suricata
detect-mqtt-protocol-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Sascha Steinbiss <sascha@steinbiss.name>
22  */
23 
24 #include "suricata-common.h"
25 #include "conf.h"
26 #include "detect.h"
27 #include "detect-parse.h"
28 #include "detect-engine.h"
29 #include "detect-engine-content-inspection.h"
30 #include "detect-engine-uint.h"
31 #include "detect-mqtt-protocol-version.h"
32 #include "util-byte.h"
33 #include "util-unittest.h"
34 
35 #include "rust-bindings.h"
36 
37 static int mqtt_protocol_version_id = 0;
38 
39 static int DetectMQTTProtocolVersionMatch(DetectEngineThreadCtx *det_ctx,
40  Flow *f, uint8_t flags, void *state,
41  void *txv, const Signature *s,
42  const SigMatchCtx *ctx);
43 static int DetectMQTTProtocolVersionSetup (DetectEngineCtx *, Signature *, const char *);
44 void MQTTProtocolVersionRegisterTests(void);
45 void DetectMQTTProtocolVersionFree(DetectEngineCtx *de_ctx, void *);
46 
47 static int DetectEngineInspectMQTTProtocolVersionGeneric(ThreadVars *tv,
48  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
49  const Signature *s, const SigMatchData *smd,
50  Flow *f, uint8_t flags, void *alstate,
51  void *txv, uint64_t tx_id);
52 
53 /**
54  * \brief Registration function for mqtt.protocol_version: keyword
55  */
56 void DetectMQTTProtocolVersionRegister (void)
57 {
58  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].name = "mqtt.protocol_version";
59  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].desc = "match MQTT protocol version";
60  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].url = "/rules/mqtt-keywords.html#mqtt-protocol-version";
61  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].AppLayerTxMatch = DetectMQTTProtocolVersionMatch;
62  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].Setup = DetectMQTTProtocolVersionSetup;
63  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].Free = DetectMQTTProtocolVersionFree;
64 #ifdef UNITTESTS
65  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].RegisterTests = MQTTProtocolVersionRegisterTests;
66 #endif
67 
68  DetectAppLayerInspectEngineRegister("mqtt.protocol_version",
69  ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1,
70  DetectEngineInspectMQTTProtocolVersionGeneric);
71 
72  mqtt_protocol_version_id = DetectBufferTypeGetByName("mqtt.protocol_version");
73 }
74 
75 static int DetectEngineInspectMQTTProtocolVersionGeneric(ThreadVars *tv,
76  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
77  const Signature *s, const SigMatchData *smd,
78  Flow *f, uint8_t flags, void *alstate,
79  void *txv, uint64_t tx_id)
80 {
81  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
82  f, flags, alstate, txv, tx_id);
83 }
84 
85 /**
86  * \internal
87  * \brief Function to match protocol version of an MQTT Tx
88  *
89  * \param det_ctx Pointer to the pattern matcher thread.
90  * \param f Pointer to the current flow.
91  * \param flags Flags.
92  * \param state App layer state.
93  * \param txv Pointer to the transaction.
94  * \param s Pointer to the Signature.
95  * \param ctx Pointer to the sigmatch that we will cast into DetectMQTTProtocolVersionData.
96  *
97  * \retval 0 no match.
98  * \retval 1 match.
99  */
100 static int DetectMQTTProtocolVersionMatch(DetectEngineThreadCtx *det_ctx,
101  Flow *f, uint8_t flags, void *state,
102  void *txv, const Signature *s,
103  const SigMatchCtx *ctx)
104 {
105  const DetectU8Data *de = (const DetectU8Data *)ctx;
106  uint8_t version;
107 
108  version = rs_mqtt_tx_get_protocol_version(state);
109 
110  return DetectU8Match(version, de);
111 }
112 
113 /**
114  * \internal
115  * \brief this function is used to add the parsed sigmatch into the current signature
116  *
117  * \param de_ctx pointer to the Detection Engine Context
118  * \param s pointer to the Current Signature
119  * \param rawstr pointer to the user provided options
120  *
121  * \retval 0 on Success
122  * \retval -1 on Failure
123  */
124 static int DetectMQTTProtocolVersionSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
125 {
126  SigMatch *sm = NULL;
127  DetectU8Data *de = NULL;
128 
129  if (DetectSignatureSetAppProto(s, ALPROTO_MQTT) < 0)
130  return -1;
131 
132  de = DetectU8Parse(rawstr);
133  if (de == NULL)
134  return -1;
135 
136  sm = SigMatchAlloc();
137  if (sm == NULL)
138  goto error;
139 
140  sm->type = DETECT_AL_MQTT_PROTOCOL_VERSION;
141  sm->ctx = (SigMatchCtx *)de;
142 
143  SigMatchAppendSMToList(s, sm, mqtt_protocol_version_id);
144 
145  return 0;
146 
147 error:
148  if (de != NULL)
149  SCFree(de);
150  if (sm != NULL)
151  SCFree(sm);
152  return -1;
153 }
154 
155 /**
156  * \internal
157  * \brief this function will free memory associated with DetectMQTTProtocolVersionData
158  *
159  * \param de pointer to DetectMQTTProtocolVersionData
160  */
161 void DetectMQTTProtocolVersionFree(DetectEngineCtx *de_ctx, void *de_ptr)
162 {
163  if (de_ptr != NULL)
164  SCFree(de_ptr);
165 }
166 
167 /*
168  * ONLY TESTS BELOW THIS COMMENT
169  */
170 
171 #ifdef UNITTESTS
172 /**
173  * \test MQTTProtocolVersionTestParse01 is a test for a valid value
174  *
175  * \retval 1 on success
176  * \retval 0 on failure
177  */
178 static int MQTTProtocolVersionTestParse01 (void)
179 {
180  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
181  FAIL_IF_NULL(de_ctx);
182 
183  Signature *sig = DetectEngineAppendSig(de_ctx,
184  "alert ip any any -> any any (mqtt.protocol_version:3; sid:1; rev:1;)");
185  FAIL_IF_NULL(sig);
186 
187  sig = DetectEngineAppendSig(de_ctx,
188  "alert ip any any -> any any (mqtt.protocol_version:3; sid:2; rev:1;)");
189  FAIL_IF_NULL(sig);
190 
191  DetectEngineCtxFree(de_ctx);
192 
193  PASS;
194 }
195 
196 /**
197  * \test MQTTProtocolVersionTestParse02 is a test for a valid value
198  *
199  * \retval 1 on success
200  * \retval 0 on failure
201  */
202 static int MQTTProtocolVersionTestParse02 (void)
203 {
204  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
205  FAIL_IF_NULL(de_ctx);
206 
207  Signature *sig = DetectEngineAppendSig(de_ctx,
208  "alert ip any any -> any any (mqtt.protocol_version:>3; sid:1; rev:1;)");
209  FAIL_IF_NULL(sig);
210 
211  sig = DetectEngineAppendSig(de_ctx,
212  "alert ip any any -> any any (mqtt.protocol_version:<44; sid:2; rev:1;)");
213  FAIL_IF_NULL(sig);
214 
215  DetectEngineCtxFree(de_ctx);
216 
217  PASS;
218 }
219 
220 /**
221  * \test MQTTProtocolVersionTestParse03 is a test for an invalid value
222  *
223  * \retval 1 on success
224  * \retval 0 on failure
225  */
226 static int MQTTProtocolVersionTestParse03 (void)
227 {
228  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
229  FAIL_IF_NULL(de_ctx);
230 
231  Signature *sig = DetectEngineAppendSig(de_ctx,
232  "alert ip any any -> any any (mqtt.protocol_version:; sid:1; rev:1;)");
233  FAIL_IF_NOT_NULL(sig);
234 
235  DetectEngineCtxFree(de_ctx);
236 
237  PASS;
238 }
239 
240 /**
241  * \test MQTTProtocolVersionTestParse04 is a test for an invalid value
242  *
243  * \retval 1 on success
244  * \retval 0 on failure
245  */
246 static int MQTTProtocolVersionTestParse04 (void)
247 {
248  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
249  FAIL_IF_NULL(de_ctx);
250 
251  Signature *sig = DetectEngineAppendSig(de_ctx,
252  "alert ip any any -> any any (mqtt.protocol_version:<444; sid:1; rev:1;)");
253  FAIL_IF_NOT_NULL(sig);
254 
255  DetectEngineCtxFree(de_ctx);
256 
257  PASS;
258 }
259 
260 #endif /* UNITTESTS */
261 
262 /**
263  * \brief this function registers unit tests for MQTTProtocolVersion
264  */
265 void MQTTProtocolVersionRegisterTests(void)
266 {
267 #ifdef UNITTESTS
268  UtRegisterTest("MQTTProtocolVersionTestParse01", MQTTProtocolVersionTestParse01);
269  UtRegisterTest("MQTTProtocolVersionTestParse02", MQTTProtocolVersionTestParse02);
270  UtRegisterTest("MQTTProtocolVersionTestParse03", MQTTProtocolVersionTestParse03);
271  UtRegisterTest("MQTTProtocolVersionTestParse04", MQTTProtocolVersionTestParse04);
272 #endif /* UNITTESTS */
273 }
util-byte.h
detect-engine-uint.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1480
DetectMQTTProtocolVersionRegister
void DetectMQTTProtocolVersionRegister(void)
Registration function for mqtt.protocol_version: keyword.
Definition: detect-mqtt-protocol-version.c:56
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
SigTableElmt_::name
const char * name
Definition: detect.h:1211
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1182
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectU8Data *du8)
Definition: detect-engine-uint.c:234
SigMatchData_
Data needed for Match()
Definition: detect.h:329
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
util-unittest.h
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1596
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:880
DetectU8Data_
Definition: detect-engine-uint.h:50
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
de
int de
Definition: app-layer-htp.c:575
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
conf.h
DETECT_AL_MQTT_PROTOCOL_VERSION
@ DETECT_AL_MQTT_PROTOCOL_VERSION
Definition: detect-engine-register.h:273
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigMatch_::type
uint8_t type
Definition: detect.h:321
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2361
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
version
uint8_t version
Definition: decode-gre.h:1
MQTTProtocolVersionRegisterTests
void MQTTProtocolVersionRegisterTests(void)
this function registers unit tests for MQTTProtocolVersion
Definition: detect-mqtt-protocol-version.c:265
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
DetectU8Parse
DetectU8Data * DetectU8Parse(const char *u8str)
This function is used to parse u8 options passed via some u8 keyword.
Definition: detect-engine-uint.c:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:55
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
DetectMQTTProtocolVersionFree
void DetectMQTTProtocolVersionFree(DetectEngineCtx *de_ctx, void *)
Definition: detect-mqtt-protocol-version.c:161
detect-mqtt-protocol-version.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:171
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203