suricata
detect-mqtt-flags.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Sascha Steinbiss <sascha@steinbiss.name>
22  */
23 
24 #include "suricata-common.h"
25 #include "conf.h"
26 #include "detect.h"
27 #include "detect-parse.h"
28 #include "detect-engine.h"
30 #include "detect-mqtt-flags.h"
31 #include "util-unittest.h"
32 
33 #include "rust-bindings.h"
34 
35 #define PARSE_REGEX "(?: *,?!?(?:retain|dup))+"
36 static DetectParseRegex parse_regex;
37 
38 static int mqtt_flags_id = 0;
39 
40 static int DetectMQTTFlagsMatch(DetectEngineThreadCtx *det_ctx,
41  Flow *f, uint8_t flags, void *state,
42  void *txv, const Signature *s,
43  const SigMatchCtx *ctx);
44 static int DetectMQTTFlagsSetup (DetectEngineCtx *, Signature *, const char *);
45 void MQTTFlagsRegisterTests(void);
47 
48 static int DetectEngineInspectMQTTFlagsGeneric(ThreadVars *tv,
50  const Signature *s, const SigMatchData *smd,
51  Flow *f, uint8_t flags, void *alstate,
52  void *txv, uint64_t tx_id);
53 
54 typedef struct DetectMQTTFlagsData_ {
55  MQTTFlagState retain, dup;
57 
58 /**
59  * \brief Registration function for mqtt.flags: keyword
60  */
62 {
64  sigmatch_table[DETECT_AL_MQTT_FLAGS].desc = "match MQTT fixed header flags";
65  sigmatch_table[DETECT_AL_MQTT_FLAGS].url = "/rules/mqtt-keywords.html#mqtt-flags";
66  sigmatch_table[DETECT_AL_MQTT_FLAGS].AppLayerTxMatch = DetectMQTTFlagsMatch;
67  sigmatch_table[DETECT_AL_MQTT_FLAGS].Setup = DetectMQTTFlagsSetup;
69 #ifdef UNITTESTS
71 #endif
72 
73  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
74 
77  DetectEngineInspectMQTTFlagsGeneric);
78 
79  mqtt_flags_id = DetectBufferTypeGetByName("mqtt.flags");
80 }
81 
82 static int DetectEngineInspectMQTTFlagsGeneric(ThreadVars *tv,
84  const Signature *s, const SigMatchData *smd,
85  Flow *f, uint8_t flags, void *alstate,
86  void *txv, uint64_t tx_id)
87 {
88  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
89  f, flags, alstate, txv, tx_id);
90 }
91 
92 /**
93  * \internal
94  * \brief Function to match fixed header flags of an MQTT Tx
95  *
96  * \param det_ctx Pointer to the pattern matcher thread.
97  * \param f Pointer to the current flow.
98  * \param flags Flags.
99  * \param state App layer state.
100  * \param txv Pointer to the transaction.
101  * \param s Pointer to the Signature.
102  * \param ctx Pointer to the sigmatch that we will cast into DetectMQTTFlagsData.
103  *
104  * \retval 0 no match.
105  * \retval 1 match.
106  */
107 static int DetectMQTTFlagsMatch(DetectEngineThreadCtx *det_ctx,
108  Flow *f, uint8_t flags, void *state,
109  void *txv, const Signature *s,
110  const SigMatchCtx *ctx)
111 {
112  const DetectMQTTFlagsData *de = (const DetectMQTTFlagsData *)ctx;
113 
114  if (!de)
115  return 0;
116 
117  return rs_mqtt_tx_has_flags(txv, de->retain, de->dup);
118 }
119 
120 /**
121  * \internal
122  * \brief This function is used to parse options passed via mqtt.flags: keyword
123  *
124  * \param rawstr Pointer to the user provided options
125  *
126  * \retval de pointer to DetectMQTTFlagsData on success
127  * \retval NULL on failure
128  */
129 static DetectMQTTFlagsData *DetectMQTTFlagsParse(const char *rawstr)
130 {
131  DetectMQTTFlagsData *de = NULL;
132  int ret = 0;
133  int ov[MAX_SUBSTRINGS];
134 
135  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
136  if (ret < 1) {
137  SCLogError(SC_ERR_PCRE_MATCH, "invalid flag definition: %s", rawstr);
138  return NULL;
139  }
140 
141  de = SCCalloc(1, sizeof(DetectMQTTFlagsData));
142  if (unlikely(de == NULL))
143  return NULL;
144  de->retain = de->dup = MQTT_DONT_CARE;
145 
146  char copy[strlen(rawstr)+1];
147  strlcpy(copy, rawstr, sizeof(copy));
148  char *xsaveptr = NULL;
149 
150  /* Iterate through comma-separated string... */
151  char *flagv = strtok_r(copy, ",", &xsaveptr);
152  while (flagv != NULL) {
153  /* skip blanks */
154  while (*flagv != '\0' && isblank(*flagv)) {
155  flagv++;
156  }
157  if (strlen(flagv) < 2) {
158  /* flags have a minimum length */
159  SCLogError(SC_ERR_UNKNOWN_VALUE, "malformed flag value: %s", flagv);
160  goto error;
161  } else {
162  int offset = 0;
163  MQTTFlagState fs_to_set = MQTT_MUST_BE_SET;
164  if (flagv[0] == '!') {
165  /* negated flag */
166  offset = 1; /* skip negation operator during comparison */
167  fs_to_set = MQTT_CANT_BE_SET;
168  }
169  if (strcmp(flagv+offset, "dup") == 0) {
170  if (de->dup != MQTT_DONT_CARE) {
171  SCLogError(SC_ERR_INVALID_VALUE, "duplicate flag definition: %s", flagv);
172  goto error;
173  }
174  de->dup = fs_to_set;
175  } else if (strcmp(flagv+offset, "retain") == 0) {
176  if (de->retain != MQTT_DONT_CARE) {
177  SCLogError(SC_ERR_INVALID_VALUE, "duplicate flag definition: %s", flagv);
178  goto error;
179  }
180  de->retain = fs_to_set;
181  } else {
182  SCLogError(SC_ERR_UNKNOWN_VALUE, "invalid flag definition: %s", flagv);
183  goto error;
184  }
185  }
186  flagv = strtok_r(NULL, ",", &xsaveptr);
187  }
188 
189  return de;
190 
191 error:
192  /* de can't be NULL here */
193  SCFree(de);
194  return NULL;
195 }
196 
197 /**
198  * \internal
199  * \brief this function is used to add the parsed type query into the current signature
200  *
201  * \param de_ctx pointer to the Detection Engine Context
202  * \param s pointer to the Current Signature
203  * \param rawstr pointer to the user provided options
204  *
205  * \retval 0 on Success
206  * \retval -1 on Failure
207  */
208 static int DetectMQTTFlagsSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
209 {
210  DetectMQTTFlagsData *de = NULL;
211  SigMatch *sm = NULL;
212 
214  return -1;
215 
216  de = DetectMQTTFlagsParse(rawstr);
217  if (de == NULL)
218  goto error;
219 
220  sm = SigMatchAlloc();
221  if (sm == NULL)
222  goto error;
223 
225  sm->ctx = (SigMatchCtx *)de;
226 
227  SigMatchAppendSMToList(s, sm, mqtt_flags_id);
228 
229  return 0;
230 
231 error:
232  if (de != NULL)
233  SCFree(de);
234  if (sm != NULL)
235  SCFree(sm);
236  return -1;
237 }
238 
239 /**
240  * \internal
241  * \brief this function will free memory associated with DetectMQTTFlagsData
242  *
243  * \param de pointer to DetectMQTTFlagsData
244  */
246 {
247  if (de_ptr != NULL)
248  SCFree(de_ptr);
249 }
250 
251 /*
252  * ONLY TESTS BELOW THIS COMMENT
253  */
254 
255 #ifdef UNITTESTS
256 /**
257  * \test MQTTFlagsTestParse01 is a test for a valid value
258  *
259  * \retval 1 on success
260  * \retval 0 on failure
261  */
262 static int MQTTFlagsTestParse01 (void)
263 {
264  DetectMQTTFlagsData *de = NULL;
265 
266  de = DetectMQTTFlagsParse("retain");
267  FAIL_IF_NULL(de);
268  DetectMQTTFlagsFree(NULL, de);
269 
270  de = DetectMQTTFlagsParse("dup");
271  FAIL_IF_NULL(de);
272  DetectMQTTFlagsFree(NULL, de);
273 
274  de = DetectMQTTFlagsParse("retain,dup");
275  FAIL_IF_NULL(de);
276  DetectMQTTFlagsFree(NULL, de);
277 
278  de = DetectMQTTFlagsParse("dup, retain");
279  FAIL_IF_NULL(de);
280  DetectMQTTFlagsFree(NULL, de);
281 
282  PASS;
283 }
284 
285 /**
286  * \test MQTTFlagsTestParse02 is a test for a valid value
287  *
288  * \retval 1 on success
289  * \retval 0 on failure
290  */
291 static int MQTTFlagsTestParse02 (void)
292 {
293  DetectMQTTFlagsData *de = NULL;
294  de = DetectMQTTFlagsParse("retain,!dup");
295  FAIL_IF_NULL(de);
296  DetectMQTTFlagsFree(NULL, de);
297 
298  PASS;
299 }
300 
301 /**
302  * \test MQTTFlagsTestParse03 is a test for an invalid value
303  *
304  * \retval 1 on success
305  * \retval 0 on failure
306  */
307 static int MQTTFlagsTestParse03 (void)
308 {
309  DetectMQTTFlagsData *de = NULL;
310  de = DetectMQTTFlagsParse("ref");
311  if (de) {
312  DetectMQTTFlagsFree(NULL, de);
313  FAIL;
314  }
315 
316  PASS;
317 }
318 
319 /**
320  * \test MQTTFlagsTestParse04 is a test for an invalid value
321  *
322  * \retval 1 on success
323  * \retval 0 on failure
324  */
325 static int MQTTFlagsTestParse04 (void)
326 {
327  DetectMQTTFlagsData *de = NULL;
328  de = DetectMQTTFlagsParse("dup,!");
329  if (de) {
330  DetectMQTTFlagsFree(NULL, de);
331  FAIL;
332  }
333 
334  PASS;
335 }
336 
337 /**
338  * \test MQTTFlagsTestParse05 is a test for an invalid value
339  *
340  * \retval 1 on success
341  * \retval 0 on failure
342  */
343 static int MQTTFlagsTestParse05 (void)
344 {
345  DetectMQTTFlagsData *de = NULL;
346  de = DetectMQTTFlagsParse("dup,!dup");
347  if (de) {
348  DetectMQTTFlagsFree(NULL, de);
349  FAIL;
350  }
351 
352  de = DetectMQTTFlagsParse("!retain,retain");
353  if (de) {
354  DetectMQTTFlagsFree(NULL, de);
355  FAIL;
356  }
357 
358  PASS;
359 }
360 
361 
362 #endif /* UNITTESTS */
363 
364 /**
365  * \brief this function registers unit tests for MQTTFlags
366  */
368 {
369 #ifdef UNITTESTS
370  UtRegisterTest("MQTTFlagsTestParse01", MQTTFlagsTestParse01);
371  UtRegisterTest("MQTTFlagsTestParse02", MQTTFlagsTestParse02);
372  UtRegisterTest("MQTTFlagsTestParse03", MQTTFlagsTestParse03);
373  UtRegisterTest("MQTTFlagsTestParse04", MQTTFlagsTestParse04);
374  UtRegisterTest("MQTTFlagsTestParse05", MQTTFlagsTestParse05);
375 #endif /* UNITTESTS */
376 }
detect-mqtt-flags.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1480
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectMQTTFlagsData_::retain
MQTTFlagState retain
Definition: detect-mqtt-flags.c:55
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
SigTableElmt_::name
const char * name
Definition: detect.h:1211
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1182
DETECT_AL_MQTT_FLAGS
@ DETECT_AL_MQTT_FLAGS
Definition: detect-engine-register.h:271
SigMatchData_
Data needed for Match()
Definition: detect.h:329
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
util-unittest.h
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1596
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:880
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
DetectMQTTFlagsData_::dup
MQTTFlagState dup
Definition: detect-mqtt-flags.c:55
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
de
int de
Definition: app-layer-htp.c:575
MQTTFlagsRegisterTests
void MQTTFlagsRegisterTests(void)
this function registers unit tests for MQTTFlags
Definition: detect-mqtt-flags.c:367
DetectMQTTFlagsData_
Definition: detect-mqtt-flags.c:54
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
conf.h
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigMatch_::type
uint8_t type
Definition: detect.h:321
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectMQTTFlagsRegister
void DetectMQTTFlagsRegister(void)
Registration function for mqtt.flags: keyword.
Definition: detect-mqtt-flags.c:61
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectMQTTFlagsFree
void DetectMQTTFlagsFree(DetectEngineCtx *de_ctx, void *)
Definition: detect-mqtt-flags.c:245
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
FAIL
#define FAIL
Fail a test.
Definition: util-unittest.h:60
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:55
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:171
DetectMQTTFlagsData
struct DetectMQTTFlagsData_ DetectMQTTFlagsData
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-mqtt-flags.c:35