suricata
detect-quic-cyu-hash.c
Go to the documentation of this file.
1 /* Copyright (C) 2021-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  *
20  * Implements the quic.cyu.hash sticky buffer
21  */
22 
23 #include "suricata-common.h"
24 #include "detect.h"
25 #include "detect-parse.h"
26 #include "detect-content.h"
27 
28 #include "detect-engine.h"
29 #include "detect-engine-mpm.h"
32 #include "detect-quic-cyu-hash.h"
33 #include "detect-engine-build.h"
34 #include "rust.h"
35 #include "util-profiling.h"
36 
37 #ifdef UNITTESTS
38 static void DetectQuicCyuHashRegisterTests(void);
39 #endif
40 
41 #define KEYWORD_NAME "quic.cyu.hash"
42 #define KEYWORD_DOC "quic-cyu.html#quic-cyu-hash"
43 #define BUFFER_NAME "quic.cyu.hash"
44 #define BUFFER_DESC "QUIC CYU Hash"
45 static int g_buffer_id = 0;
46 
48  uint32_t local_id; /**< used as index into thread inspect array */
49  void *txv;
50 };
51 
52 static int DetectQuicCyuHashSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
53 {
54  if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0)
55  return -1;
56 
58  return -1;
59 
60  return 0;
61 }
62 
63 static InspectionBuffer *QuicHashGetData(DetectEngineThreadCtx *det_ctx,
64  const DetectEngineTransforms *transforms, Flow *f, struct QuicHashGetDataArgs *cbdata,
65  int list_id)
66 {
67  SCEnter();
68 
69  InspectionBuffer *buffer =
70  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
71  if (buffer == NULL)
72  return NULL;
73  if (buffer->initialized)
74  return buffer;
75 
76  const uint8_t *data;
77  uint32_t data_len;
78  if (rs_quic_tx_get_cyu_hash(cbdata->txv, (uint16_t)cbdata->local_id, &data, &data_len) == 0) {
80  return NULL;
81  }
82 
83  InspectionBufferSetupMulti(buffer, transforms, data, data_len);
84 
85  SCReturnPtr(buffer, "InspectionBuffer");
86 }
87 
88 static uint8_t DetectEngineInspectQuicHash(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
89  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
90  void *alstate, void *txv, uint64_t tx_id)
91 {
92  uint32_t local_id = 0;
93 
94  const DetectEngineTransforms *transforms = NULL;
95  if (!engine->mpm) {
96  transforms = engine->v2.transforms;
97  }
98 
99  while (1) {
100  struct QuicHashGetDataArgs cbdata = {
101  local_id,
102  txv,
103  };
104  InspectionBuffer *buffer =
105  QuicHashGetData(det_ctx, transforms, f, &cbdata, engine->sm_list);
106  if (buffer == NULL || buffer->inspect == NULL)
107  break;
108 
109  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
110  buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
112  if (match) {
114  }
115  local_id++;
116  }
118 }
119 
120 typedef struct PrefilterMpmQuicHash {
121  int list_id;
122  const MpmCtx *mpm_ctx;
125 
126 /** \brief QuicHash Mpm prefilter callback
127  *
128  * \param det_ctx detection engine thread ctx
129  * \param p packet to inspect
130  * \param f flow to inspect
131  * \param txv tx to inspect
132  * \param pectx inspection context
133  */
134 static void PrefilterTxQuicHash(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
135  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
136 {
137  SCEnter();
138 
139  const PrefilterMpmQuicHash *ctx = (const PrefilterMpmQuicHash *)pectx;
140  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
141  const int list_id = ctx->list_id;
142 
143  uint32_t local_id = 0;
144  while (1) {
145  // loop until we get a NULL
146 
147  struct QuicHashGetDataArgs cbdata = { local_id, txv };
148  InspectionBuffer *buffer = QuicHashGetData(det_ctx, ctx->transforms, f, &cbdata, list_id);
149  if (buffer == NULL)
150  break;
151 
152  if (buffer->inspect_len >= mpm_ctx->minlen) {
153  (void)mpm_table[mpm_ctx->mpm_type].Search(
154  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
155  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
156  }
157 
158  local_id++;
159  }
160 }
161 
162 static void PrefilterMpmQuicHashFree(void *ptr)
163 {
164  SCFree(ptr);
165 }
166 
167 static int PrefilterMpmQuicHashRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
168  const DetectBufferMpmRegistry *mpm_reg, int list_id)
169 {
170  PrefilterMpmQuicHash *pectx = SCCalloc(1, sizeof(*pectx));
171  if (pectx == NULL)
172  return -1;
173  pectx->list_id = list_id;
174  pectx->mpm_ctx = mpm_ctx;
175  pectx->transforms = &mpm_reg->transforms;
176 
177  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxQuicHash, mpm_reg->app_v2.alproto,
178  mpm_reg->app_v2.tx_min_progress, pectx, PrefilterMpmQuicHashFree, mpm_reg->pname);
179 }
180 
181 static bool DetectQuicHashValidateCallback(const Signature *s, const char **sigerror)
182 {
183  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
184  if (s->init_data->buffers[x].id != (uint32_t)g_buffer_id)
185  continue;
186  const SigMatch *sm = s->init_data->buffers[x].head;
187  for (; sm != NULL; sm = sm->next) {
188  if (sm->type != DETECT_CONTENT)
189  continue;
190 
191  const DetectContentData *cd = (DetectContentData *)sm->ctx;
192 
193  if (cd->flags & DETECT_CONTENT_NOCASE) {
194  *sigerror = BUFFER_NAME " should not be used together with "
195  "nocase, since the rule is automatically "
196  "lowercased anyway which makes nocase redundant.";
197  SCLogWarning("rule %u: %s", s->id, *sigerror);
198  }
199 
200  if (cd->content_len != 32) {
201  *sigerror = "Invalid length of the specified" BUFFER_NAME " (should "
202  "be 32 characters long). This rule will therefore "
203  "never match.";
204  SCLogWarning("rule %u: %s", s->id, *sigerror);
205  return false;
206  }
207  for (size_t i = 0; i < cd->content_len; ++i) {
208  if (!isxdigit(cd->content[i])) {
209  *sigerror = "Invalid " BUFFER_NAME
210  " string (should be string of hexadecimal characters)."
211  "This rule will therefore never match.";
212  SCLogWarning("rule %u: %s", s->id, *sigerror);
213  return false;
214  }
215  }
216  }
217  }
218  return true;
219 }
220 
222 {
223  /* quic.cyu.hash sticky buffer */
225  sigmatch_table[DETECT_AL_QUIC_CYU_HASH].desc = "sticky buffer to match on the QUIC CYU hash";
227  sigmatch_table[DETECT_AL_QUIC_CYU_HASH].Setup = DetectQuicCyuHashSetup;
229 #ifdef UNITTESTS
230  sigmatch_table[DETECT_AL_QUIC_CYU_HASH].RegisterTests = DetectQuicCyuHashRegisterTests;
231 #endif
232 
234  BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterMpmQuicHashRegister, NULL, ALPROTO_QUIC, 1);
235 
237  BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOSERVER, 0, DetectEngineInspectQuicHash, NULL);
238 
240 
241  g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
242 
243  DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectQuicHashValidateCallback);
244 
246 }
247 
248 #ifdef UNITTESTS
249 #include "app-layer-parser.h"
250 #include "util-unittest.h"
251 #include "util-unittest-helper.h"
252 #include "flow-util.h"
253 #include "detect-engine-alert.h"
254 
255 /**
256  * \test DetectQuicCyuHashTest01 is a test for a valid quic packet, matching
257  * on the cyu hash
258  *
259  * \retval 1 on success
260  * \retval 0 on failure
261  */
262 static int DetectQuicCyuHashTest01(void)
263 {
264  /* quic packet */
265  uint8_t buf[] = { 0xc3, 0x51, 0x30, 0x34, 0x36, 0x50, 0x76, 0xd8, 0x63, 0xb7, 0x54, 0xf7, 0xab,
266  0x32, 0x00, 0x00, 0x00, 0x01, 0x54, 0xfd, 0xf4, 0x79, 0x48, 0x76, 0xd0, 0x87, 0x58, 0x8d,
267  0x26, 0x8f, 0xa0, 0x01, 0x04, 0x00, 0x43, 0x48, 0x4c, 0x4f, 0x11, 0x00, 0x00, 0x00, 0x50,
268  0x41, 0x44, 0x00, 0xe4, 0x02, 0x00, 0x00, 0x53, 0x4e, 0x49, 0x00, 0xf7, 0x02, 0x00, 0x00,
269  0x56, 0x45, 0x52, 0x00, 0xfb, 0x02, 0x00, 0x00, 0x43, 0x43, 0x53, 0x00, 0x0b, 0x03, 0x00,
270  0x00, 0x55, 0x41, 0x49, 0x44, 0x2c, 0x03, 0x00, 0x00, 0x54, 0x43, 0x49, 0x44, 0x30, 0x03,
271  0x00, 0x00, 0x50, 0x44, 0x4d, 0x44, 0x34, 0x03, 0x00, 0x00, 0x53, 0x4d, 0x48, 0x4c, 0x38,
272  0x03, 0x00, 0x00, 0x49, 0x43, 0x53, 0x4c, 0x3c, 0x03, 0x00, 0x00, 0x4e, 0x4f, 0x4e, 0x50,
273  0x5c, 0x03, 0x00, 0x00, 0x4d, 0x49, 0x44, 0x53, 0x60, 0x03, 0x00, 0x00, 0x53, 0x43, 0x4c,
274  0x53, 0x64, 0x03, 0x00, 0x00, 0x43, 0x53, 0x43, 0x54, 0x64, 0x03, 0x00, 0x00, 0x43, 0x4f,
275  0x50, 0x54, 0x64, 0x03, 0x00, 0x00, 0x49, 0x52, 0x54, 0x54, 0x68, 0x03, 0x00, 0x00, 0x43,
276  0x46, 0x43, 0x57, 0x6c, 0x03, 0x00, 0x00, 0x53, 0x46, 0x43, 0x57, 0x70, 0x03, 0x00, 0x00,
277  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
278  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
279  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
280  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
281  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
282  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
283  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
284  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
285  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
286  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
287  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
288  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
289  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
290  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
291  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
292  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
293  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
294  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
295  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
296  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
297  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
298  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
299  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
300  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
301  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
302  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
303  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
304  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
305  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
306  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
307  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
308  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
309  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
310  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
311  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
312  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
313  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
314  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
315  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
316  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
317  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
318  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
319  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
320  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
321  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
322  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
323  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
324  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
325  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
326  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73, 0x31, 0x2e, 0x67,
327  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x51, 0x30, 0x34, 0x36, 0x01, 0xe8,
328  0x81, 0x60, 0x92, 0x92, 0x1a, 0xe8, 0x7e, 0xed, 0x80, 0x86, 0xa2, 0x15, 0x82, 0x91, 0x43,
329  0x68, 0x72, 0x6f, 0x6d, 0x65, 0x2f, 0x37, 0x39, 0x2e, 0x30, 0x2e, 0x33, 0x39, 0x34, 0x35,
330  0x2e, 0x31, 0x31, 0x37, 0x20, 0x4c, 0x69, 0x6e, 0x75, 0x78, 0x20, 0x78, 0x38, 0x36, 0x5f,
331  0x36, 0x34, 0x00, 0x00, 0x00, 0x00, 0x58, 0x35, 0x30, 0x39, 0x01, 0x00, 0x00, 0x00, 0x1e,
332  0x00, 0x00, 0x00, 0x82, 0x88, 0x09, 0x00, 0xfa, 0x0f, 0xde, 0xb7, 0x2e, 0x7e, 0x6c, 0x78,
333  0xcc, 0x09, 0x65, 0xab, 0x06, 0x0c, 0x31, 0x05, 0xfa, 0xd9, 0xa2, 0x0b, 0xdd, 0x74, 0x5c,
334  0x28, 0xdf, 0x7b, 0x74, 0x23, 0x64, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1d, 0x43,
335  0x00, 0x00, 0x00, 0x00, 0xf0, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
336  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
337  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
338  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
339  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
340  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
341  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
342  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
343  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
344  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
345  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
346  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
347  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
348  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
349  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
350  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
351  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
352  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
353  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
354  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
355  0x00, 0x00 };
356 
357  Flow f;
358  void *quic_state = NULL;
359  Packet *p = NULL;
360  Signature *s = NULL;
361  ThreadVars tv;
362  DetectEngineThreadCtx *det_ctx = NULL;
364 
365  memset(&tv, 0, sizeof(ThreadVars));
366  memset(&f, 0, sizeof(Flow));
367 
368  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP, "192.168.1.5", "192.168.1.1", 41424, 443);
369 
370  FLOW_INITIALIZE(&f);
371  f.flags |= FLOW_IPV4;
372  f.proto = IPPROTO_UDP;
374 
375  p->flow = &f;
376  p->flags |= PKT_HAS_FLOW;
378  f.alproto = ALPROTO_QUIC;
379 
383  de_ctx->flags |= DE_QUIET;
384 
386  "alert quic any any -> any any "
387  "(msg:\"Test QUIC CYU hash\"; "
388  "quic.cyu.hash; content:\"910a5e3a4d51593bd59a44611544f209\"; "
389  "sid:1;)");
390  FAIL_IF_NULL(s);
391 
393  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
394 
395  int r = AppLayerParserParse(
396  NULL, alp_tctx, &f, ALPROTO_QUIC, STREAM_TOSERVER, buf, sizeof(buf));
397  if (r != 0) {
398  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
399  FAIL;
400  }
401 
402  quic_state = f.alstate;
403  FAIL_IF_NULL(quic_state);
404 
405  /* do detect */
406  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
407 
408  if (!(PacketAlertCheck(p, 1))) {
409  printf("sig 1 didn't alert, but it should have: ");
410  FAIL;
411  }
412 
413  if (alp_tctx != NULL)
415  if (det_ctx != NULL)
416  DetectEngineThreadCtxDeinit(&tv, det_ctx);
417  if (de_ctx != NULL)
419  if (de_ctx != NULL)
421 
422  FLOW_DESTROY(&f);
423  UTHFreePacket(p);
424  PASS;
425 }
426 
427 static void DetectQuicCyuHashRegisterTests(void)
428 {
429  UtRegisterTest("DetectQuicCyuHashTest01", DetectQuicCyuHashTest01);
430 }
431 
432 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectEngineAppInspectionEngine_
Definition: detect.h:427
SigTableElmt_::url
const char * url
Definition: detect.h:1299
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1753
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:530
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:431
detect-content.h
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1298
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1022
flow-util.h
QuicHashGetDataArgs::local_id
uint32_t local_id
Definition: detect-quic-cyu-hash.c:48
SigTableElmt_::name
const char * name
Definition: detect.h:1296
PrefilterMpmQuicHash
Definition: detect-quic-cyu-hash.c:120
InspectionBuffer::initialized
bool initialized
Definition: detect.h:378
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1448
DetectQuicCyuHashRegister
void DetectQuicCyuHashRegister(void)
Definition: detect-quic-cyu-hash.c:221
DetectEngineTransforms
Definition: detect.h:409
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
Flow_::proto
uint8_t proto
Definition: flow.h:373
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:51
DetectBufferSetActiveList
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine.c:1335
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
InspectionBuffer
Definition: detect.h:374
Packet_::flags
uint32_t flags
Definition: decode.h:474
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1204
Flow_::protomap
uint8_t protomap
Definition: flow.h:445
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1290
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1022
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
PrefilterMpmQuicHash::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-quic-cyu-hash.c:122
KEYWORD_DOC
#define KEYWORD_DOC
Definition: detect-quic-cyu-hash.c:42
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
rust.h
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:680
PrefilterMpmQuicHash
struct PrefilterMpmQuicHash PrefilterMpmQuicHash
DE_QUIET
#define DE_QUIET
Definition: detect.h:324
PrefilterMpmQuicHash::transforms
const DetectEngineTransforms * transforms
Definition: detect-quic-cyu-hash.c:123
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1897
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@88::@90 app_v2
DetectContentData_
Definition: detect-content.h:93
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:244
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1281
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:693
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1072
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:433
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:266
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine.c:1546
DetectBufferTypeRegisterValidateCallback
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror))
Definition: detect-engine.c:1284
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1095
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
BUFFER_DESC
#define BUFFER_DESC
Definition: detect-quic-cyu-hash.c:44
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:354
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:842
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:376
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:353
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2218
util-profiling.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:97
Packet_
Definition: decode.h:437
DETECT_AL_QUIC_CYU_HASH
@ DETECT_AL_QUIC_CYU_HASH
Definition: detect-engine-register.h:320
detect-engine-build.h
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:665
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:168
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@85 v2
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1203
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
detect-engine-content-inspection.h
detect-quic-cyu-hash.h
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:444
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1358
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:287
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-quic-cyu-hash.c:43
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:49
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1292
QuicHashGetDataArgs
Definition: detect-quic-cyu-hash.c:47
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
SigMatch_::type
uint16_t type
Definition: detect.h:351
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1559
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:377
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:586
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:375
PrefilterMpmQuicHash::list_id
int list_id
Definition: detect-quic-cyu-hash.c:121
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:448
Flow_::alstate
void * alstate
Definition: flow.h:476
Signature_::id
uint32_t id
Definition: detect.h:631
Flow_::flags
uint32_t flags
Definition: flow.h:421
detect-parse.h
SignatureInitDataBuffer_::id
uint32_t id
Definition: detect.h:523
Signature_
Signature container.
Definition: detect.h:596
SigMatch_
a single match condition for a signature
Definition: detect.h:350
FAIL
#define FAIL
Fail a test.
Definition: util-unittest.h:60
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:441
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
QuicHashGetDataArgs::txv
void * txv
Definition: detect-quic-cyu-hash.c:49
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1499
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1476
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:169
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:841
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
KEYWORD_NAME
#define KEYWORD_NAME
Definition: detect-quic-cyu-hash.c:41
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1169
MpmCtx_
Definition: util-mpm.h:88
DetectEngineContentInspection
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:723
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:587
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1288
DetectBufferMpmRegistry_::pname
char pname[32]
Definition: detect.h:682