suricata
detect-mqtt-protocol-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Sascha Steinbiss <sascha@steinbiss.name>
22  */
23 
24 #include "suricata-common.h"
25 #include "conf.h"
26 #include "detect.h"
27 #include "detect-parse.h"
28 #include "detect-engine.h"
29 #include "detect-engine-content-inspection.h"
30 #include "detect-engine-uint.h"
31 #include "detect-mqtt-protocol-version.h"
32 #include "util-byte.h"
33 #include "util-unittest.h"
34 
35 #include "rust.h"
36 
37 static int mqtt_protocol_version_id = 0;
38 
39 static int DetectMQTTProtocolVersionMatch(DetectEngineThreadCtx *det_ctx,
40  Flow *f, uint8_t flags, void *state,
41  void *txv, const Signature *s,
42  const SigMatchCtx *ctx);
43 static int DetectMQTTProtocolVersionSetup (DetectEngineCtx *, Signature *, const char *);
44 void MQTTProtocolVersionRegisterTests(void);
45 void DetectMQTTProtocolVersionFree(DetectEngineCtx *de_ctx, void *);
46 
47 static int DetectEngineInspectMQTTProtocolVersionGeneric(DetectEngineCtx *de_ctx,
48  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
49  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
50 
51 /**
52  * \brief Registration function for mqtt.protocol_version: keyword
53  */
54 void DetectMQTTProtocolVersionRegister (void)
55 {
56  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].name = "mqtt.protocol_version";
57  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].desc = "match MQTT protocol version";
58  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].url = "/rules/mqtt-keywords.html#mqtt-protocol-version";
59  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].AppLayerTxMatch = DetectMQTTProtocolVersionMatch;
60  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].Setup = DetectMQTTProtocolVersionSetup;
61  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].Free = DetectMQTTProtocolVersionFree;
62 #ifdef UNITTESTS
63  sigmatch_table[DETECT_AL_MQTT_PROTOCOL_VERSION].RegisterTests = MQTTProtocolVersionRegisterTests;
64 #endif
65 
66  DetectAppLayerInspectEngineRegister2("mqtt.protocol_version", ALPROTO_MQTT, SIG_FLAG_TOSERVER,
67  1, DetectEngineInspectMQTTProtocolVersionGeneric, NULL);
68 
69  mqtt_protocol_version_id = DetectBufferTypeGetByName("mqtt.protocol_version");
70 }
71 
72 static int DetectEngineInspectMQTTProtocolVersionGeneric(DetectEngineCtx *de_ctx,
73  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
74  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
75 {
76  return DetectEngineInspectGenericList(
77  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
78 }
79 
80 /**
81  * \internal
82  * \brief Function to match protocol version of an MQTT Tx
83  *
84  * \param det_ctx Pointer to the pattern matcher thread.
85  * \param f Pointer to the current flow.
86  * \param flags Flags.
87  * \param state App layer state.
88  * \param txv Pointer to the transaction.
89  * \param s Pointer to the Signature.
90  * \param ctx Pointer to the sigmatch that we will cast into DetectMQTTProtocolVersionData.
91  *
92  * \retval 0 no match.
93  * \retval 1 match.
94  */
95 static int DetectMQTTProtocolVersionMatch(DetectEngineThreadCtx *det_ctx,
96  Flow *f, uint8_t flags, void *state,
97  void *txv, const Signature *s,
98  const SigMatchCtx *ctx)
99 {
100  const DetectU8Data *de = (const DetectU8Data *)ctx;
101  uint8_t version;
102 
103  version = rs_mqtt_tx_get_protocol_version(state);
104 
105  return DetectU8Match(version, de);
106 }
107 
108 /**
109  * \internal
110  * \brief this function is used to add the parsed sigmatch into the current signature
111  *
112  * \param de_ctx pointer to the Detection Engine Context
113  * \param s pointer to the Current Signature
114  * \param rawstr pointer to the user provided options
115  *
116  * \retval 0 on Success
117  * \retval -1 on Failure
118  */
119 static int DetectMQTTProtocolVersionSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
120 {
121  SigMatch *sm = NULL;
122  DetectU8Data *de = NULL;
123 
124  if (DetectSignatureSetAppProto(s, ALPROTO_MQTT) < 0)
125  return -1;
126 
127  de = DetectU8Parse(rawstr);
128  if (de == NULL)
129  return -1;
130 
131  sm = SigMatchAlloc();
132  if (sm == NULL)
133  goto error;
134 
135  sm->type = DETECT_AL_MQTT_PROTOCOL_VERSION;
136  sm->ctx = (SigMatchCtx *)de;
137 
138  SigMatchAppendSMToList(s, sm, mqtt_protocol_version_id);
139 
140  return 0;
141 
142 error:
143  if (de != NULL)
144  SCFree(de);
145  if (sm != NULL)
146  SCFree(sm);
147  return -1;
148 }
149 
150 /**
151  * \internal
152  * \brief this function will free memory associated with DetectMQTTProtocolVersionData
153  *
154  * \param de pointer to DetectMQTTProtocolVersionData
155  */
156 void DetectMQTTProtocolVersionFree(DetectEngineCtx *de_ctx, void *de_ptr)
157 {
158  if (de_ptr != NULL)
159  SCFree(de_ptr);
160 }
161 
162 /*
163  * ONLY TESTS BELOW THIS COMMENT
164  */
165 
166 #ifdef UNITTESTS
167 /**
168  * \test MQTTProtocolVersionTestParse01 is a test for a valid value
169  *
170  * \retval 1 on success
171  * \retval 0 on failure
172  */
173 static int MQTTProtocolVersionTestParse01 (void)
174 {
175  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
176  FAIL_IF_NULL(de_ctx);
177 
178  Signature *sig = DetectEngineAppendSig(de_ctx,
179  "alert ip any any -> any any (mqtt.protocol_version:3; sid:1; rev:1;)");
180  FAIL_IF_NULL(sig);
181 
182  sig = DetectEngineAppendSig(de_ctx,
183  "alert ip any any -> any any (mqtt.protocol_version:3; sid:2; rev:1;)");
184  FAIL_IF_NULL(sig);
185 
186  DetectEngineCtxFree(de_ctx);
187 
188  PASS;
189 }
190 
191 /**
192  * \test MQTTProtocolVersionTestParse02 is a test for a valid value
193  *
194  * \retval 1 on success
195  * \retval 0 on failure
196  */
197 static int MQTTProtocolVersionTestParse02 (void)
198 {
199  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
200  FAIL_IF_NULL(de_ctx);
201 
202  Signature *sig = DetectEngineAppendSig(de_ctx,
203  "alert ip any any -> any any (mqtt.protocol_version:>3; sid:1; rev:1;)");
204  FAIL_IF_NULL(sig);
205 
206  sig = DetectEngineAppendSig(de_ctx,
207  "alert ip any any -> any any (mqtt.protocol_version:<44; sid:2; rev:1;)");
208  FAIL_IF_NULL(sig);
209 
210  DetectEngineCtxFree(de_ctx);
211 
212  PASS;
213 }
214 
215 /**
216  * \test MQTTProtocolVersionTestParse03 is a test for an invalid value
217  *
218  * \retval 1 on success
219  * \retval 0 on failure
220  */
221 static int MQTTProtocolVersionTestParse03 (void)
222 {
223  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
224  FAIL_IF_NULL(de_ctx);
225 
226  Signature *sig = DetectEngineAppendSig(de_ctx,
227  "alert ip any any -> any any (mqtt.protocol_version:; sid:1; rev:1;)");
228  FAIL_IF_NOT_NULL(sig);
229 
230  DetectEngineCtxFree(de_ctx);
231 
232  PASS;
233 }
234 
235 /**
236  * \test MQTTProtocolVersionTestParse04 is a test for an invalid value
237  *
238  * \retval 1 on success
239  * \retval 0 on failure
240  */
241 static int MQTTProtocolVersionTestParse04 (void)
242 {
243  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
244  FAIL_IF_NULL(de_ctx);
245 
246  Signature *sig = DetectEngineAppendSig(de_ctx,
247  "alert ip any any -> any any (mqtt.protocol_version:<444; sid:1; rev:1;)");
248  FAIL_IF_NOT_NULL(sig);
249 
250  DetectEngineCtxFree(de_ctx);
251 
252  PASS;
253 }
254 
255 #endif /* UNITTESTS */
256 
257 /**
258  * \brief this function registers unit tests for MQTTProtocolVersion
259  */
260 void MQTTProtocolVersionRegisterTests(void)
261 {
262 #ifdef UNITTESTS
263  UtRegisterTest("MQTTProtocolVersionTestParse01", MQTTProtocolVersionTestParse01);
264  UtRegisterTest("MQTTProtocolVersionTestParse02", MQTTProtocolVersionTestParse02);
265  UtRegisterTest("MQTTProtocolVersionTestParse03", MQTTProtocolVersionTestParse03);
266  UtRegisterTest("MQTTProtocolVersionTestParse04", MQTTProtocolVersionTestParse04);
267 #endif /* UNITTESTS */
268 }
util-byte.h
detect-engine-uint.h
DetectEngineAppInspectionEngine_
Definition: detect.h:398
SigTableElmt_::url
const char * url
Definition: detect.h:1270
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
DetectMQTTProtocolVersionRegister
void DetectMQTTProtocolVersionRegister(void)
Registration function for mqtt.protocol_version: keyword.
Definition: detect-mqtt-protocol-version.c:54
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1257
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1941
SigTableElmt_::name
const char * name
Definition: detect.h:1267
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_
Flow data structure.
Definition: flow.h:353
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1238
rust.h
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectU8Data *du8)
Definition: detect-engine-uint.c:294
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
util-unittest.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1077
DetectU8Data_
Definition: detect-engine-uint.h:52
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
de
uint8_t de
Definition: app-layer-htp.c:563
detect.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:225
conf.h
DETECT_AL_MQTT_PROTOCOL_VERSION
@ DETECT_AL_MQTT_PROTOCOL_VERSION
Definition: detect-engine-register.h:276
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2420
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:322
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
version
uint8_t version
Definition: decode-gre.h:1
MQTTProtocolVersionRegisterTests
void MQTTProtocolVersionRegisterTests(void)
this function registers unit tests for MQTTProtocolVersion
Definition: detect-mqtt-protocol-version.c:260
DetectU8Parse
DetectU8Data * DetectU8Parse(const char *u8str)
This function is used to parse u8 options passed via some u8 keyword.
Definition: detect-engine-uint.c:370
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:56
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
DetectMQTTProtocolVersionFree
void DetectMQTTProtocolVersionFree(DetectEngineCtx *de_ctx, void *)
Definition: detect-mqtt-protocol-version.c:156
detect-mqtt-protocol-version.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259