suricata
detect-mqtt-flags.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Sascha Steinbiss <sascha@steinbiss.name>
22  */
23 
24 #include "suricata-common.h"
25 #include "conf.h"
26 #include "detect.h"
27 #include "detect-parse.h"
28 #include "detect-engine.h"
30 #include "detect-mqtt-flags.h"
31 #include "util-unittest.h"
32 
33 #include "rust.h"
34 
35 #define PARSE_REGEX "(?: *,?!?(?:retain|dup))+"
36 static DetectParseRegex parse_regex;
37 
38 static int mqtt_flags_id = 0;
39 
40 static int DetectMQTTFlagsMatch(DetectEngineThreadCtx *det_ctx,
41  Flow *f, uint8_t flags, void *state,
42  void *txv, const Signature *s,
43  const SigMatchCtx *ctx);
44 static int DetectMQTTFlagsSetup (DetectEngineCtx *, Signature *, const char *);
45 void MQTTFlagsRegisterTests(void);
47 
48 static int DetectEngineInspectMQTTFlagsGeneric(DetectEngineCtx *de_ctx,
49  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
50  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
51 
52 typedef struct DetectMQTTFlagsData_ {
53  MQTTFlagState retain, dup;
55 
56 /**
57  * \brief Registration function for mqtt.flags: keyword
58  */
60 {
62  sigmatch_table[DETECT_AL_MQTT_FLAGS].desc = "match MQTT fixed header flags";
63  sigmatch_table[DETECT_AL_MQTT_FLAGS].url = "/rules/mqtt-keywords.html#mqtt-flags";
64  sigmatch_table[DETECT_AL_MQTT_FLAGS].AppLayerTxMatch = DetectMQTTFlagsMatch;
65  sigmatch_table[DETECT_AL_MQTT_FLAGS].Setup = DetectMQTTFlagsSetup;
67 #ifdef UNITTESTS
69 #endif
70 
71  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
72 
74  DetectEngineInspectMQTTFlagsGeneric, NULL);
75 
76  mqtt_flags_id = DetectBufferTypeGetByName("mqtt.flags");
77 }
78 
79 static int DetectEngineInspectMQTTFlagsGeneric(DetectEngineCtx *de_ctx,
80  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
81  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
82 {
84  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
85 }
86 
87 /**
88  * \internal
89  * \brief Function to match fixed header flags of an MQTT Tx
90  *
91  * \param det_ctx Pointer to the pattern matcher thread.
92  * \param f Pointer to the current flow.
93  * \param flags Flags.
94  * \param state App layer state.
95  * \param txv Pointer to the transaction.
96  * \param s Pointer to the Signature.
97  * \param ctx Pointer to the sigmatch that we will cast into DetectMQTTFlagsData.
98  *
99  * \retval 0 no match.
100  * \retval 1 match.
101  */
102 static int DetectMQTTFlagsMatch(DetectEngineThreadCtx *det_ctx,
103  Flow *f, uint8_t flags, void *state,
104  void *txv, const Signature *s,
105  const SigMatchCtx *ctx)
106 {
107  const DetectMQTTFlagsData *de = (const DetectMQTTFlagsData *)ctx;
108 
109  if (!de)
110  return 0;
111 
112  return rs_mqtt_tx_has_flags(txv, de->retain, de->dup);
113 }
114 
115 /**
116  * \internal
117  * \brief This function is used to parse options passed via mqtt.flags: keyword
118  *
119  * \param rawstr Pointer to the user provided options
120  *
121  * \retval de pointer to DetectMQTTFlagsData on success
122  * \retval NULL on failure
123  */
124 static DetectMQTTFlagsData *DetectMQTTFlagsParse(const char *rawstr)
125 {
126  DetectMQTTFlagsData *de = NULL;
127  int ret = 0;
128 
129  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
130  if (ret < 1) {
131  SCLogError(SC_ERR_PCRE_MATCH, "invalid flag definition: %s", rawstr);
132  return NULL;
133  }
134 
135  de = SCCalloc(1, sizeof(DetectMQTTFlagsData));
136  if (unlikely(de == NULL))
137  return NULL;
138  de->retain = de->dup = MQTT_DONT_CARE;
139 
140  char copy[strlen(rawstr)+1];
141  strlcpy(copy, rawstr, sizeof(copy));
142  char *xsaveptr = NULL;
143 
144  /* Iterate through comma-separated string... */
145  char *flagv = strtok_r(copy, ",", &xsaveptr);
146  while (flagv != NULL) {
147  /* skip blanks */
148  while (*flagv != '\0' && isblank(*flagv)) {
149  flagv++;
150  }
151  if (strlen(flagv) < 2) {
152  /* flags have a minimum length */
153  SCLogError(SC_ERR_UNKNOWN_VALUE, "malformed flag value: %s", flagv);
154  goto error;
155  } else {
156  int offset = 0;
157  MQTTFlagState fs_to_set = MQTT_MUST_BE_SET;
158  if (flagv[0] == '!') {
159  /* negated flag */
160  offset = 1; /* skip negation operator during comparison */
161  fs_to_set = MQTT_CANT_BE_SET;
162  }
163  if (strcmp(flagv+offset, "dup") == 0) {
164  if (de->dup != MQTT_DONT_CARE) {
165  SCLogError(SC_ERR_INVALID_VALUE, "duplicate flag definition: %s", flagv);
166  goto error;
167  }
168  de->dup = fs_to_set;
169  } else if (strcmp(flagv+offset, "retain") == 0) {
170  if (de->retain != MQTT_DONT_CARE) {
171  SCLogError(SC_ERR_INVALID_VALUE, "duplicate flag definition: %s", flagv);
172  goto error;
173  }
174  de->retain = fs_to_set;
175  } else {
176  SCLogError(SC_ERR_UNKNOWN_VALUE, "invalid flag definition: %s", flagv);
177  goto error;
178  }
179  }
180  flagv = strtok_r(NULL, ",", &xsaveptr);
181  }
182 
183  return de;
184 
185 error:
186  /* de can't be NULL here */
187  SCFree(de);
188  return NULL;
189 }
190 
191 /**
192  * \internal
193  * \brief this function is used to add the parsed type query into the current signature
194  *
195  * \param de_ctx pointer to the Detection Engine Context
196  * \param s pointer to the Current Signature
197  * \param rawstr pointer to the user provided options
198  *
199  * \retval 0 on Success
200  * \retval -1 on Failure
201  */
202 static int DetectMQTTFlagsSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
203 {
204  DetectMQTTFlagsData *de = NULL;
205  SigMatch *sm = NULL;
206 
208  return -1;
209 
210  de = DetectMQTTFlagsParse(rawstr);
211  if (de == NULL)
212  goto error;
213 
214  sm = SigMatchAlloc();
215  if (sm == NULL)
216  goto error;
217 
219  sm->ctx = (SigMatchCtx *)de;
220 
221  SigMatchAppendSMToList(s, sm, mqtt_flags_id);
222 
223  return 0;
224 
225 error:
226  if (de != NULL)
227  SCFree(de);
228  if (sm != NULL)
229  SCFree(sm);
230  return -1;
231 }
232 
233 /**
234  * \internal
235  * \brief this function will free memory associated with DetectMQTTFlagsData
236  *
237  * \param de pointer to DetectMQTTFlagsData
238  */
240 {
241  if (de_ptr != NULL)
242  SCFree(de_ptr);
243 }
244 
245 /*
246  * ONLY TESTS BELOW THIS COMMENT
247  */
248 
249 #ifdef UNITTESTS
250 /**
251  * \test MQTTFlagsTestParse01 is a test for a valid value
252  *
253  * \retval 1 on success
254  * \retval 0 on failure
255  */
256 static int MQTTFlagsTestParse01 (void)
257 {
258  DetectMQTTFlagsData *de = NULL;
259 
260  de = DetectMQTTFlagsParse("retain");
261  FAIL_IF_NULL(de);
262  DetectMQTTFlagsFree(NULL, de);
263 
264  de = DetectMQTTFlagsParse("dup");
265  FAIL_IF_NULL(de);
266  DetectMQTTFlagsFree(NULL, de);
267 
268  de = DetectMQTTFlagsParse("retain,dup");
269  FAIL_IF_NULL(de);
270  DetectMQTTFlagsFree(NULL, de);
271 
272  de = DetectMQTTFlagsParse("dup, retain");
273  FAIL_IF_NULL(de);
274  DetectMQTTFlagsFree(NULL, de);
275 
276  PASS;
277 }
278 
279 /**
280  * \test MQTTFlagsTestParse02 is a test for a valid value
281  *
282  * \retval 1 on success
283  * \retval 0 on failure
284  */
285 static int MQTTFlagsTestParse02 (void)
286 {
287  DetectMQTTFlagsData *de = NULL;
288  de = DetectMQTTFlagsParse("retain,!dup");
289  FAIL_IF_NULL(de);
290  DetectMQTTFlagsFree(NULL, de);
291 
292  PASS;
293 }
294 
295 /**
296  * \test MQTTFlagsTestParse03 is a test for an invalid value
297  *
298  * \retval 1 on success
299  * \retval 0 on failure
300  */
301 static int MQTTFlagsTestParse03 (void)
302 {
303  DetectMQTTFlagsData *de = NULL;
304  de = DetectMQTTFlagsParse("ref");
305  if (de) {
306  DetectMQTTFlagsFree(NULL, de);
307  FAIL;
308  }
309 
310  PASS;
311 }
312 
313 /**
314  * \test MQTTFlagsTestParse04 is a test for an invalid value
315  *
316  * \retval 1 on success
317  * \retval 0 on failure
318  */
319 static int MQTTFlagsTestParse04 (void)
320 {
321  DetectMQTTFlagsData *de = NULL;
322  de = DetectMQTTFlagsParse("dup,!");
323  if (de) {
324  DetectMQTTFlagsFree(NULL, de);
325  FAIL;
326  }
327 
328  PASS;
329 }
330 
331 /**
332  * \test MQTTFlagsTestParse05 is a test for an invalid value
333  *
334  * \retval 1 on success
335  * \retval 0 on failure
336  */
337 static int MQTTFlagsTestParse05 (void)
338 {
339  DetectMQTTFlagsData *de = NULL;
340  de = DetectMQTTFlagsParse("dup,!dup");
341  if (de) {
342  DetectMQTTFlagsFree(NULL, de);
343  FAIL;
344  }
345 
346  de = DetectMQTTFlagsParse("!retain,retain");
347  if (de) {
348  DetectMQTTFlagsFree(NULL, de);
349  FAIL;
350  }
351 
352  PASS;
353 }
354 
355 
356 #endif /* UNITTESTS */
357 
358 /**
359  * \brief this function registers unit tests for MQTTFlags
360  */
362 {
363 #ifdef UNITTESTS
364  UtRegisterTest("MQTTFlagsTestParse01", MQTTFlagsTestParse01);
365  UtRegisterTest("MQTTFlagsTestParse02", MQTTFlagsTestParse02);
366  UtRegisterTest("MQTTFlagsTestParse03", MQTTFlagsTestParse03);
367  UtRegisterTest("MQTTFlagsTestParse04", MQTTFlagsTestParse04);
368  UtRegisterTest("MQTTFlagsTestParse05", MQTTFlagsTestParse05);
369 #endif /* UNITTESTS */
370 }
detect-mqtt-flags.h
DetectEngineAppInspectionEngine_
Definition: detect.h:398
SigTableElmt_::url
const char * url
Definition: detect.h:1270
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectMQTTFlagsData_::retain
MQTTFlagState retain
Definition: detect-mqtt-flags.c:53
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2474
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1257
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1941
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1267
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_
Flow data structure.
Definition: flow.h:353
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1238
rust.h
DETECT_AL_MQTT_FLAGS
@ DETECT_AL_MQTT_FLAGS
Definition: detect-engine-register.h:274
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
util-unittest.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1077
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
DetectMQTTFlagsData_::dup
MQTTFlagState dup
Definition: detect-mqtt-flags.c:53
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
de
uint8_t de
Definition: app-layer-htp.c:563
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2597
detect.h
MQTTFlagsRegisterTests
void MQTTFlagsRegisterTests(void)
this function registers unit tests for MQTTFlags
Definition: detect-mqtt-flags.c:361
DetectMQTTFlagsData_
Definition: detect-mqtt-flags.c:52
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:225
conf.h
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectMQTTFlagsRegister
void DetectMQTTFlagsRegister(void)
Registration function for mqtt.flags: keyword.
Definition: detect-mqtt-flags.c:59
SigMatch_::type
uint16_t type
Definition: detect.h:322
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectMQTTFlagsFree
void DetectMQTTFlagsFree(DetectEngineCtx *de_ctx, void *)
Definition: detect-mqtt-flags.c:239
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
FAIL
#define FAIL
Fail a test.
Definition: util-unittest.h:60
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:56
DetectMQTTFlagsData
struct DetectMQTTFlagsData_ DetectMQTTFlagsData
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-mqtt-flags.c:35