suricata
detect-sameip.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  *
23  * Implements the sameip keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-build.h"
34 
35 #include "detect-sameip.h"
36 
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 
40 static int DetectSameipMatch(DetectEngineThreadCtx *, Packet *,
41  const Signature *, const SigMatchCtx *);
42 static int DetectSameipSetup(DetectEngineCtx *, Signature *, const char *);
43 #ifdef UNITTESTS
44 static void DetectSameipRegisterTests(void);
45 #endif
46 
47 /**
48  * \brief Registration function for sameip: keyword
49  * \todo add support for no_stream and stream_only
50  */
52 {
53  sigmatch_table[DETECT_SAMEIP].name = "sameip";
54  sigmatch_table[DETECT_SAMEIP].desc = "check if the IP address of the source is the same as the IP address of the destination";
55  sigmatch_table[DETECT_SAMEIP].url = "/rules/header-keywords.html#sameip";
56  sigmatch_table[DETECT_SAMEIP].Match = DetectSameipMatch;
57  sigmatch_table[DETECT_SAMEIP].Setup = DetectSameipSetup;
58 #ifdef UNITTESTS
59  sigmatch_table[DETECT_SAMEIP].RegisterTests = DetectSameipRegisterTests;
60 #endif
62 }
63 
64 /**
65  * \internal
66  * \brief This function is used to match packets with same src/dst IPs
67  *
68  * \param t pointer to thread vars
69  * \param det_ctx pointer to the pattern matcher thread
70  * \param p pointer to the current packet
71  * \param m pointer to the sigmatch that we will cast into DetectSameipData
72  *
73  * \retval 0 no match
74  * \retval 1 match
75  */
76 static int DetectSameipMatch(DetectEngineThreadCtx *det_ctx,
77  Packet *p, const Signature *s, const SigMatchCtx *ctx)
78 {
79  return CMP_ADDR(&p->src, &p->dst) ? 1 : 0;
80 }
81 
82 /**
83  * \internal
84  * \brief this function is used to add the sameip option into the signature
85  *
86  * \param de_ctx pointer to the Detection Engine Context
87  * \param s pointer to the Current Signature
88  * \param optstr pointer to the user provided options
89  *
90  * \retval 0 on Success
91  * \retval -1 on Failure
92  */
93 static int DetectSameipSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
94 {
95 
96  /* Get this into a SigMatch and put it in the Signature. */
97 
99  goto error;
100  }
102 
103  return 0;
104 
105 error:
106  return -1;
107 }
108 
109 #ifdef UNITTESTS
110 #include "detect-engine-alert.h"
111 
112 /* NOTE: No parameters, so no parse tests */
113 
114 /**
115  * \internal
116  * \brief This test tests sameip success and failure.
117  */
118 static int DetectSameipSigTest01(void)
119 {
120  uint8_t *buf = (uint8_t *)
121  "GET / HTTP/1.0\r\n"
122  "\r\n";
123  uint16_t buflen = strlen((char *)buf);
124  Packet *p1 = NULL;
125  Packet *p2 = NULL;
126  ThreadVars th_v;
127  DetectEngineThreadCtx *det_ctx;
128 
129  memset(&th_v, 0, sizeof(th_v));
130 
131  /* First packet has same IPs */
132  p1 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, "1.2.3.4", "1.2.3.4");
133 
134  /* Second packet does not have same IPs */
135  p2 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, "1.2.3.4", "4.3.2.1");
136 
139 
140  de_ctx->flags |= DE_QUIET;
141 
143  "alert tcp any any -> any any "
144  "(msg:\"Testing sameip\"; sameip; sid:1;)");
146 
148  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
149 
150  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
151  FAIL_IF(PacketAlertCheck(p1, 1) == 0);
152 
153  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
154  FAIL_IF(PacketAlertCheck(p2, 1) != 0);
155 
156  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
158 
159  PASS;
160 }
161 
162 /**
163  * \internal
164  * \brief This function registers unit tests for DetectSameip
165  */
166 static void DetectSameipRegisterTests(void)
167 {
168  UtRegisterTest("DetectSameipSigTest01", DetectSameipSigTest01);
169 }
170 #endif /* UNITTESTS */
SigTableElmt_::url
const char * url
Definition: detect.h:1312
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1311
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:128
SigTableElmt_::name
const char * name
Definition: detect.h:1309
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
UTHBuildPacketSrcDst
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports.
Definition: util-unittest-helper.c:400
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1303
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
DetectSameipRegister
void DetectSameipRegister(void)
Registration function for sameip: keyword.
Definition: detect-sameip.c:51
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2623
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1950
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1294
util-unittest.h
util-unittest-helper.h
detect-sameip.h
decode.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1098
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3365
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2289
Signature_::flags
uint32_t flags
Definition: detect.h:604
Packet_
Definition: decode.h:476
detect-engine-build.h
DETECT_SAMEIP
@ DETECT_SAMEIP
Definition: detect-engine-register.h:105
detect-engine-alert.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1277
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2145
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
CMP_ADDR
#define CMP_ADDR(a1, a2)
Definition: decode.h:218
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3592
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:851
detect-parse.h
Signature_
Signature container.
Definition: detect.h:603
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2584
Packet_::dst
Address dst
Definition: decode.h:481
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1493
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:845
Packet_::src
Address src
Definition: decode.h:480
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1301
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:250