suricata
detect-sameip.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  *
23  * Implements the sameip keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "detect.h"
30 
31 #include "detect-parse.h"
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 
35 #include "detect-sameip.h"
36 
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 
40 static int DetectSameipMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *,
41  const Signature *, const SigMatchCtx *);
42 static int DetectSameipSetup(DetectEngineCtx *, Signature *, const char *);
43 static void DetectSameipRegisterTests(void);
44 
45 /**
46  * \brief Registration function for sameip: keyword
47  * \todo add support for no_stream and stream_only
48  */
50 {
51  sigmatch_table[DETECT_SAMEIP].name = "sameip";
52  sigmatch_table[DETECT_SAMEIP].desc = "check if the IP address of the source is the same as the IP address of the destination";
53  sigmatch_table[DETECT_SAMEIP].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#sameip";
54  sigmatch_table[DETECT_SAMEIP].Match = DetectSameipMatch;
55  sigmatch_table[DETECT_SAMEIP].Setup = DetectSameipSetup;
57  sigmatch_table[DETECT_SAMEIP].RegisterTests = DetectSameipRegisterTests;
59 }
60 
61 /**
62  * \internal
63  * \brief This function is used to match packets with same src/dst IPs
64  *
65  * \param t pointer to thread vars
66  * \param det_ctx pointer to the pattern matcher thread
67  * \param p pointer to the current packet
68  * \param m pointer to the sigmatch that we will cast into DetectSameipData
69  *
70  * \retval 0 no match
71  * \retval 1 match
72  */
73 static int DetectSameipMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
74  Packet *p, const Signature *s, const SigMatchCtx *ctx)
75 {
76  return CMP_ADDR(&p->src, &p->dst) ? 1 : 0;
77 }
78 
79 /**
80  * \internal
81  * \brief this function is used to add the sameip option into the signature
82  *
83  * \param de_ctx pointer to the Detection Engine Context
84  * \param s pointer to the Current Signature
85  * \param optstr pointer to the user provided options
86  *
87  * \retval 0 on Success
88  * \retval -1 on Failure
89  */
90 static int DetectSameipSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
91 {
92  SigMatch *sm = NULL;
93 
94  /* Get this into a SigMatch and put it in the Signature. */
95  sm = SigMatchAlloc();
96  if (sm == NULL)
97  goto error;
98 
99  sm->type = DETECT_SAMEIP;
100  sm->ctx = NULL;
101 
104 
105  return 0;
106 
107 error:
108  if (sm != NULL)
109  SCFree(sm);
110  return -1;
111 
112 }
113 
114 #ifdef UNITTESTS
115 
116 /* NOTE: No parameters, so no parse tests */
117 
118 /**
119  * \internal
120  * \brief This test tests sameip success and failure.
121  */
122 static int DetectSameipSigTest01(void)
123 {
124  uint8_t *buf = (uint8_t *)
125  "GET / HTTP/1.0\r\n"
126  "\r\n";
127  uint16_t buflen = strlen((char *)buf);
128  Packet *p1 = NULL;
129  Packet *p2 = NULL;
130  ThreadVars th_v;
131  DetectEngineThreadCtx *det_ctx;
132  int result = 0;
133 
134  memset(&th_v, 0, sizeof(th_v));
135 
136  /* First packet has same IPs */
137  p1 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, "1.2.3.4", "1.2.3.4");
138 
139  /* Second packet does not have same IPs */
140  p2 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, "1.2.3.4", "4.3.2.1");
141 
143  if (de_ctx == NULL) {
144  goto end;
145  }
146 
147  de_ctx->flags |= DE_QUIET;
148 
149  de_ctx->sig_list = SigInit(de_ctx,
150  "alert tcp any any -> any any "
151  "(msg:\"Testing sameip\"; sameip; sid:1;)");
152  if (de_ctx->sig_list == NULL) {
153  goto end;
154  }
155 
156  SigGroupBuild(de_ctx);
157  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
158 
159  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
160  if (PacketAlertCheck(p1, 1) == 0) {
161  printf("sid 2 did not alert, but should have: ");
162  goto cleanup;
163  }
164 
165  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
166  if (PacketAlertCheck(p2, 1) != 0) {
167  printf("sid 2 alerted, but should not have: ");
168  goto cleanup;
169  }
170 
171  result = 1;
172 
173 cleanup:
174  SigGroupCleanup(de_ctx);
175  SigCleanSignatures(de_ctx);
176 
177  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
178  DetectEngineCtxFree(de_ctx);
179 
180 end:
181  return result;
182 }
183 
184 #endif /* UNITTESTS */
185 
186 /**
187  * \internal
188  * \brief This function registers unit tests for DetectSameip
189  */
190 static void DetectSameipRegisterTests(void)
191 {
192 #ifdef UNITTESTS
193  UtRegisterTest("DetectSameipSigTest01", DetectSameipSigTest01);
194 #endif /* UNITTESTS */
195 }
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint32_t flags
Definition: detect.h:493
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Signature * sig_list
Definition: detect.h:726
Address dst
Definition: decode.h:412
void SigCleanSignatures(DetectEngineCtx *de_ctx)
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:230
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1160
Signature container.
Definition: detect.h:492
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:319
main detection engine ctx
Definition: detect.h:720
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
#define DE_QUIET
Definition: detect.h:298
uint8_t flags
Definition: detect.h:721
void(* Free)(void *)
Definition: detect.h:1151
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1752
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint8_t type
Definition: detect.h:325
const char * desc
Definition: detect.h:1162
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:282
SigMatchCtx * ctx
Definition: detect.h:327
#define CMP_ADDR(a1, a2)
Definition: decode.h:238
#define SCFree(a)
Definition: util-mem.h:236
#define SIGMATCH_NOOPT
Definition: detect.h:1328
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1129
const char * url
Definition: detect.h:1163
#define DOC_URL
Definition: suricata.h:86
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:226
Per thread variable structure.
Definition: threadvars.h:57
#define DOC_VERSION
Definition: suricata.h:91
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports...
uint16_t flags
Definition: detect.h:1154
void DetectSameipRegister(void)
Registration function for sameip: keyword.
Definition: detect-sameip.c:49
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void(* RegisterTests)(void)
Definition: detect.h:1152
a single match condition for a signature
Definition: detect.h:324
Address src
Definition: decode.h:411
DetectEngineCtx * DetectEngineCtxInit(void)