suricata
detect-reference.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Implements the reference keyword support
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 
34 #include "decode.h"
35 #include "flow-var.h"
36 #include "decode-events.h"
37 #include "stream-tcp.h"
38 
39 #include "util-reference-config.h"
40 #include "detect-reference.h"
41 
42 #include "util-unittest.h"
43 #include "util-byte.h"
44 #include "util-debug.h"
45 
46 #define PARSE_REGEX "^\\s*([A-Za-z0-9]+)\\s*,\"?\\s*\"?\\s*([a-zA-Z0-9\\-_\\.\\/\\?\\=]+)\"?\\s*\"?"
47 
48 static DetectParseRegex parse_regex;
49 
50 #ifdef UNITTESTS
51 static void ReferenceRegisterTests(void);
52 #endif
53 static int DetectReferenceSetup(DetectEngineCtx *, Signature *s, const char *str);
54 
55 /**
56  * \brief Registration function for the reference: keyword
57  */
59 {
60  sigmatch_table[DETECT_REFERENCE].name = "reference";
61  sigmatch_table[DETECT_REFERENCE].desc = "direct to places where information about the rule can be found";
62  sigmatch_table[DETECT_REFERENCE].url = "/rules/meta.html#reference";
63  sigmatch_table[DETECT_REFERENCE].Setup = DetectReferenceSetup;
64 #ifdef UNITTESTS
65  sigmatch_table[DETECT_REFERENCE].RegisterTests = ReferenceRegisterTests;
66 #endif
67  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
68 }
69 
70 /**
71  * \brief Free a Reference object
72  */
74 {
75  SCEnter();
76 
77  if (ref->reference != NULL) {
78  SCFree(ref->reference);
79  }
80  SCFree(ref);
81 
82  SCReturn;
83 }
84 
85 /**
86  * \internal
87  * \brief This function is used to parse reference options passed via reference: keyword
88  *
89  * \param rawstr Pointer to the user provided reference options.
90  *
91  * \retval ref Pointer to signature reference on success.
92  * \retval NULL On failure.
93  */
94 static DetectReference *DetectReferenceParse(const char *rawstr, DetectEngineCtx *de_ctx)
95 {
96  SCEnter();
97 
98  int ret = 0, res = 0;
99  size_t pcre2len;
100  char key[REFERENCE_SYSTEM_NAME_MAX] = "";
101  char content[REFERENCE_CONTENT_NAME_MAX] = "";
102 
103  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
104  if (ret < 2) {
105  SCLogError(SC_ERR_INVALID_SIGNATURE, "Unable to parse \"reference\" "
106  "keyword argument - \"%s\". Invalid argument.", rawstr);
107  return NULL;
108  }
109 
110  DetectReference *ref = SCCalloc(1, sizeof(DetectReference));
111  if (unlikely(ref == NULL)) {
112  return NULL;
113  }
114 
115  pcre2len = sizeof(key);
116  res = pcre2_substring_copy_bynumber(parse_regex.match, 1, (PCRE2_UCHAR8 *)key, &pcre2len);
117  if (res < 0) {
118  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
119  goto error;
120  }
121 
122  pcre2len = sizeof(content);
123  res = pcre2_substring_copy_bynumber(parse_regex.match, 2, (PCRE2_UCHAR8 *)content, &pcre2len);
124  if (res < 0) {
125  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
126  goto error;
127  }
128 
129  if (strlen(key) == 0 || strlen(content) == 0)
130  goto error;
131 
132  SCRConfReference *lookup_ref_conf = SCRConfGetReference(key, de_ctx);
133  if (lookup_ref_conf != NULL) {
134  ref->key = lookup_ref_conf->url;
135  } else {
138  "unknown reference key \"%s\"", key);
139  goto error;
140  }
141 
143  "unknown reference key \"%s\"", key);
144 
145  char str[2048];
146  snprintf(str, sizeof(str), "config reference: %s undefined\n", key);
147 
148  if (SCRConfAddReference(de_ctx, str) < 0)
149  goto error;
150  lookup_ref_conf = SCRConfGetReference(key, de_ctx);
151  if (lookup_ref_conf == NULL)
152  goto error;
153  }
154 
155  /* make a copy so we can free pcre's substring */
156  ref->reference = SCStrdup(content);
157  if (ref->reference == NULL) {
158  SCLogError(SC_ERR_MEM_ALLOC, "strdup failed: %s", strerror(errno));
159  goto error;
160  }
161 
162  /* free the substrings */
163  SCReturnPtr(ref, "Reference");
164 
165 error:
166  DetectReferenceFree(ref);
167  SCReturnPtr(NULL, "Reference");
168 }
169 
170 /**
171  * \internal
172  * \brief Used to add the parsed reference into the current signature.
173  *
174  * \param de_ctx Pointer to the Detection Engine Context.
175  * \param s Pointer to the Current Signature.
176  * \param m Pointer to the Current SigMatch.
177  * \param rawstr Pointer to the user provided reference options.
178  *
179  * \retval 0 On Success.
180  * \retval -1 On Failure.
181  */
182 static int DetectReferenceSetup(DetectEngineCtx *de_ctx, Signature *s,
183  const char *rawstr)
184 {
185  SCEnter();
186 
187  DetectReference *sig_refs = NULL;
188 
189  DetectReference *ref = DetectReferenceParse(rawstr, de_ctx);
190  if (ref == NULL)
191  SCReturnInt(-1);
192 
193  SCLogDebug("ref %s %s", ref->key, ref->reference);
194 
195  if (s->references == NULL) {
196  s->references = ref;
197  } else {
198  sig_refs = s->references;
199  while (sig_refs->next != NULL) {
200  sig_refs = sig_refs->next;
201  }
202  sig_refs->next = ref;
203  ref->next = NULL;
204  }
205 
206  SCReturnInt(0);
207 }
208 
209 /***************************************Unittests******************************/
210 
211 #ifdef UNITTESTS
212 
213 /**
214  * \test one valid reference.
215  *
216  * \retval 1 on succces.
217  * \retval 0 on failure.
218  */
219 static int DetectReferenceParseTest01(void)
220 {
223  de_ctx->flags |= DE_QUIET;
224 
226  FAIL_IF_NULL(fd);
228 
229  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
230  "(msg:\"One reference\"; reference:one,001-2010; sid:2;)");
231  FAIL_IF_NULL(s);
233 
234  DetectReference *ref = s->references;
235  FAIL_IF (strcmp(ref->key, "http://www.one.com") != 0);
236  FAIL_IF (strcmp(ref->reference, "001-2010") != 0);
237 
239  PASS;
240 }
241 
242 /**
243  * \test for two valid references.
244  *
245  * \retval 1 on succces.
246  * \retval 0 on failure.
247  */
248 static int DetectReferenceParseTest02(void)
249 {
252  de_ctx->flags |= DE_QUIET;
253 
255  FAIL_IF_NULL(fd);
257 
258  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
259  "(msg:\"Two references\"; "
260  "reference:one,openinfosecdoundation.txt; "
261  "reference:two,001-2010; sid:2;)");
262  FAIL_IF_NULL(s);
265 
266  DetectReference *ref = s->references;
267  FAIL_IF (strcmp(ref->key, "http://www.one.com") != 0);
268  FAIL_IF (strcmp(ref->reference, "openinfosecdoundation.txt") != 0);
269 
270  ref = s->references->next;
271  FAIL_IF (strcmp(ref->key, "http://www.two.com") != 0);
272  FAIL_IF (strcmp(ref->reference, "001-2010") != 0);
273 
275  PASS;
276 }
277 
278 /**
279  * \test parsing: invalid reference.
280  *
281  * \retval 1 on succces.
282  * \retval 0 on failure.
283  */
284 static int DetectReferenceParseTest03(void)
285 {
288  de_ctx->flags |= DE_QUIET;
289 
291  FAIL_IF_NULL(fd);
293 
294  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
295  "(msg:\"invalid ref\"; "
296  "reference:unknownkey,001-2010; sid:2;)");
297  FAIL_IF_NULL(s);
299  PASS;
300 }
301 
302 static void ReferenceRegisterTests(void)
303 {
304  UtRegisterTest("DetectReferenceParseTest01", DetectReferenceParseTest01);
305  UtRegisterTest("DetectReferenceParseTest02", DetectReferenceParseTest02);
306  UtRegisterTest("DetectReferenceParseTest03", DetectReferenceParseTest03);
307 }
308 #endif /* UNITTESTS */
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
SigTableElmt_::url
const char * url
Definition: detect.h:1238
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1237
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2488
DetectParseRegex
Definition: detect-parse.h:44
SigTableElmt_::name
const char * name
Definition: detect.h:1235
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
DetectReferenceFree
void DetectReferenceFree(DetectReference *ref)
Free a Reference object.
Definition: detect-reference.c:73
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2445
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
util-unittest.h
detect-reference.h
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DETECT_REFERENCE
@ DETECT_REFERENCE
Definition: detect-engine-register.h:59
util-reference-config.h
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2611
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect-engine-mpm.h
Signature_::references
DetectReference * references
Definition: detect.h:604
detect.h
SigMatchStrictEnabled
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
Definition: detect-parse.c:301
DetectReference_
Signature reference list.
Definition: detect-reference.h:31
REFERENCE_SYSTEM_NAME_MAX
#define REFERENCE_SYSTEM_NAME_MAX
Definition: util-reference-config.h:29
SCReturn
#define SCReturn
Definition: util-debug.h:300
SCRConfLoadReferenceConfigFile
int SCRConfLoadReferenceConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Reference info from the reference.config file.
Definition: util-reference-config.c:496
DetectReference_::reference
char * reference
Definition: detect-reference.h:35
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:314
DetectReferenceRegister
void DetectReferenceRegister(void)
Registration function for the reference: keyword.
Definition: detect-reference.c:58
SCRConfAddReference
int SCRConfAddReference(DetectEngineCtx *de_ctx, const char *line)
Parses a line from the reference config file and adds it to Reference Config hash table DetectEngineC...
Definition: util-reference-config.c:230
DetectReference_::next
struct DetectReference_ * next
Definition: detect-reference.h:37
SCRConfGetReference
SCRConfReference * SCRConfGetReference(const char *rconf_name, DetectEngineCtx *de_ctx)
Gets the reference config from the corresponding hash table stored in the Detection Engine Context's ...
Definition: util-reference-config.c:527
decode-events.h
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
SC_ERR_REFERENCE_UNKNOWN
@ SC_ERR_REFERENCE_UNKNOWN
Definition: util-error.h:182
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
SCRConfReference_
Holds a reference from the file - reference.config.
Definition: util-reference-config.h:35
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-reference.c:46
str
#define str(s)
Definition: suricata-common.h:280
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:242
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectReference_::key
char * key
Definition: detect-reference.h:33
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2406
SCRConfReference_::url
char * url
Definition: util-reference-config.h:39
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
suricata.h
SCRConfGenerateValidDummyReferenceConfigFD01
FILE * SCRConfGenerateValidDummyReferenceConfigFD01(void)
Creates a dummy reference config, with all valid references, for testing purposes.
Definition: util-reference-config.c:549
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:785
REFERENCE_CONTENT_NAME_MAX
#define REFERENCE_CONTENT_NAME_MAX
Definition: util-reference-config.h:30
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
flow-var.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1227