suricata
detect-mqtt-flags.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Sascha Steinbiss <sascha@steinbiss.name>
22  */
23 
24 #include "suricata-common.h"
25 #include "conf.h"
26 #include "detect.h"
27 #include "detect-parse.h"
28 #include "detect-engine.h"
30 #include "detect-mqtt-flags.h"
31 #include "util-unittest.h"
32 
33 #include "rust.h"
34 
35 #define PARSE_REGEX "(?: *,?!?(?:retain|dup))+"
36 static DetectParseRegex parse_regex;
37 
38 static int mqtt_flags_id = 0;
39 
40 static int DetectMQTTFlagsMatch(DetectEngineThreadCtx *det_ctx,
41  Flow *f, uint8_t flags, void *state,
42  void *txv, const Signature *s,
43  const SigMatchCtx *ctx);
44 static int DetectMQTTFlagsSetup (DetectEngineCtx *, Signature *, const char *);
45 void MQTTFlagsRegisterTests(void);
47 
48 typedef struct DetectMQTTFlagsData_ {
49  MQTTFlagState retain, dup;
51 
52 /**
53  * \brief Registration function for mqtt.flags: keyword
54  */
56 {
58  sigmatch_table[DETECT_AL_MQTT_FLAGS].desc = "match MQTT fixed header flags";
59  sigmatch_table[DETECT_AL_MQTT_FLAGS].url = "/rules/mqtt-keywords.html#mqtt-flags";
60  sigmatch_table[DETECT_AL_MQTT_FLAGS].AppLayerTxMatch = DetectMQTTFlagsMatch;
61  sigmatch_table[DETECT_AL_MQTT_FLAGS].Setup = DetectMQTTFlagsSetup;
63 #ifdef UNITTESTS
65 #endif
66 
67  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
68 
71 
72  mqtt_flags_id = DetectBufferTypeGetByName("mqtt.flags");
73 }
74 
75 /**
76  * \internal
77  * \brief Function to match fixed header flags of an MQTT Tx
78  *
79  * \param det_ctx Pointer to the pattern matcher thread.
80  * \param f Pointer to the current flow.
81  * \param flags Flags.
82  * \param state App layer state.
83  * \param txv Pointer to the transaction.
84  * \param s Pointer to the Signature.
85  * \param ctx Pointer to the sigmatch that we will cast into DetectMQTTFlagsData.
86  *
87  * \retval 0 no match.
88  * \retval 1 match.
89  */
90 static int DetectMQTTFlagsMatch(DetectEngineThreadCtx *det_ctx,
91  Flow *f, uint8_t flags, void *state,
92  void *txv, const Signature *s,
93  const SigMatchCtx *ctx)
94 {
95  const DetectMQTTFlagsData *de = (const DetectMQTTFlagsData *)ctx;
96 
97  if (!de)
98  return 0;
99 
100  return rs_mqtt_tx_has_flags(txv, de->retain, de->dup);
101 }
102 
103 /**
104  * \internal
105  * \brief This function is used to parse options passed via mqtt.flags: keyword
106  *
107  * \param rawstr Pointer to the user provided options
108  *
109  * \retval de pointer to DetectMQTTFlagsData on success
110  * \retval NULL on failure
111  */
112 static DetectMQTTFlagsData *DetectMQTTFlagsParse(const char *rawstr)
113 {
114  DetectMQTTFlagsData *de = NULL;
115  int ret = 0;
116 
117  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
118  if (ret < 1) {
119  SCLogError(SC_ERR_PCRE_MATCH, "invalid flag definition: %s", rawstr);
120  return NULL;
121  }
122 
123  de = SCCalloc(1, sizeof(DetectMQTTFlagsData));
124  if (unlikely(de == NULL))
125  return NULL;
126  de->retain = de->dup = MQTT_DONT_CARE;
127 
128  char copy[strlen(rawstr)+1];
129  strlcpy(copy, rawstr, sizeof(copy));
130  char *xsaveptr = NULL;
131 
132  /* Iterate through comma-separated string... */
133  char *flagv = strtok_r(copy, ",", &xsaveptr);
134  while (flagv != NULL) {
135  /* skip blanks */
136  while (*flagv != '\0' && isblank(*flagv)) {
137  flagv++;
138  }
139  if (strlen(flagv) < 2) {
140  /* flags have a minimum length */
141  SCLogError(SC_ERR_UNKNOWN_VALUE, "malformed flag value: %s", flagv);
142  goto error;
143  } else {
144  int offset = 0;
145  MQTTFlagState fs_to_set = MQTT_MUST_BE_SET;
146  if (flagv[0] == '!') {
147  /* negated flag */
148  offset = 1; /* skip negation operator during comparison */
149  fs_to_set = MQTT_CANT_BE_SET;
150  }
151  if (strcmp(flagv+offset, "dup") == 0) {
152  if (de->dup != MQTT_DONT_CARE) {
153  SCLogError(SC_ERR_INVALID_VALUE, "duplicate flag definition: %s", flagv);
154  goto error;
155  }
156  de->dup = fs_to_set;
157  } else if (strcmp(flagv+offset, "retain") == 0) {
158  if (de->retain != MQTT_DONT_CARE) {
159  SCLogError(SC_ERR_INVALID_VALUE, "duplicate flag definition: %s", flagv);
160  goto error;
161  }
162  de->retain = fs_to_set;
163  } else {
164  SCLogError(SC_ERR_UNKNOWN_VALUE, "invalid flag definition: %s", flagv);
165  goto error;
166  }
167  }
168  flagv = strtok_r(NULL, ",", &xsaveptr);
169  }
170 
171  return de;
172 
173 error:
174  /* de can't be NULL here */
175  SCFree(de);
176  return NULL;
177 }
178 
179 /**
180  * \internal
181  * \brief this function is used to add the parsed type query into the current signature
182  *
183  * \param de_ctx pointer to the Detection Engine Context
184  * \param s pointer to the Current Signature
185  * \param rawstr pointer to the user provided options
186  *
187  * \retval 0 on Success
188  * \retval -1 on Failure
189  */
190 static int DetectMQTTFlagsSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
191 {
192  DetectMQTTFlagsData *de = NULL;
193  SigMatch *sm = NULL;
194 
196  return -1;
197 
198  de = DetectMQTTFlagsParse(rawstr);
199  if (de == NULL)
200  goto error;
201 
202  sm = SigMatchAlloc();
203  if (sm == NULL)
204  goto error;
205 
207  sm->ctx = (SigMatchCtx *)de;
208 
209  SigMatchAppendSMToList(s, sm, mqtt_flags_id);
210 
211  return 0;
212 
213 error:
214  if (de != NULL)
215  SCFree(de);
216  if (sm != NULL)
217  SCFree(sm);
218  return -1;
219 }
220 
221 /**
222  * \internal
223  * \brief this function will free memory associated with DetectMQTTFlagsData
224  *
225  * \param de pointer to DetectMQTTFlagsData
226  */
228 {
229  if (de_ptr != NULL)
230  SCFree(de_ptr);
231 }
232 
233 /*
234  * ONLY TESTS BELOW THIS COMMENT
235  */
236 
237 #ifdef UNITTESTS
238 /**
239  * \test MQTTFlagsTestParse01 is a test for a valid value
240  *
241  * \retval 1 on success
242  * \retval 0 on failure
243  */
244 static int MQTTFlagsTestParse01 (void)
245 {
246  DetectMQTTFlagsData *de = NULL;
247 
248  de = DetectMQTTFlagsParse("retain");
249  FAIL_IF_NULL(de);
250  DetectMQTTFlagsFree(NULL, de);
251 
252  de = DetectMQTTFlagsParse("dup");
253  FAIL_IF_NULL(de);
254  DetectMQTTFlagsFree(NULL, de);
255 
256  de = DetectMQTTFlagsParse("retain,dup");
257  FAIL_IF_NULL(de);
258  DetectMQTTFlagsFree(NULL, de);
259 
260  de = DetectMQTTFlagsParse("dup, retain");
261  FAIL_IF_NULL(de);
262  DetectMQTTFlagsFree(NULL, de);
263 
264  PASS;
265 }
266 
267 /**
268  * \test MQTTFlagsTestParse02 is a test for a valid value
269  *
270  * \retval 1 on success
271  * \retval 0 on failure
272  */
273 static int MQTTFlagsTestParse02 (void)
274 {
275  DetectMQTTFlagsData *de = NULL;
276  de = DetectMQTTFlagsParse("retain,!dup");
277  FAIL_IF_NULL(de);
278  DetectMQTTFlagsFree(NULL, de);
279 
280  PASS;
281 }
282 
283 /**
284  * \test MQTTFlagsTestParse03 is a test for an invalid value
285  *
286  * \retval 1 on success
287  * \retval 0 on failure
288  */
289 static int MQTTFlagsTestParse03 (void)
290 {
291  DetectMQTTFlagsData *de = NULL;
292  de = DetectMQTTFlagsParse("ref");
293  if (de) {
294  DetectMQTTFlagsFree(NULL, de);
295  FAIL;
296  }
297 
298  PASS;
299 }
300 
301 /**
302  * \test MQTTFlagsTestParse04 is a test for an invalid value
303  *
304  * \retval 1 on success
305  * \retval 0 on failure
306  */
307 static int MQTTFlagsTestParse04 (void)
308 {
309  DetectMQTTFlagsData *de = NULL;
310  de = DetectMQTTFlagsParse("dup,!");
311  if (de) {
312  DetectMQTTFlagsFree(NULL, de);
313  FAIL;
314  }
315 
316  PASS;
317 }
318 
319 /**
320  * \test MQTTFlagsTestParse05 is a test for an invalid value
321  *
322  * \retval 1 on success
323  * \retval 0 on failure
324  */
325 static int MQTTFlagsTestParse05 (void)
326 {
327  DetectMQTTFlagsData *de = NULL;
328  de = DetectMQTTFlagsParse("dup,!dup");
329  if (de) {
330  DetectMQTTFlagsFree(NULL, de);
331  FAIL;
332  }
333 
334  de = DetectMQTTFlagsParse("!retain,retain");
335  if (de) {
336  DetectMQTTFlagsFree(NULL, de);
337  FAIL;
338  }
339 
340  PASS;
341 }
342 
343 
344 #endif /* UNITTESTS */
345 
346 /**
347  * \brief this function registers unit tests for MQTTFlags
348  */
350 {
351 #ifdef UNITTESTS
352  UtRegisterTest("MQTTFlagsTestParse01", MQTTFlagsTestParse01);
353  UtRegisterTest("MQTTFlagsTestParse02", MQTTFlagsTestParse02);
354  UtRegisterTest("MQTTFlagsTestParse03", MQTTFlagsTestParse03);
355  UtRegisterTest("MQTTFlagsTestParse04", MQTTFlagsTestParse04);
356  UtRegisterTest("MQTTFlagsTestParse05", MQTTFlagsTestParse05);
357 #endif /* UNITTESTS */
358 }
detect-mqtt-flags.h
SigTableElmt_::url
const char * url
Definition: detect.h:1248
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectMQTTFlagsData_::retain
MQTTFlagState retain
Definition: detect-mqtt-flags.c:49
SigTableElmt_::desc
const char * desc
Definition: detect.h:1247
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2475
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1235
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1245
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_
Flow data structure.
Definition: flow.h:353
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1216
rust.h
DETECT_AL_MQTT_FLAGS
@ DETECT_AL_MQTT_FLAGS
Definition: detect-engine-register.h:285
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1230
util-unittest.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1086
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:230
DetectMQTTFlagsData_::dup
MQTTFlagState dup
Definition: detect-mqtt-flags.c:49
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1034
de
uint8_t de
Definition: app-layer-htp.c:568
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2598
detect.h
MQTTFlagsRegisterTests
void MQTTFlagsRegisterTests(void)
this function registers unit tests for MQTTFlags
Definition: detect-mqtt-flags.c:349
DetectMQTTFlagsData_
Definition: detect-mqtt-flags.c:48
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:317
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:227
conf.h
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:309
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectMQTTFlagsRegister
void DetectMQTTFlagsRegister(void)
Registration function for mqtt.flags: keyword.
Definition: detect-mqtt-flags.c:55
SigMatch_::type
uint16_t type
Definition: detect.h:315
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
DetectMQTTFlagsFree
void DetectMQTTFlagsFree(DetectEngineCtx *de_ctx, void *)
Definition: detect-mqtt-flags.c:227
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1951
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:314
FAIL
#define FAIL
Fail a test.
Definition: util-unittest.h:60
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:56
DetectMQTTFlagsData
struct DetectMQTTFlagsData_ DetectMQTTFlagsData
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1237
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-mqtt-flags.c:35