suricata
detect-reference.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Implements the reference keyword support
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 
34 #include "decode.h"
35 #include "flow-var.h"
36 #include "decode-events.h"
37 #include "stream-tcp.h"
38 
39 #include "util-reference-config.h"
40 #include "detect-reference.h"
41 
42 #include "util-unittest.h"
43 #include "util-byte.h"
44 #include "util-debug.h"
45 
46 #define PARSE_REGEX "^\\s*([A-Za-z0-9]+)\\s*,\"?\\s*\"?\\s*([a-zA-Z0-9\\-_\\.\\/\\?\\=]+)\"?\\s*\"?"
47 
48 static pcre *parse_regex;
49 static pcre_extra *parse_regex_study;
50 
51 #ifdef UNITTESTS
52 static void ReferenceRegisterTests(void);
53 #endif
54 static int DetectReferenceSetup(DetectEngineCtx *, Signature *s, const char *str);
55 
56 /**
57  * \brief Registration function for the reference: keyword
58  */
60 {
61  sigmatch_table[DETECT_REFERENCE].name = "reference";
62  sigmatch_table[DETECT_REFERENCE].desc = "direct to places where information about the rule can be found";
63  sigmatch_table[DETECT_REFERENCE].url = DOC_URL DOC_VERSION "/rules/meta.html#reference";
64  sigmatch_table[DETECT_REFERENCE].Setup = DetectReferenceSetup;
65 #ifdef UNITTESTS
66  sigmatch_table[DETECT_REFERENCE].RegisterTests = ReferenceRegisterTests;
67 #endif
68  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
69 }
70 
71 /**
72  * \brief Free a Reference object
73  */
75 {
76  SCEnter();
77 
78  if (ref->reference != NULL) {
79  SCFree(ref->reference);
80  }
81  SCFree(ref);
82 
83  SCReturn;
84 }
85 
86 /**
87  * \internal
88  * \brief This function is used to parse reference options passed via reference: keyword
89  *
90  * \param rawstr Pointer to the user provided reference options.
91  *
92  * \retval ref Pointer to signature reference on success.
93  * \retval NULL On failure.
94  */
95 static DetectReference *DetectReferenceParse(const char *rawstr, DetectEngineCtx *de_ctx)
96 {
97  SCEnter();
98 
99 #define MAX_SUBSTRINGS 30
100  int ret = 0, res = 0;
101  int ov[MAX_SUBSTRINGS];
102  char key[REFERENCE_SYSTEM_NAME_MAX] = "";
103  char content[REFERENCE_CONTENT_NAME_MAX] = "";
104 
105  ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr),
106  0, 0, ov, MAX_SUBSTRINGS);
107  if (ret < 2) {
108  SCLogError(SC_ERR_INVALID_SIGNATURE, "Unable to parse \"reference\" "
109  "keyword argument - \"%s\". Invalid argument.", rawstr);
110  return NULL;
111  }
112 
113  DetectReference *ref = SCCalloc(1, sizeof(DetectReference));
114  if (unlikely(ref == NULL)) {
115  return NULL;
116  }
117 
118  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, key, sizeof(key));
119  if (res < 0) {
120  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
121  goto error;
122  }
123 
124  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, content, sizeof(content));
125  if (res < 0) {
126  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
127  goto error;
128  }
129 
130  if (strlen(key) == 0 || strlen(content) == 0)
131  goto error;
132 
133  SCRConfReference *lookup_ref_conf = SCRConfGetReference(key, de_ctx);
134  if (lookup_ref_conf != NULL) {
135  ref->key = lookup_ref_conf->url;
136  } else {
139  "unknown reference key \"%s\"", key);
140  goto error;
141  }
142 
144  "unknown reference key \"%s\"", key);
145 
146  char str[2048];
147  snprintf(str, sizeof(str), "config reference: %s undefined\n", key);
148 
149  if (SCRConfAddReference(de_ctx, str) < 0)
150  goto error;
151  lookup_ref_conf = SCRConfGetReference(key, de_ctx);
152  if (lookup_ref_conf == NULL)
153  goto error;
154  }
155 
156  /* make a copy so we can free pcre's substring */
157  ref->reference = SCStrdup(content);
158  if (ref->reference == NULL) {
159  SCLogError(SC_ERR_MEM_ALLOC, "strdup failed: %s", strerror(errno));
160  goto error;
161  }
162 
163  /* free the substrings */
164  SCReturnPtr(ref, "Reference");
165 
166 error:
167  DetectReferenceFree(ref);
168  SCReturnPtr(NULL, "Reference");
169 }
170 
171 /**
172  * \internal
173  * \brief Used to add the parsed reference into the current signature.
174  *
175  * \param de_ctx Pointer to the Detection Engine Context.
176  * \param s Pointer to the Current Signature.
177  * \param m Pointer to the Current SigMatch.
178  * \param rawstr Pointer to the user provided reference options.
179  *
180  * \retval 0 On Success.
181  * \retval -1 On Failure.
182  */
183 static int DetectReferenceSetup(DetectEngineCtx *de_ctx, Signature *s,
184  const char *rawstr)
185 {
186  SCEnter();
187 
188  DetectReference *sig_refs = NULL;
189 
190  DetectReference *ref = DetectReferenceParse(rawstr, de_ctx);
191  if (ref == NULL)
192  SCReturnInt(-1);
193 
194  SCLogDebug("ref %s %s", ref->key, ref->reference);
195 
196  if (s->references == NULL) {
197  s->references = ref;
198  } else {
199  sig_refs = s->references;
200  while (sig_refs->next != NULL) {
201  sig_refs = sig_refs->next;
202  }
203  sig_refs->next = ref;
204  ref->next = NULL;
205  }
206 
207  SCReturnInt(0);
208 }
209 
210 /***************************************Unittests******************************/
211 
212 #ifdef UNITTESTS
213 
214 /**
215  * \test one valid reference.
216  *
217  * \retval 1 on succces.
218  * \retval 0 on failure.
219  */
220 static int DetectReferenceParseTest01(void)
221 {
223  FAIL_IF_NULL(de_ctx);
224  de_ctx->flags |= DE_QUIET;
225 
227  FAIL_IF_NULL(fd);
228  SCRConfLoadReferenceConfigFile(de_ctx, fd);
229 
230  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
231  "(msg:\"One reference\"; reference:one,001-2010; sid:2;)");
232  FAIL_IF_NULL(s);
234 
235  DetectReference *ref = s->references;
236  FAIL_IF (strcmp(ref->key, "http://www.one.com") != 0);
237  FAIL_IF (strcmp(ref->reference, "001-2010") != 0);
238 
239  DetectEngineCtxFree(de_ctx);
240  PASS;
241 }
242 
243 /**
244  * \test for two valid references.
245  *
246  * \retval 1 on succces.
247  * \retval 0 on failure.
248  */
249 static int DetectReferenceParseTest02(void)
250 {
252  FAIL_IF_NULL(de_ctx);
253  de_ctx->flags |= DE_QUIET;
254 
256  FAIL_IF_NULL(fd);
257  SCRConfLoadReferenceConfigFile(de_ctx, fd);
258 
259  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
260  "(msg:\"Two references\"; "
261  "reference:one,openinfosecdoundation.txt; "
262  "reference:two,001-2010; sid:2;)");
263  FAIL_IF_NULL(s);
266 
267  DetectReference *ref = s->references;
268  FAIL_IF (strcmp(ref->key, "http://www.one.com") != 0);
269  FAIL_IF (strcmp(ref->reference, "openinfosecdoundation.txt") != 0);
270 
271  ref = s->references->next;
272  FAIL_IF (strcmp(ref->key, "http://www.two.com") != 0);
273  FAIL_IF (strcmp(ref->reference, "001-2010") != 0);
274 
275  DetectEngineCtxFree(de_ctx);
276  PASS;
277 }
278 
279 /**
280  * \test parsing: invalid reference.
281  *
282  * \retval 1 on succces.
283  * \retval 0 on failure.
284  */
285 static int DetectReferenceParseTest03(void)
286 {
288  FAIL_IF_NULL(de_ctx);
289  de_ctx->flags |= DE_QUIET;
290 
292  FAIL_IF_NULL(fd);
293  SCRConfLoadReferenceConfigFile(de_ctx, fd);
294 
295  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
296  "(msg:\"invalid ref\"; "
297  "reference:unknownkey,001-2010; sid:2;)");
298  FAIL_IF_NULL(s);
299  DetectEngineCtxFree(de_ctx);
300  PASS;
301 }
302 
303 static void ReferenceRegisterTests(void)
304 {
305  UtRegisterTest("DetectReferenceParseTest01", DetectReferenceParseTest01);
306  UtRegisterTest("DetectReferenceParseTest02", DetectReferenceParseTest02);
307  UtRegisterTest("DetectReferenceParseTest03", DetectReferenceParseTest03);
308 }
309 #endif /* UNITTESTS */
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
DetectReference * references
Definition: detect.h:585
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
#define SCLogDebug(...)
Definition: util-debug.h:335
#define MAX_SUBSTRINGS
#define PASS
Pass the test.
#define unlikely(expr)
Definition: util-optimize.h:35
int SCRConfAddReference(DetectEngineCtx *de_ctx, const char *line)
Parses a line from the reference config file and adds it to Reference Config hash table DetectEngineC...
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
const char * name
Definition: detect.h:1200
Signature container.
Definition: detect.h:522
#define REFERENCE_SYSTEM_NAME_MAX
void DetectReferenceFree(DetectReference *ref)
Free a Reference object.
main detection engine ctx
Definition: detect.h:761
#define DE_QUIET
Definition: detect.h:292
#define str(s)
#define SCCalloc(nm, a)
Definition: util-mem.h:253
uint8_t flags
Definition: detect.h:762
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define SCEnter(...)
Definition: util-debug.h:337
struct DetectReference_ * next
FILE * SCRConfGenerateValidDummyReferenceConfigFD01(void)
Creates a dummy reference config, with all valid references, for testing purposes.
#define REFERENCE_CONTENT_NAME_MAX
#define SCReturnInt(x)
Definition: util-debug.h:341
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
Definition: detect-parse.c:295
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
const char * desc
Definition: detect.h:1202
Holds a reference from the file - reference.config.
#define SCFree(a)
Definition: util-mem.h:322
PoolThreadReserved res
SCRConfReference * SCRConfGetReference(const char *rconf_name, DetectEngineCtx *de_ctx)
Gets the refernce config from the corresponding hash table stored in the Detection Engine Context&#39;s r...
void DetectReferenceRegister(void)
Registration function for the reference: keyword.
const char * url
Definition: detect.h:1203
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
Signature reference list.
#define SCStrdup(a)
Definition: util-mem.h:268
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
#define DOC_URL
Definition: suricata.h:86
#define SCReturn
Definition: util-debug.h:339
#define PARSE_REGEX
#define DOC_VERSION
Definition: suricata.h:91
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void(* RegisterTests)(void)
Definition: detect.h:1192
int SCRConfLoadReferenceConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Reference info from the reference.config file.
DetectEngineCtx * DetectEngineCtxInit(void)