suricata
detect-mqtt-flags.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Sascha Steinbiss <sascha@steinbiss.name>
22  */
23 
24 #include "suricata-common.h"
25 #include "conf.h"
26 #include "detect.h"
27 #include "detect-parse.h"
28 #include "detect-engine.h"
30 #include "detect-mqtt-flags.h"
31 #include "util-unittest.h"
32 
33 #include "rust.h"
34 
35 #define PARSE_REGEX "(?: *,?!?(?:retain|dup))+"
36 static DetectParseRegex parse_regex;
37 
38 static int mqtt_flags_id = 0;
39 
40 static int DetectMQTTFlagsMatch(DetectEngineThreadCtx *det_ctx,
41  Flow *f, uint8_t flags, void *state,
42  void *txv, const Signature *s,
43  const SigMatchCtx *ctx);
44 static int DetectMQTTFlagsSetup (DetectEngineCtx *, Signature *, const char *);
45 void MQTTFlagsRegisterTests(void);
47 
48 typedef struct DetectMQTTFlagsData_ {
49  MQTTFlagState retain, dup;
51 
52 /**
53  * \brief Registration function for mqtt.flags: keyword
54  */
56 {
58  sigmatch_table[DETECT_AL_MQTT_FLAGS].desc = "match MQTT fixed header flags";
59  sigmatch_table[DETECT_AL_MQTT_FLAGS].url = "/rules/mqtt-keywords.html#mqtt-flags";
60  sigmatch_table[DETECT_AL_MQTT_FLAGS].AppLayerTxMatch = DetectMQTTFlagsMatch;
61  sigmatch_table[DETECT_AL_MQTT_FLAGS].Setup = DetectMQTTFlagsSetup;
63 #ifdef UNITTESTS
65 #endif
66 
67  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
68 
71 
72  mqtt_flags_id = DetectBufferTypeGetByName("mqtt.flags");
73 }
74 
75 /**
76  * \internal
77  * \brief Function to match fixed header flags of an MQTT Tx
78  *
79  * \param det_ctx Pointer to the pattern matcher thread.
80  * \param f Pointer to the current flow.
81  * \param flags Flags.
82  * \param state App layer state.
83  * \param txv Pointer to the transaction.
84  * \param s Pointer to the Signature.
85  * \param ctx Pointer to the sigmatch that we will cast into DetectMQTTFlagsData.
86  *
87  * \retval 0 no match.
88  * \retval 1 match.
89  */
90 static int DetectMQTTFlagsMatch(DetectEngineThreadCtx *det_ctx,
91  Flow *f, uint8_t flags, void *state,
92  void *txv, const Signature *s,
93  const SigMatchCtx *ctx)
94 {
95  const DetectMQTTFlagsData *de = (const DetectMQTTFlagsData *)ctx;
96 
97  if (!de)
98  return 0;
99 
100  return rs_mqtt_tx_has_flags(txv, de->retain, de->dup);
101 }
102 
103 /**
104  * \internal
105  * \brief This function is used to parse options passed via mqtt.flags: keyword
106  *
107  * \param rawstr Pointer to the user provided options
108  *
109  * \retval de pointer to DetectMQTTFlagsData on success
110  * \retval NULL on failure
111  */
112 static DetectMQTTFlagsData *DetectMQTTFlagsParse(const char *rawstr)
113 {
114 
116  if (unlikely(de == NULL))
117  return NULL;
118 
119  pcre2_match_data *match = NULL;
120  int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
121  if (ret < 1) {
122  SCLogError("invalid flag definition: %s", rawstr);
123  if (match) {
124  pcre2_match_data_free(match);
125  }
126  SCFree(de);
127  return NULL;
128  }
129 
130  de->retain = de->dup = MQTT_DONT_CARE;
131 
132  char copy[strlen(rawstr)+1];
133  strlcpy(copy, rawstr, sizeof(copy));
134  char *xsaveptr = NULL;
135 
136  /* Iterate through comma-separated string... */
137  char *flagv = strtok_r(copy, ",", &xsaveptr);
138  while (flagv != NULL) {
139  /* skip blanks */
140  while (*flagv != '\0' && isblank(*flagv)) {
141  flagv++;
142  }
143  if (strlen(flagv) < 2) {
144  /* flags have a minimum length */
145  SCLogError("malformed flag value: %s", flagv);
146  goto error;
147  } else {
148  int offset = 0;
149  MQTTFlagState fs_to_set = MQTT_MUST_BE_SET;
150  if (flagv[0] == '!') {
151  /* negated flag */
152  offset = 1; /* skip negation operator during comparison */
153  fs_to_set = MQTT_CANT_BE_SET;
154  }
155  if (strcmp(flagv+offset, "dup") == 0) {
156  if (de->dup != MQTT_DONT_CARE) {
157  SCLogError("duplicate flag definition: %s", flagv);
158  goto error;
159  }
160  de->dup = fs_to_set;
161  } else if (strcmp(flagv+offset, "retain") == 0) {
162  if (de->retain != MQTT_DONT_CARE) {
163  SCLogError("duplicate flag definition: %s", flagv);
164  goto error;
165  }
166  de->retain = fs_to_set;
167  } else {
168  SCLogError("invalid flag definition: %s", flagv);
169  goto error;
170  }
171  }
172  flagv = strtok_r(NULL, ",", &xsaveptr);
173  }
174 
175  pcre2_match_data_free(match);
176  return de;
177 
178 error:
179  if (match) {
180  pcre2_match_data_free(match);
181  }
182  if (de)
183  SCFree(de);
184  return NULL;
185 }
186 
187 /**
188  * \internal
189  * \brief this function is used to add the parsed type query into the current signature
190  *
191  * \param de_ctx pointer to the Detection Engine Context
192  * \param s pointer to the Current Signature
193  * \param rawstr pointer to the user provided options
194  *
195  * \retval 0 on Success
196  * \retval -1 on Failure
197  */
198 static int DetectMQTTFlagsSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
199 {
200  DetectMQTTFlagsData *de = NULL;
201  SigMatch *sm = NULL;
202 
204  return -1;
205 
206  de = DetectMQTTFlagsParse(rawstr);
207  if (de == NULL)
208  goto error;
209 
210  sm = SigMatchAlloc();
211  if (sm == NULL)
212  goto error;
213 
215  sm->ctx = (SigMatchCtx *)de;
216 
217  SigMatchAppendSMToList(s, sm, mqtt_flags_id);
218 
219  return 0;
220 
221 error:
222  if (de != NULL)
223  SCFree(de);
224  if (sm != NULL)
225  SCFree(sm);
226  return -1;
227 }
228 
229 /**
230  * \internal
231  * \brief this function will free memory associated with DetectMQTTFlagsData
232  *
233  * \param de pointer to DetectMQTTFlagsData
234  */
236 {
237  if (de_ptr != NULL)
238  SCFree(de_ptr);
239 }
240 
241 /*
242  * ONLY TESTS BELOW THIS COMMENT
243  */
244 
245 #ifdef UNITTESTS
246 /**
247  * \test MQTTFlagsTestParse01 is a test for a valid value
248  *
249  * \retval 1 on success
250  * \retval 0 on failure
251  */
252 static int MQTTFlagsTestParse01 (void)
253 {
254  DetectMQTTFlagsData *de = NULL;
255 
256  de = DetectMQTTFlagsParse("retain");
257  FAIL_IF_NULL(de);
258  DetectMQTTFlagsFree(NULL, de);
259 
260  de = DetectMQTTFlagsParse("dup");
261  FAIL_IF_NULL(de);
262  DetectMQTTFlagsFree(NULL, de);
263 
264  de = DetectMQTTFlagsParse("retain,dup");
265  FAIL_IF_NULL(de);
266  DetectMQTTFlagsFree(NULL, de);
267 
268  de = DetectMQTTFlagsParse("dup, retain");
269  FAIL_IF_NULL(de);
270  DetectMQTTFlagsFree(NULL, de);
271 
272  PASS;
273 }
274 
275 /**
276  * \test MQTTFlagsTestParse02 is a test for a valid value
277  *
278  * \retval 1 on success
279  * \retval 0 on failure
280  */
281 static int MQTTFlagsTestParse02 (void)
282 {
283  DetectMQTTFlagsData *de = NULL;
284  de = DetectMQTTFlagsParse("retain,!dup");
285  FAIL_IF_NULL(de);
286  DetectMQTTFlagsFree(NULL, de);
287 
288  PASS;
289 }
290 
291 /**
292  * \test MQTTFlagsTestParse03 is a test for an invalid value
293  *
294  * \retval 1 on success
295  * \retval 0 on failure
296  */
297 static int MQTTFlagsTestParse03 (void)
298 {
299  DetectMQTTFlagsData *de = NULL;
300  de = DetectMQTTFlagsParse("ref");
301  if (de) {
302  DetectMQTTFlagsFree(NULL, de);
303  FAIL;
304  }
305 
306  PASS;
307 }
308 
309 /**
310  * \test MQTTFlagsTestParse04 is a test for an invalid value
311  *
312  * \retval 1 on success
313  * \retval 0 on failure
314  */
315 static int MQTTFlagsTestParse04 (void)
316 {
317  DetectMQTTFlagsData *de = NULL;
318  de = DetectMQTTFlagsParse("dup,!");
319  if (de) {
320  DetectMQTTFlagsFree(NULL, de);
321  FAIL;
322  }
323 
324  PASS;
325 }
326 
327 /**
328  * \test MQTTFlagsTestParse05 is a test for an invalid value
329  *
330  * \retval 1 on success
331  * \retval 0 on failure
332  */
333 static int MQTTFlagsTestParse05 (void)
334 {
335  DetectMQTTFlagsData *de = NULL;
336  de = DetectMQTTFlagsParse("dup,!dup");
337  if (de) {
338  DetectMQTTFlagsFree(NULL, de);
339  FAIL;
340  }
341 
342  de = DetectMQTTFlagsParse("!retain,retain");
343  if (de) {
344  DetectMQTTFlagsFree(NULL, de);
345  FAIL;
346  }
347 
348  PASS;
349 }
350 
351 
352 #endif /* UNITTESTS */
353 
354 /**
355  * \brief this function registers unit tests for MQTTFlags
356  */
358 {
359 #ifdef UNITTESTS
360  UtRegisterTest("MQTTFlagsTestParse01", MQTTFlagsTestParse01);
361  UtRegisterTest("MQTTFlagsTestParse02", MQTTFlagsTestParse02);
362  UtRegisterTest("MQTTFlagsTestParse03", MQTTFlagsTestParse03);
363  UtRegisterTest("MQTTFlagsTestParse04", MQTTFlagsTestParse04);
364  UtRegisterTest("MQTTFlagsTestParse05", MQTTFlagsTestParse05);
365 #endif /* UNITTESTS */
366 }
detect-mqtt-flags.h
SigTableElmt_::url
const char * url
Definition: detect.h:1287
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1703
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
DetectMQTTFlagsData_::retain
MQTTFlagState retain
Definition: detect-mqtt-flags.c:49
SigTableElmt_::desc
const char * desc
Definition: detect.h:1286
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1274
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1284
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:826
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1255
rust.h
DETECT_AL_MQTT_FLAGS
@ DETECT_AL_MQTT_FLAGS
Definition: detect-engine-register.h:290
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2623
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1269
util-unittest.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1124
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:255
DetectMQTTFlagsData_::dup
MQTTFlagState dup
Definition: detect-mqtt-flags.c:49
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1074
de
uint8_t de
Definition: app-layer-htp.c:577
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2747
detect.h
MQTTFlagsRegisterTests
void MQTTFlagsRegisterTests(void)
this function registers unit tests for MQTTFlags
Definition: detect-mqtt-flags.c:357
DetectMQTTFlagsData_
Definition: detect-mqtt-flags.c:48
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:343
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:216
conf.h
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:322
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:335
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectMQTTFlagsRegister
void DetectMQTTFlagsRegister(void)
Registration function for mqtt.flags: keyword.
Definition: detect-mqtt-flags.c:55
SigMatch_::type
uint16_t type
Definition: detect.h:341
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
DetectMQTTFlagsFree
void DetectMQTTFlagsFree(DetectEngineCtx *de_ctx, void *)
Definition: detect-mqtt-flags.c:235
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2122
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:581
SigMatch_
a single match condition for a signature
Definition: detect.h:340
FAIL
#define FAIL
Fail a test.
Definition: util-unittest.h:60
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:56
DetectMQTTFlagsData
struct DetectMQTTFlagsData_ DetectMQTTFlagsData
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1276
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-mqtt-flags.c:35