187 #ifndef NFQ
188  return 0;
189 #else
190  DetectMarkData *data = DetectMarkParse(rawstr);
191  if (data == NULL) {
192  return -1;
193  }
194  SigMatch *sm = SigMatchAlloc();
195  if (sm == NULL) {
196  DetectMarkDataFree(data);
197  return -1;
198  }
199 
200  sm->type = DETECT_MARK;
201  sm->ctx = (SigMatchCtx *)data;
202 
203  /* Append it to the list of post match, so the mark is set if the
204  * full signature matches. */
205  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
206  return 0;
207 #endif
208 }
209 
210 void DetectMarkDataFree(void *ptr)
211 {
212  DetectMarkData *data = (DetectMarkData *)ptr;
213  SCFree(data);
214 }
215 
216 
217 static int DetectMarkPacket(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
218  const Signature *s, const SigMatchCtx *ctx)
219 {
220 #ifdef NFQ
221  const DetectMarkData *nf_data = (const DetectMarkData *)ctx;
222  if (nf_data->mask) {
223  if (!(IS_TUNNEL_PKT(p))) {
224  /* coverity[missing_lock] */
225  p->nfq_v.mark = (nf_data->mark & nf_data->mask)
226  | (p->nfq_v.mark & ~(nf_data->mask));
227  p->flags |= PKT_MARK_MODIFIED;
228  } else {
229  /* real tunnels may have multiple flows inside them, so marking
230  * might 'mark' too much. Rebuilt packets from IP fragments
231  * are fine. */
232  if (p->flags & PKT_REBUILT_FRAGMENT) {
233  Packet *tp = p->root ? p->root : p;
234  SCMutexLock(&tp->tunnel_mutex);
235  tp->nfq_v.mark = (nf_data->mark & nf_data->mask)
236  | (tp->nfq_v.mark & ~(nf_data->mask));
237  tp->flags |= PKT_MARK_MODIFIED;
238  SCMutexUnlock(&tp->tunnel_mutex);
239  }
240  }
241  }
242 #endif
243  return 1;
244 }
245 
246 /*
247  * ONLY TESTS BELOW THIS COMMENT
248  */
249 
250 #if defined UNITTESTS && defined NFQ
251 /**
252  * \test MarkTestParse01 is a test for a valid mark value
253  *
254  * \retval 1 on succces
255  * \retval 0 on failure
256  */
257 static int MarkTestParse01 (void)
258 {
259  DetectMarkData *data;
260 
261  data = DetectMarkParse("1/1");
262 
263  if (data == NULL) {
264  return 0;
265  }
266 
267  DetectMarkDataFree(data);
268  return 1;
269 }
270 
271 /**
272  * \test MarkTestParse02 is a test for an invalid mark value
273  *
274  * \retval 1 on succces
275  * \retval 0 on failure
276  */
277 static int MarkTestParse02 (void)
278 {
279  DetectMarkData *data;
280 
281  data = DetectMarkParse("4");
282 
283  if (data == NULL) {
284  return 1;
285  }
286 
287  DetectMarkDataFree(data);
288  return 0;
289 }
290 
291 /**
292  * \test MarkTestParse03 is a test for a valid mark value
293  *
294  * \retval 1 on succces
295  * \retval 0 on failure
296  */
297 static int MarkTestParse03 (void)
298 {
299  DetectMarkData *data;
300 
301  data = DetectMarkParse("0x10/0xff");
302 
303  if (data == NULL) {
304  return 0;
305  }
306 
307  DetectMarkDataFree(data);
308  return 1;
309 }
310 
311 /**
312  * \test MarkTestParse04 is a test for a invalid mark value
313  *
314  * \retval 1 on succces
315  * \retval 0 on failure
316  */
317 static int MarkTestParse04 (void)
318 {
319  DetectMarkData *data;
320 
321  data = DetectMarkParse("0x1g/0xff");
322 
323  if (data == NULL) {
324  return 1;
325  }
326 
327  DetectMarkDataFree(data);
328  return 0;
329 }
330 
331 
332 
333 #endif /* UNITTESTS */
334 
335 /**
336  * \brief this function registers unit tests for Mark
337  */
338 void MarkRegisterTests(void)
339 {
340 #if defined UNITTESTS && defined NFQ
341  UtRegisterTest("MarkTestParse01", MarkTestParse01);
342  UtRegisterTest("MarkTestParse02", MarkTestParse02);
343  UtRegisterTest("MarkTestParse03", MarkTestParse03);
344  UtRegisterTest("MarkTestParse04", MarkTestParse04);
345 #endif /* UNITTESTS */
346 }
MarkRegisterTests
void MarkRegisterTests(void)
this function registers unit tests for Mark
Definition: detect-mark.c:338
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DetectMarkDataFree
void DetectMarkDataFree(void *ptr)
Definition: detect-mark.c:210
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-mark.c:40
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:884
SigTableElmt_::name
const char * name
Definition: detect.h:1163
Signature_
Signature container.
Definition: detect.h:495
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:723
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1154
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2286
PKT_REBUILT_FRAGMENT
#define PKT_REBUILT_FRAGMENT
Definition: decode.h:1119
SigMatch_::type
uint8_t type
Definition: detect.h:323
Packet_
Definition: decode.h:405
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
DetectMarkRegister
void DetectMarkRegister(void)
Registration function for nfq_set_mark: keyword.
Definition: detect-mark.c:54
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:325
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:166
Packet_::tunnel_mutex
SCMutex tunnel_mutex
Definition: decode.h:587
SCFree
#define SCFree(a)
Definition: util-mem.h:228
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
NFQPacketVars_::mark
uint32_t mark
Definition: source-nfq.h:45
Packet_::nfq_v
NFQPacketVars nfq_v
Definition: decode.h:457
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:965
DetectMarkData_::mask
uint32_t mask
Definition: detect-mark.h:46
PKT_MARK_MODIFIED
#define PKT_MARK_MODIFIED
Definition: decode.h:1095
DetectMarkData_
Definition: detect-mark.h:44
Packet_::flags
uint32_t flags
Definition: decode.h:441
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1155
SigMatch_
a single match condition for a signature
Definition: detect.h:322
DetectMarkData_::mark
uint32_t mark
Definition: detect-mark.h:45
Packet_::root
struct Packet_ * root
Definition: decode.h:577