suricata
detect-mqtt-flags.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Sascha Steinbiss <sascha@steinbiss.name>
22  */
23 
24 #include "suricata-common.h"
25 #include "conf.h"
26 #include "detect.h"
27 #include "detect-parse.h"
28 #include "detect-engine.h"
30 #include "detect-mqtt-flags.h"
31 #include "util-unittest.h"
32 
33 #include "rust.h"
34 
35 #define PARSE_REGEX "(?: *,?!?(?:retain|dup))+"
36 static DetectParseRegex parse_regex;
37 
38 static int mqtt_flags_id = 0;
39 
40 static int DetectMQTTFlagsMatch(DetectEngineThreadCtx *det_ctx,
41  Flow *f, uint8_t flags, void *state,
42  void *txv, const Signature *s,
43  const SigMatchCtx *ctx);
44 static int DetectMQTTFlagsSetup (DetectEngineCtx *, Signature *, const char *);
45 void MQTTFlagsRegisterTests(void);
47 
48 typedef struct DetectMQTTFlagsData_ {
49  MQTTFlagState retain, dup;
51 
52 /**
53  * \brief Registration function for mqtt.flags: keyword
54  */
56 {
58  sigmatch_table[DETECT_AL_MQTT_FLAGS].desc = "match MQTT fixed header flags";
59  sigmatch_table[DETECT_AL_MQTT_FLAGS].url = "/rules/mqtt-keywords.html#mqtt-flags";
60  sigmatch_table[DETECT_AL_MQTT_FLAGS].AppLayerTxMatch = DetectMQTTFlagsMatch;
61  sigmatch_table[DETECT_AL_MQTT_FLAGS].Setup = DetectMQTTFlagsSetup;
63 #ifdef UNITTESTS
65 #endif
66 
67  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
68 
71 
72  mqtt_flags_id = DetectBufferTypeGetByName("mqtt.flags");
73 }
74 
75 /**
76  * \internal
77  * \brief Function to match fixed header flags of an MQTT Tx
78  *
79  * \param det_ctx Pointer to the pattern matcher thread.
80  * \param f Pointer to the current flow.
81  * \param flags Flags.
82  * \param state App layer state.
83  * \param txv Pointer to the transaction.
84  * \param s Pointer to the Signature.
85  * \param ctx Pointer to the sigmatch that we will cast into DetectMQTTFlagsData.
86  *
87  * \retval 0 no match.
88  * \retval 1 match.
89  */
90 static int DetectMQTTFlagsMatch(DetectEngineThreadCtx *det_ctx,
91  Flow *f, uint8_t flags, void *state,
92  void *txv, const Signature *s,
93  const SigMatchCtx *ctx)
94 {
95  const DetectMQTTFlagsData *de = (const DetectMQTTFlagsData *)ctx;
96 
97  if (!de)
98  return 0;
99 
100  return rs_mqtt_tx_has_flags(txv, de->retain, de->dup);
101 }
102 
103 /**
104  * \internal
105  * \brief This function is used to parse options passed via mqtt.flags: keyword
106  *
107  * \param rawstr Pointer to the user provided options
108  *
109  * \retval de pointer to DetectMQTTFlagsData on success
110  * \retval NULL on failure
111  */
112 static DetectMQTTFlagsData *DetectMQTTFlagsParse(const char *rawstr)
113 {
114 
116  if (unlikely(de == NULL))
117  return NULL;
118 
119  pcre2_match_data *match = NULL;
120  int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
121  if (ret < 1) {
122  SCLogError("invalid flag definition: %s", rawstr);
123  if (match) {
124  pcre2_match_data_free(match);
125  }
126  SCFree(de);
127  return NULL;
128  }
129 
130  de->retain = de->dup = MQTT_DONT_CARE;
131 
132  char copy[strlen(rawstr)+1];
133  strlcpy(copy, rawstr, sizeof(copy));
134  char *xsaveptr = NULL;
135 
136  /* Iterate through comma-separated string... */
137  char *flagv = strtok_r(copy, ",", &xsaveptr);
138  while (flagv != NULL) {
139  /* skip blanks */
140  while (*flagv != '\0' && isblank(*flagv)) {
141  flagv++;
142  }
143  if (strlen(flagv) < 2) {
144  /* flags have a minimum length */
145  SCLogError("malformed flag value: %s", flagv);
146  goto error;
147  } else {
148  int offset = 0;
149  MQTTFlagState fs_to_set = MQTT_MUST_BE_SET;
150  if (flagv[0] == '!') {
151  /* negated flag */
152  offset = 1; /* skip negation operator during comparison */
153  fs_to_set = MQTT_CANT_BE_SET;
154  }
155  if (strcmp(flagv+offset, "dup") == 0) {
156  if (de->dup != MQTT_DONT_CARE) {
157  SCLogError("duplicate flag definition: %s", flagv);
158  goto error;
159  }
160  de->dup = fs_to_set;
161  } else if (strcmp(flagv+offset, "retain") == 0) {
162  if (de->retain != MQTT_DONT_CARE) {
163  SCLogError("duplicate flag definition: %s", flagv);
164  goto error;
165  }
166  de->retain = fs_to_set;
167  } else {
168  SCLogError("invalid flag definition: %s", flagv);
169  goto error;
170  }
171  }
172  flagv = strtok_r(NULL, ",", &xsaveptr);
173  }
174 
175  pcre2_match_data_free(match);
176  return de;
177 
178 error:
179  if (match) {
180  pcre2_match_data_free(match);
181  }
182  if (de)
183  SCFree(de);
184  return NULL;
185 }
186 
187 /**
188  * \internal
189  * \brief this function is used to add the parsed type query into the current signature
190  *
191  * \param de_ctx pointer to the Detection Engine Context
192  * \param s pointer to the Current Signature
193  * \param rawstr pointer to the user provided options
194  *
195  * \retval 0 on Success
196  * \retval -1 on Failure
197  */
198 static int DetectMQTTFlagsSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
199 {
200  DetectMQTTFlagsData *de = NULL;
201 
203  return -1;
204 
205  de = DetectMQTTFlagsParse(rawstr);
206  if (de == NULL)
207  goto error;
208 
209  if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_MQTT_FLAGS, (SigMatchCtx *)de, mqtt_flags_id) ==
210  NULL) {
211  goto error;
212  }
213 
214  return 0;
215 
216 error:
217  if (de != NULL)
218  SCFree(de);
219  return -1;
220 }
221 
222 /**
223  * \internal
224  * \brief this function will free memory associated with DetectMQTTFlagsData
225  *
226  * \param de pointer to DetectMQTTFlagsData
227  */
229 {
230  if (de_ptr != NULL)
231  SCFree(de_ptr);
232 }
233 
234 /*
235  * ONLY TESTS BELOW THIS COMMENT
236  */
237 
238 #ifdef UNITTESTS
239 /**
240  * \test MQTTFlagsTestParse01 is a test for a valid value
241  *
242  * \retval 1 on success
243  * \retval 0 on failure
244  */
245 static int MQTTFlagsTestParse01 (void)
246 {
247  DetectMQTTFlagsData *de = NULL;
248 
249  de = DetectMQTTFlagsParse("retain");
250  FAIL_IF_NULL(de);
251  DetectMQTTFlagsFree(NULL, de);
252 
253  de = DetectMQTTFlagsParse("dup");
254  FAIL_IF_NULL(de);
255  DetectMQTTFlagsFree(NULL, de);
256 
257  de = DetectMQTTFlagsParse("retain,dup");
258  FAIL_IF_NULL(de);
259  DetectMQTTFlagsFree(NULL, de);
260 
261  de = DetectMQTTFlagsParse("dup, retain");
262  FAIL_IF_NULL(de);
263  DetectMQTTFlagsFree(NULL, de);
264 
265  PASS;
266 }
267 
268 /**
269  * \test MQTTFlagsTestParse02 is a test for a valid value
270  *
271  * \retval 1 on success
272  * \retval 0 on failure
273  */
274 static int MQTTFlagsTestParse02 (void)
275 {
276  DetectMQTTFlagsData *de = NULL;
277  de = DetectMQTTFlagsParse("retain,!dup");
278  FAIL_IF_NULL(de);
279  DetectMQTTFlagsFree(NULL, de);
280 
281  PASS;
282 }
283 
284 /**
285  * \test MQTTFlagsTestParse03 is a test for an invalid value
286  *
287  * \retval 1 on success
288  * \retval 0 on failure
289  */
290 static int MQTTFlagsTestParse03 (void)
291 {
292  DetectMQTTFlagsData *de = NULL;
293  de = DetectMQTTFlagsParse("ref");
294  if (de) {
295  DetectMQTTFlagsFree(NULL, de);
296  FAIL;
297  }
298 
299  PASS;
300 }
301 
302 /**
303  * \test MQTTFlagsTestParse04 is a test for an invalid value
304  *
305  * \retval 1 on success
306  * \retval 0 on failure
307  */
308 static int MQTTFlagsTestParse04 (void)
309 {
310  DetectMQTTFlagsData *de = NULL;
311  de = DetectMQTTFlagsParse("dup,!");
312  if (de) {
313  DetectMQTTFlagsFree(NULL, de);
314  FAIL;
315  }
316 
317  PASS;
318 }
319 
320 /**
321  * \test MQTTFlagsTestParse05 is a test for an invalid value
322  *
323  * \retval 1 on success
324  * \retval 0 on failure
325  */
326 static int MQTTFlagsTestParse05 (void)
327 {
328  DetectMQTTFlagsData *de = NULL;
329  de = DetectMQTTFlagsParse("dup,!dup");
330  if (de) {
331  DetectMQTTFlagsFree(NULL, de);
332  FAIL;
333  }
334 
335  de = DetectMQTTFlagsParse("!retain,retain");
336  if (de) {
337  DetectMQTTFlagsFree(NULL, de);
338  FAIL;
339  }
340 
341  PASS;
342 }
343 
344 
345 #endif /* UNITTESTS */
346 
347 /**
348  * \brief this function registers unit tests for MQTTFlags
349  */
351 {
352 #ifdef UNITTESTS
353  UtRegisterTest("MQTTFlagsTestParse01", MQTTFlagsTestParse01);
354  UtRegisterTest("MQTTFlagsTestParse02", MQTTFlagsTestParse02);
355  UtRegisterTest("MQTTFlagsTestParse03", MQTTFlagsTestParse03);
356  UtRegisterTest("MQTTFlagsTestParse04", MQTTFlagsTestParse04);
357  UtRegisterTest("MQTTFlagsTestParse05", MQTTFlagsTestParse05);
358 #endif /* UNITTESTS */
359 }
detect-mqtt-flags.h
SigTableElmt_::url
const char * url
Definition: detect.h:1296
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1753
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectMQTTFlagsData_::retain
MQTTFlagState retain
Definition: detect-mqtt-flags.c:49
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1283
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1293
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1264
rust.h
DETECT_AL_MQTT_FLAGS
@ DETECT_AL_MQTT_FLAGS
Definition: detect-engine-register.h:301
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2674
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
util-unittest.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1119
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:263
DetectMQTTFlagsData_::dup
MQTTFlagState dup
Definition: detect-mqtt-flags.c:49
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
de
uint8_t de
Definition: app-layer-htp.c:580
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2791
detect.h
MQTTFlagsRegisterTests
void MQTTFlagsRegisterTests(void)
this function registers unit tests for MQTTFlags
Definition: detect-mqtt-flags.c:350
DetectMQTTFlagsData_
Definition: detect-mqtt-flags.c:48
conf.h
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:342
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectMQTTFlagsRegister
void DetectMQTTFlagsRegister(void)
Registration function for mqtt.flags: keyword.
Definition: detect-mqtt-flags.c:55
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
DetectMQTTFlagsFree
void DetectMQTTFlagsFree(DetectEngineCtx *de_ctx, void *)
Definition: detect-mqtt-flags.c:228
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2126
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:593
FAIL
#define FAIL
Fail a test.
Definition: util-unittest.h:60
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:56
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:216
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectMQTTFlagsData
struct DetectMQTTFlagsData_ DetectMQTTFlagsData
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-mqtt-flags.c:35