suricata
detect-reference.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Implements the reference keyword support
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 
34 #include "decode.h"
35 #include "flow-var.h"
36 #include "decode-events.h"
37 #include "stream-tcp.h"
38 
39 #include "util-reference-config.h"
40 #include "detect-reference.h"
41 
42 #include "util-unittest.h"
43 #include "util-byte.h"
44 #include "util-debug.h"
45 
46 #define PARSE_REGEX "^\\s*([A-Za-z0-9]+)\\s*,\"?\\s*\"?\\s*([a-zA-Z0-9\\-_\\.\\/\\?\\=]+)\"?\\s*\"?"
47 
48 static pcre *parse_regex;
49 static pcre_extra *parse_regex_study;
50 
51 static int DetectReferenceSetup(DetectEngineCtx *, Signature *s, const char *str);
52 
53 /**
54  * \brief Registration function for the reference: keyword
55  */
57 {
58  sigmatch_table[DETECT_REFERENCE].name = "reference";
59  sigmatch_table[DETECT_REFERENCE].desc = "direct to places where information about the rule can be found";
60  sigmatch_table[DETECT_REFERENCE].url = DOC_URL DOC_VERSION "/rules/meta.html#reference";
62  sigmatch_table[DETECT_REFERENCE].Setup = DetectReferenceSetup;
65 
66  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
67 }
68 
69 /**
70  * \brief Free a Reference object
71  */
73 {
74  SCEnter();
75 
76  if (ref->reference != NULL) {
77  SCFree(ref->reference);
78  }
79  SCFree(ref);
80 
81  SCReturn;
82 }
83 
84 /**
85  * \internal
86  * \brief This function is used to parse reference options passed via reference: keyword
87  *
88  * \param rawstr Pointer to the user provided reference options.
89  *
90  * \retval ref Pointer to signature reference on success.
91  * \retval NULL On failure.
92  */
93 static DetectReference *DetectReferenceParse(const char *rawstr, DetectEngineCtx *de_ctx)
94 {
95  SCEnter();
96 
97  DetectReference *ref = NULL;
98 #define MAX_SUBSTRINGS 30
99  int ret = 0, res = 0;
100  int ov[MAX_SUBSTRINGS];
101  char key[64] = "";
102  char content[1024] = "";
103 
104  ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr),
105  0, 0, ov, MAX_SUBSTRINGS);
106  if (ret < 2) {
107  SCLogError(SC_ERR_INVALID_SIGNATURE, "Unable to parse \"reference\" "
108  "keyword argument - \"%s\". Invalid argument.", rawstr);
109  goto error;
110  }
111 
112  ref = SCMalloc(sizeof(DetectReference));
113  if (unlikely(ref == NULL)) {
114  goto error;
115  }
116  memset(ref, 0, sizeof(DetectReference));
117 
118  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, key, sizeof(key));
119  if (res < 0) {
120  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
121  goto error;
122  }
123 
124  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, content, sizeof(content));
125  if (res < 0) {
126  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
127  goto error;
128  }
129 
130  if (strlen(key) == 0 || strlen(content) == 0)
131  goto error;
132 
133  SCRConfReference *lookup_ref_conf = SCRConfGetReference(key, de_ctx);
134  if (lookup_ref_conf != NULL) {
135  ref->key = lookup_ref_conf->url;
136  } else {
137  SCLogError(SC_ERR_REFERENCE_UNKNOWN, "unknown reference key \"%s\". "
138  "Supported keys are defined in reference.config file. Please "
139  "have a look at the conf param \"reference-config-file\"", key);
140  goto error;
141  }
142 
143  /* make a copy so we can free pcre's substring */
144  ref->reference = SCStrdup((char *)content);
145  if (ref->reference == NULL) {
146  SCLogError(SC_ERR_MEM_ALLOC, "strdup failed: %s", strerror(errno));
147  goto error;
148  }
149 
150  /* free the substrings */
151  SCReturnPtr(ref, "Reference");
152 
153 error:
154  if (ref != NULL)
155  DetectReferenceFree(ref);
156 
157  SCReturnPtr(NULL, "Reference");
158 }
159 
160 /**
161  * \internal
162  * \brief Used to add the parsed reference into the current signature.
163  *
164  * \param de_ctx Pointer to the Detection Engine Context.
165  * \param s Pointer to the Current Signature.
166  * \param m Pointer to the Current SigMatch.
167  * \param rawstr Pointer to the user provided reference options.
168  *
169  * \retval 0 On Success.
170  * \retval -1 On Failure.
171  */
172 static int DetectReferenceSetup(DetectEngineCtx *de_ctx, Signature *s,
173  const char *rawstr)
174 {
175  SCEnter();
176 
177  DetectReference *ref = NULL;
178  DetectReference *sig_refs = NULL;
179 
180  ref = DetectReferenceParse(rawstr, de_ctx);
181  if (ref == NULL)
182  goto error;
183 
184  SCLogDebug("ref %s %s", ref->key, ref->reference);
185 
186  if (s->references == NULL) {
187  s->references = ref;
188  } else {
189  sig_refs = s->references;
190  while (sig_refs->next != NULL) {
191  sig_refs = sig_refs->next;
192  }
193  sig_refs->next = ref;
194  ref->next = NULL;
195  }
196 
197  SCReturnInt(0);
198 
199 error:
200  SCReturnInt(-1);
201 }
202 
203 /***************************************Unittests******************************/
204 
205 #ifdef UNITTESTS
206 
207 /**
208  * \test one valid reference.
209  *
210  * \retval 1 on succces.
211  * \retval 0 on failure.
212  */
213 static int DetectReferenceParseTest01(void)
214 {
215  int result = 0;
216  Signature *s = NULL;
217  DetectReference *ref = NULL;
218 
220  if (de_ctx == NULL) {
221  goto cleanup;
222  }
223  de_ctx->flags |= DE_QUIET;
224 
226  SCRConfLoadReferenceConfigFile(de_ctx, fd);
227 
228  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
229  "(msg:\"One reference\"; reference:one,001-2010; sid:2;)");
230  if (s == NULL) {
231  goto cleanup;
232  }
233 
234  if (s->references == NULL) {
235  goto cleanup;
236  }
237 
238  ref = s->references;
239  if (strcmp(ref->key, "http://www.one.com") != 0 ||
240  strcmp(ref->reference, "001-2010") != 0) {
241  goto cleanup;
242  }
243 
244  result = 1;
245 
246 cleanup:
247  if (de_ctx != NULL) {
248  DetectEngineCtxFree(de_ctx);
249  }
250  return result;
251 
252 }
253 
254 /**
255  * \test for two valid references.
256  *
257  * \retval 1 on succces.
258  * \retval 0 on failure.
259  */
260 static int DetectReferenceParseTest02(void)
261 {
262  int result = 0;
263  Signature *s = NULL;
264 
266  if (de_ctx == NULL) {
267  goto cleanup;
268  }
269  de_ctx->flags |= DE_QUIET;
270 
272  SCRConfLoadReferenceConfigFile(de_ctx, fd);
273 
274  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
275  "(msg:\"Two references\"; "
276  "reference:one,openinfosecdoundation.txt; "
277  "reference:two,001-2010; sid:2;)");
278  if (s == NULL) {
279  printf("sig parse failed: ");
280  goto cleanup;
281  }
282 
283  if (s->references == NULL || s->references->next == NULL) {
284  printf("no ref or not enough refs: ");
285  goto cleanup;
286  }
287 
288  if (strcmp(s->references->key, "http://www.one.com") != 0 ||
289  strcmp(s->references->reference, "openinfosecdoundation.txt") != 0) {
290  printf("first ref failed: ");
291  goto cleanup;
292  }
293 
294  if (strcmp(s->references->next->key, "http://www.two.com") != 0 ||
295  strcmp(s->references->next->reference, "001-2010") != 0) {
296  printf("second ref failed: ");
297  goto cleanup;
298  }
299 
300  result = 1;
301 
302 cleanup:
303  if (de_ctx != NULL) {
304  DetectEngineCtxFree(de_ctx);
305  }
306  return result;
307 }
308 
309 /**
310  * \test parsing: invalid reference.
311  *
312  * \retval 1 on succces.
313  * \retval 0 on failure.
314  */
315 static int DetectReferenceParseTest03(void)
316 {
317  int result = 0;
318  Signature *s = NULL;
320  if (de_ctx == NULL) {
321  goto cleanup;
322  }
323  de_ctx->flags |= DE_QUIET;
324 
326  SCRConfLoadReferenceConfigFile(de_ctx, fd);
327 
328  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
329  "(msg:\"invalid ref\"; "
330  "reference:unknownkey,001-2010; sid:2;)");
331  if (s != NULL) {
332  printf("sig parsed even though it's invalid: ");
333  goto cleanup;
334  }
335 
336  result = 1;
337 
338 cleanup:
339  if (de_ctx != NULL) {
340  DetectEngineCtxFree(de_ctx);
341  }
342  return result;
343 }
344 
345 #endif /* UNITTESTS */
346 
348 {
349 #ifdef UNITTESTS
350  UtRegisterTest("DetectReferenceParseTest01", DetectReferenceParseTest01);
351  UtRegisterTest("DetectReferenceParseTest02", DetectReferenceParseTest02);
352  UtRegisterTest("DetectReferenceParseTest03", DetectReferenceParseTest03);
353 #endif /* UNITTESTS */
354 
355  return;
356 }
DetectReference * references
Definition: detect.h:557
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
#define SCLogDebug(...)
Definition: util-debug.h:335
#define MAX_SUBSTRINGS
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Signature * sig_list
Definition: detect.h:729
void ReferenceRegisterTests(void)
const char * name
Definition: detect.h:1163
Signature container.
Definition: detect.h:495
void DetectReferenceFree(DetectReference *ref)
Free a Reference object.
main detection engine ctx
Definition: detect.h:723
#define DE_QUIET
Definition: detect.h:296
#define str(s)
uint8_t flags
Definition: detect.h:724
void(* Free)(void *)
Definition: detect.h:1154
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define SCEnter(...)
Definition: util-debug.h:337
struct DetectReference_ * next
FILE * SCRConfGenerateValidDummyReferenceConfigFD01(void)
Creates a dummy reference config, with all valid references, for testing purposes.
#define SCReturnInt(x)
Definition: util-debug.h:341
const char * desc
Definition: detect.h:1165
#define SCMalloc(a)
Definition: util-mem.h:166
Holds a reference from the file - reference.config.
#define SCFree(a)
Definition: util-mem.h:228
PoolThreadReserved res
SCRConfReference * SCRConfGetReference(const char *rconf_name, DetectEngineCtx *de_ctx)
Gets the refernce config from the corresponding hash table stored in the Detection Engine Context&#39;s r...
void DetectReferenceRegister(void)
Registration function for the reference: keyword.
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
const char * url
Definition: detect.h:1166
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
Signature reference list.
#define SCStrdup(a)
Definition: util-mem.h:212
#define DOC_URL
Definition: suricata.h:86
#define SCReturn
Definition: util-debug.h:339
#define PARSE_REGEX
#define DOC_VERSION
Definition: suricata.h:91
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void(* RegisterTests)(void)
Definition: detect.h:1155
int SCRConfLoadReferenceConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Reference info from the reference.config file.
DetectEngineCtx * DetectEngineCtxInit(void)