suricata
detect-reference.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Implements the reference keyword support
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 
34 #include "decode.h"
35 #include "flow-var.h"
36 #include "decode-events.h"
37 #include "stream-tcp.h"
38 
39 #include "util-reference-config.h"
40 #include "detect-reference.h"
41 
42 #include "util-unittest.h"
43 #include "util-byte.h"
44 #include "util-debug.h"
45 
46 /* Breakout key and scheme (optional) and domain/path (mandatory) */
47 #define PARSE_REGEX \
48  "^\\s*([A-Za-z0-9]+)\\s*,\"?\\s*\"?\\s*([a-zA-Z]+:\\/\\/)?([a-zA-Z0-9\\-_\\.\\/" \
49  "\\?\\=]+)\"?\\s*\"?"
50 
51 static DetectParseRegex parse_regex;
52 
53 #ifdef UNITTESTS
54 static void ReferenceRegisterTests(void);
55 #endif
56 static int DetectReferenceSetup(DetectEngineCtx *, Signature *s, const char *str);
57 
58 /**
59  * \brief Registration function for the reference: keyword
60  */
61 void DetectReferenceRegister(void)
62 {
63  sigmatch_table[DETECT_REFERENCE].name = "reference";
64  sigmatch_table[DETECT_REFERENCE].desc = "direct to places where information about the rule can be found";
65  sigmatch_table[DETECT_REFERENCE].url = "/rules/meta.html#reference";
66  sigmatch_table[DETECT_REFERENCE].Setup = DetectReferenceSetup;
67 #ifdef UNITTESTS
68  sigmatch_table[DETECT_REFERENCE].RegisterTests = ReferenceRegisterTests;
69 #endif
70  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
71 }
72 
73 /**
74  * \brief Free a Reference object
75  */
76 void DetectReferenceFree(DetectReference *ref)
77 {
78  SCEnter();
79 
80  if (ref->key)
81  SCFree(ref->key);
82 
83  if (ref->reference != NULL) {
84  SCFree(ref->reference);
85  }
86  SCFree(ref);
87 
88  SCReturn;
89 }
90 
91 /**
92  * \internal
93  * \brief This function is used to parse reference options passed via reference: keyword
94  *
95  * \param rawstr Pointer to the user provided reference options.
96  *
97  * \retval ref Pointer to signature reference on success.
98  * \retval NULL On failure.
99  */
100 static DetectReference *DetectReferenceParse(const char *rawstr, DetectEngineCtx *de_ctx)
101 {
102  SCEnter();
103 
104  int res = 0;
105  size_t pcre2len;
106  char key[REFERENCE_SYSTEM_NAME_MAX] = "";
107  char scheme[REFERENCE_SYSTEM_NAME_MAX] = "";
108  char uri[REFERENCE_CONTENT_NAME_MAX] = "";
109 
110  pcre2_match_data *match = NULL;
111  int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
112  if (ret != 4) {
113  SCLogError("Unable to parse \"reference\" "
114  "keyword argument - \"%s\". Invalid argument.",
115  rawstr);
116  if (match) {
117  pcre2_match_data_free(match);
118  }
119  return NULL;
120  }
121 
122  DetectReference *ref = SCCalloc(1, sizeof(DetectReference));
123  if (unlikely(ref == NULL)) {
124  pcre2_match_data_free(match);
125  return NULL;
126  }
127 
128  /* Position 1 = key (mandatory) */
129  pcre2len = sizeof(key);
130  res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)key, &pcre2len);
131  if (res < 0) {
132  SCLogError("pcre2_substring_copy_bynumber key failed");
133  goto error;
134  }
135 
136  /* Position 2 = scheme (optional) */
137  pcre2len = sizeof(scheme);
138  (void)pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)scheme, &pcre2len);
139 
140  /* Position 3 = domain-path (mandatory) */
141  pcre2len = sizeof(uri);
142  res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)uri, &pcre2len);
143  if (res < 0) {
144  SCLogError("pcre2_substring_copy_bynumber domain-path failed");
145  goto error;
146  }
147 
148  size_t ref_len = strlen(uri);
149  /* no key, reference -- return an error */
150  if (strlen(key) == 0 || ref_len == 0)
151  goto error;
152 
153  if (strlen(scheme)) {
154  SCLogConfig("scheme value %s overrides key %s", scheme, key);
155  ref->key = SCStrdup(scheme);
156  /* already bound checked to be REFERENCE_SYSTEM_NAME_MAX or less */
157  ref->key_len = (uint16_t)strlen(scheme);
158  } else {
159 
160  SCRConfReference *lookup_ref_conf = SCRConfGetReference(key, de_ctx);
161  if (lookup_ref_conf != NULL) {
162  ref->key = SCStrdup(lookup_ref_conf->url);
163  /* already bound checked to be REFERENCE_SYSTEM_NAME_MAX or less */
164  ref->key_len = (uint16_t)strlen(ref->key);
165  } else {
166  if (SigMatchStrictEnabled(DETECT_REFERENCE)) {
167  SCLogError("unknown reference key \"%s\"", key);
168  goto error;
169  }
170 
171  SCLogWarning("unknown reference key \"%s\"", key);
172 
173  char str[2048];
174  snprintf(str, sizeof(str), "config reference: %s undefined\n", key);
175 
176  if (SCRConfAddReference(de_ctx, str) < 0)
177  goto error;
178  lookup_ref_conf = SCRConfGetReference(key, de_ctx);
179  if (lookup_ref_conf == NULL)
180  goto error;
181  }
182  }
183 
184  /* make a copy so we can free pcre's substring */
185  ref->reference = SCStrdup(uri);
186  if (ref->reference == NULL) {
187  SCLogError("strdup failed: %s", strerror(errno));
188  goto error;
189  }
190 
191  /* already bound checked to be REFERENCE_CONTENT_NAME_MAX or less */
192  ref->reference_len = (uint16_t)ref_len;
193 
194  pcre2_match_data_free(match);
195  /* free the substrings */
196  SCReturnPtr(ref, "Reference");
197 
198 error:
199  if (match) {
200  pcre2_match_data_free(match);
201  }
202  DetectReferenceFree(ref);
203  SCReturnPtr(NULL, "Reference");
204 }
205 
206 /**
207  * \internal
208  * \brief Used to add the parsed reference into the current signature.
209  *
210  * \param de_ctx Pointer to the Detection Engine Context.
211  * \param s Pointer to the Current Signature.
212  * \param m Pointer to the Current SigMatch.
213  * \param rawstr Pointer to the user provided reference options.
214  *
215  * \retval 0 On Success.
216  * \retval -1 On Failure.
217  */
218 static int DetectReferenceSetup(DetectEngineCtx *de_ctx, Signature *s,
219  const char *rawstr)
220 {
221  SCEnter();
222 
223  DetectReference *sig_refs = NULL;
224 
225  DetectReference *ref = DetectReferenceParse(rawstr, de_ctx);
226  if (ref == NULL)
227  SCReturnInt(-1);
228 
229  SCLogDebug("ref %s %s", ref->key, ref->reference);
230 
231  if (s->references == NULL) {
232  s->references = ref;
233  } else {
234  sig_refs = s->references;
235  while (sig_refs->next != NULL) {
236  sig_refs = sig_refs->next;
237  }
238  sig_refs->next = ref;
239  ref->next = NULL;
240  }
241 
242  SCReturnInt(0);
243 }
244 
245 /***************************************Unittests******************************/
246 
247 #ifdef UNITTESTS
248 
249 /**
250  * \test one valid reference.
251  *
252  * \retval 1 on success.
253  * \retval 0 on failure.
254  */
255 static int DetectReferenceParseTest01(void)
256 {
257  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
258  FAIL_IF_NULL(de_ctx);
259  de_ctx->flags |= DE_QUIET;
260 
261  FILE *fd = SCRConfGenerateValidDummyReferenceConfigFD01();
262  FAIL_IF_NULL(fd);
263  SCRConfLoadReferenceConfigFile(de_ctx, fd);
264 
265  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
266  "(msg:\"One reference\"; reference:one,001-2010; sid:2;)");
267  FAIL_IF_NULL(s);
268  FAIL_IF_NULL(s->references);
269 
270  DetectReference *ref = s->references;
271  FAIL_IF (strcmp(ref->key, "http://www.one.com") != 0);
272  FAIL_IF (strcmp(ref->reference, "001-2010") != 0);
273 
274  DetectEngineCtxFree(de_ctx);
275  PASS;
276 }
277 
278 /**
279  * \test for two valid references.
280  *
281  * \retval 1 on success.
282  * \retval 0 on failure.
283  */
284 static int DetectReferenceParseTest02(void)
285 {
286  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
287  FAIL_IF_NULL(de_ctx);
288  de_ctx->flags |= DE_QUIET;
289 
290  FILE *fd = SCRConfGenerateValidDummyReferenceConfigFD01();
291  FAIL_IF_NULL(fd);
292  SCRConfLoadReferenceConfigFile(de_ctx, fd);
293 
294  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
295  "(msg:\"Two references\"; "
296  "reference:one,openinfosecdoundation.txt; "
297  "reference:two,001-2010; sid:2;)");
298  FAIL_IF_NULL(s);
299  FAIL_IF_NULL(s->references);
300  FAIL_IF_NULL(s->references->next);
301 
302  DetectReference *ref = s->references;
303  FAIL_IF (strcmp(ref->key, "http://www.one.com") != 0);
304  FAIL_IF (strcmp(ref->reference, "openinfosecdoundation.txt") != 0);
305 
306  ref = s->references->next;
307  FAIL_IF (strcmp(ref->key, "http://www.two.com") != 0);
308  FAIL_IF (strcmp(ref->reference, "001-2010") != 0);
309 
310  DetectEngineCtxFree(de_ctx);
311  PASS;
312 }
313 
314 /**
315  * \test parsing: invalid reference.
316  *
317  * \retval 1 on success.
318  * \retval 0 on failure.
319  */
320 static int DetectReferenceParseTest03(void)
321 {
322  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
323  FAIL_IF_NULL(de_ctx);
324  de_ctx->flags |= DE_QUIET;
325 
326  FILE *fd = SCRConfGenerateValidDummyReferenceConfigFD01();
327  FAIL_IF_NULL(fd);
328  SCRConfLoadReferenceConfigFile(de_ctx, fd);
329 
330  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
331  "(msg:\"invalid ref\"; "
332  "reference:unknownkey,001-2010; sid:2;)");
333  FAIL_IF_NULL(s);
334  DetectEngineCtxFree(de_ctx);
335  PASS;
336 }
337 
338 static void ReferenceRegisterTests(void)
339 {
340  UtRegisterTest("DetectReferenceParseTest01", DetectReferenceParseTest01);
341  UtRegisterTest("DetectReferenceParseTest02", DetectReferenceParseTest02);
342  UtRegisterTest("DetectReferenceParseTest03", DetectReferenceParseTest03);
343 }
344 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1422
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1421
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1419
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DetectReferenceFree
void DetectReferenceFree(DetectReference *ref)
Free a Reference object.
Definition: detect-reference.c:76
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:919
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2624
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:3468
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3414
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1404
util-unittest.h
detect-reference.h
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectReference_::key_len
uint16_t key_len
Definition: detect-reference.h:40
DETECT_REFERENCE
@ DETECT_REFERENCE
Definition: detect-engine-register.h:100
util-reference-config.h
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:3594
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
Signature_::references
DetectReference * references
Definition: detect.h:730
detect.h
SigMatchStrictEnabled
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
Definition: detect-parse.c:412
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
DetectReference_
Signature reference list.
Definition: detect-reference.h:30
REFERENCE_SYSTEM_NAME_MAX
#define REFERENCE_SYSTEM_NAME_MAX
Definition: util-reference-config.h:29
SCReturn
#define SCReturn
Definition: util-debug.h:273
DetectReference_::reference_len
uint16_t reference_len
Definition: detect-reference.h:41
SCRConfLoadReferenceConfigFile
int SCRConfLoadReferenceConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Reference info from the reference.config file.
Definition: util-reference-config.c:485
DetectReference_::reference
char * reference
Definition: detect-reference.h:34
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
DetectReferenceRegister
void DetectReferenceRegister(void)
Registration function for the reference: keyword.
Definition: detect-reference.c:61
SCRConfAddReference
int SCRConfAddReference(DetectEngineCtx *de_ctx, const char *line)
Parses a line from the reference config file and adds it to Reference Config hash table DetectEngineC...
Definition: util-reference-config.c:220
DetectReference_::next
struct DetectReference_ * next
Definition: detect-reference.h:43
SCRConfGetReference
SCRConfReference * SCRConfGetReference(const char *rconf_name, DetectEngineCtx *de_ctx)
Gets the reference config from the corresponding hash table stored in the Detection Engine Context's ...
Definition: util-reference-config.c:516
decode-events.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
SCRConfReference_
Holds a reference from the file - reference.config.
Definition: util-reference-config.h:35
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-reference.c:47
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
str
#define str(s)
Definition: suricata-common.h:308
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectReference_::key
char * key
Definition: detect-reference.h:32
detect-parse.h
Signature_
Signature container.
Definition: detect.h:657
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2585
SCRConfReference_::url
char * url
Definition: util-reference-config.h:39
suricata.h
SCRConfGenerateValidDummyReferenceConfigFD01
FILE * SCRConfGenerateValidDummyReferenceConfigFD01(void)
Creates a dummy reference config, with all valid references, for testing purposes.
Definition: util-reference-config.c:538
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:921
REFERENCE_CONTENT_NAME_MAX
#define REFERENCE_CONTENT_NAME_MAX
Definition: util-reference-config.h:30
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1411