suricata
detect-rfb-secresult.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
22  */
23 
24 #include "suricata-common.h"
25 #include "conf.h"
26 #include "detect.h"
27 #include "detect-parse.h"
28 #include "detect-engine.h"
30 #include "detect-rfb-secresult.h"
31 #include "util-unittest.h"
32 
33 #include "rust.h"
34 
35 #define PARSE_REGEX "\\S[A-z]"
36 static DetectParseRegex parse_regex;
37 
38 static int rfb_secresult_id = 0;
39 
40 static int DetectRfbSecresultMatch(DetectEngineThreadCtx *det_ctx,
41  Flow *f, uint8_t flags, void *state,
42  void *txv, const Signature *s,
43  const SigMatchCtx *ctx);
44 static int DetectRfbSecresultSetup (DetectEngineCtx *, Signature *, const char *);
45 #ifdef UNITTESTS
46 static void RfbSecresultRegisterTests(void);
47 #endif
49 
50 static int DetectEngineInspectRfbSecresultGeneric(DetectEngineCtx *de_ctx,
51  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
52  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
53 
54 typedef struct DetectRfbSecresultData_ {
55  uint32_t result; /** result code */
57 
58 /**
59  * \brief Registration function for rfb.secresult: keyword
60  */
62 {
63  sigmatch_table[DETECT_AL_RFB_SECRESULT].name = "rfb.secresult";
64  sigmatch_table[DETECT_AL_RFB_SECRESULT].desc = "match RFB security result";
65  sigmatch_table[DETECT_AL_RFB_SECRESULT].url = "/rules/rfb-keywords.html#rfb-secresult";
66  sigmatch_table[DETECT_AL_RFB_SECRESULT].AppLayerTxMatch = DetectRfbSecresultMatch;
67  sigmatch_table[DETECT_AL_RFB_SECRESULT].Setup = DetectRfbSecresultSetup;
69 #ifdef UNITTESTS
70  sigmatch_table[DETECT_AL_RFB_SECRESULT].RegisterTests = RfbSecresultRegisterTests;
71 #endif
72  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
73 
75  DetectEngineInspectRfbSecresultGeneric, NULL);
76 
77  rfb_secresult_id = DetectBufferTypeGetByName("rfb.secresult");
78 }
79 
80 static int DetectEngineInspectRfbSecresultGeneric(DetectEngineCtx *de_ctx,
81  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
82  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
83 {
85  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
86 }
87 
88 enum {
93 };
94 
95 /**
96  * \struct DetectRfbSecresult_
97  * DetectRfbSecresult_ is used to store values
98  */
99 
101  const char *result;
102  uint16_t code;
103 } results[] = {
104  { "ok", RFB_SECRESULT_OK, },
105  { "fail", RFB_SECRESULT_FAIL, },
106  { "toomany", RFB_SECRESULT_TOOMANY, },
107  { "unknown", RFB_SECRESULT_UNKNOWN, },
108  { NULL, 0 },
109 };
110 
111 /**
112  * \internal
113  * \brief Function to match security result of a RFB TX
114  *
115  * \param det_ctx Pointer to the pattern matcher thread.
116  * \param f Pointer to the current flow.
117  * \param flags Flags.
118  * \param state App layer state.
119  * \param txv Pointer to the RFBTransaction.
120  * \param s Pointer to the Signature.
121  * \param ctx Pointer to the sigmatch that we will cast into DetectRfbSecresultData.
122  *
123  * \retval 0 no match.
124  * \retval 1 match.
125  */
126 static int DetectRfbSecresultMatch(DetectEngineThreadCtx *det_ctx,
127  Flow *f, uint8_t flags, void *state,
128  void *txv, const Signature *s,
129  const SigMatchCtx *ctx)
130 {
131  const DetectRfbSecresultData *de = (const DetectRfbSecresultData *)ctx;
132  uint32_t resultcode;
133  int ret = 0;
134 
135  if (!de)
136  return 0;
137 
138  ret = rs_rfb_tx_get_secresult(txv, &resultcode);
139  if (ret == 0) {
140  return 0;
141  }
142 
143  if (de->result < 3) {
144  /* we are asking for a defined code... */
145  if (resultcode == de->result) {
146  /* ... which needs to match */
147  return 1;
148  }
149  } else {
150  /* we are asking for an unknown code */
151  if (resultcode > 2) {
152  /* match any unknown code */
153  return 1;
154  }
155  }
156 
157  return 0;
158 }
159 
160 /**
161  * \internal
162  * \brief This function is used to parse options passed via rfb.secresults: keyword
163  *
164  * \param rawstr Pointer to the user provided secresult options
165  *
166  * \retval de pointer to DetectRfbSecresultData on success
167  * \retval NULL on failure
168  */
169 static DetectRfbSecresultData *DetectRfbSecresultParse (const char *rawstr)
170 {
171  int i;
172  DetectRfbSecresultData *de = NULL;
173  int ret = 0, found = 0;
174 
175  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
176  if (ret < 1) {
177  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
178  goto error;
179  }
180 
181  for(i = 0; results[i].result != NULL; i++) {
182  if((strcasecmp(results[i].result,rawstr)) == 0) {
183  found = 1;
184  break;
185  }
186  }
187 
188  if(found == 0) {
189  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown secresult value %s", rawstr);
190  goto error;
191  }
192 
194  if (unlikely(de == NULL))
195  goto error;
196 
197  de->result = results[i].code;
198 
199  return de;
200 
201 error:
202  if (de) SCFree(de);
203  return NULL;
204 }
205 
206 /**
207  * \internal
208  * \brief this function is used to add the parsed secresult into the current signature
209  *
210  * \param de_ctx pointer to the Detection Engine Context
211  * \param s pointer to the Current Signature
212  * \param rawstr pointer to the user provided secresult options
213  *
214  * \retval 0 on Success
215  * \retval -1 on Failure
216  */
217 static int DetectRfbSecresultSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
218 {
219  DetectRfbSecresultData *de = NULL;
220  SigMatch *sm = NULL;
221 
223  return -1;
224 
225  de = DetectRfbSecresultParse(rawstr);
226  if (de == NULL)
227  goto error;
228 
229  sm = SigMatchAlloc();
230  if (sm == NULL)
231  goto error;
232 
234  sm->ctx = (SigMatchCtx *)de;
235 
236  SigMatchAppendSMToList(s, sm, rfb_secresult_id);
237 
238  return 0;
239 
240 error:
241  if (de) SCFree(de);
242  if (sm) SCFree(sm);
243  return -1;
244 }
245 
246 /**
247  * \internal
248  * \brief this function will free memory associated with DetectRfbSecresultData
249  *
250  * \param de pointer to DetectRfbSecresultData
251  */
253 {
255  if(de) SCFree(de);
256 }
257 
258 /*
259  * ONLY TESTS BELOW THIS COMMENT
260  */
261 
262 #ifdef UNITTESTS
263 /**
264  * \test RfbSecresultTestParse01 is a test for a valid secresult value
265  */
266 static int RfbSecresultTestParse01 (void)
267 {
268  DetectRfbSecresultData *de = DetectRfbSecresultParse("fail");
269 
270  FAIL_IF_NULL(de);
271 
272  DetectRfbSecresultFree(NULL, de);
273 
274  PASS;
275 }
276 
277 /**
278  * \test RfbSecresultTestParse02 is a test for an invalid secresult value
279  */
280 static int RfbSecresultTestParse02 (void)
281 {
282  DetectRfbSecresultData *de = DetectRfbSecresultParse("invalidopt");
283 
285 
286  PASS;
287 }
288 
289 /**
290  * \brief this function registers unit tests for RfbSecresult
291  */
292 void RfbSecresultRegisterTests(void)
293 {
294  UtRegisterTest("RfbSecresultTestParse01", RfbSecresultTestParse01);
295  UtRegisterTest("RfbSecresultTestParse02", RfbSecresultTestParse02);
296 }
297 #endif /* UNITTESTS */
DETECT_AL_RFB_SECRESULT
@ DETECT_AL_RFB_SECRESULT
Definition: detect-engine-register.h:253
DetectRfbSecresultData_::result
uint32_t result
Definition: detect-rfb-secresult.c:55
DetectEngineAppInspectionEngine_
Definition: detect.h:397
SigTableElmt_::url
const char * url
Definition: detect.h:1204
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1489
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2435
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1191
DetectRfbSecresultRegister
void DetectRfbSecresultRegister(void)
Registration function for rfb.secresult: keyword.
Definition: detect-rfb-secresult.c:61
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-rfb-secresult.c:35
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1575
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1201
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectRfbSecresult_::result
const char * result
Definition: detect-rfb-secresult.c:101
Flow_
Flow data structure.
Definition: flow.h:353
results
struct DetectRfbSecresult_ results[]
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:758
DetectRfbSecresultData_
Definition: detect-rfb-secresult.c:54
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1172
rust.h
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
util-unittest.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:829
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1003
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2558
detect.h
de
int de
Definition: app-layer-htp.c:527
DetectRfbSecresult_::code
uint16_t code
Definition: detect-rfb-secresult.c:102
RFB_SECRESULT_FAIL
@ RFB_SECRESULT_FAIL
Definition: detect-rfb-secresult.c:90
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
RFB_SECRESULT_TOOMANY
@ RFB_SECRESULT_TOOMANY
Definition: detect-rfb-secresult.c:91
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:174
conf.h
DetectRfbSecresultFree
void DetectRfbSecresultFree(DetectEngineCtx *, void *)
Definition: detect-rfb-secresult.c:252
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigMatch_::type
uint8_t type
Definition: detect.h:321
detect-rfb-secresult.h
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:414
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:517
SigMatch_
a single match condition for a signature
Definition: detect.h:320
RFB_SECRESULT_UNKNOWN
@ RFB_SECRESULT_UNKNOWN
Definition: detect-rfb-secresult.c:92
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:54
RFB_SECRESULT_OK
@ RFB_SECRESULT_OK
Definition: detect-rfb-secresult.c:89
DetectRfbSecresultData
struct DetectRfbSecresultData_ DetectRfbSecresultData
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
DetectRfbSecresult_
Definition: detect-rfb-secresult.c:100
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193