1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  *
23  * Implements the sameip keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "detect.h"
30 
31 #include "detect-parse.h"
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 
35 #include "detect-sameip.h"
36 
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 
40 static int DetectSameipMatch(DetectEngineThreadCtx *, Packet *,
41  const Signature *, const SigMatchCtx *);
42 static int DetectSameipSetup(DetectEngineCtx *, Signature *, const char *);
43 #ifdef UNITTESTS
44 static void DetectSameipRegisterTests(void);
45 #endif
46 
47 /**
48  * \brief Registration function for sameip: keyword
49  * \todo add support for no_stream and stream_only
50  */
52 {
53  sigmatch_table[DETECT_SAMEIP].name = "sameip";
54  sigmatch_table[DETECT_SAMEIP].desc = "check if the IP address of the source is the same as the IP address of the destination";
55  sigmatch_table[DETECT_SAMEIP].url = "/rules/header-keywords.html#sameip";
56  sigmatch_table[DETECT_SAMEIP].Match = DetectSameipMatch;
57  sigmatch_table[DETECT_SAMEIP].Setup = DetectSameipSetup;
58 #ifdef UNITTESTS
59  sigmatch_table[DETECT_SAMEIP].RegisterTests = DetectSameipRegisterTests;
60 #endif
62 }
63 
64 /**
65  * \internal
66  * \brief This function is used to match packets with same src/dst IPs
67  *
68  * \param t pointer to thread vars
69  * \param det_ctx pointer to the pattern matcher thread
70  * \param p pointer to the current packet
71  * \param m pointer to the sigmatch that we will cast into DetectSameipData
72  *
73  * \retval 0 no match
74  * \retval 1 match
75  */
76 static int DetectSameipMatch(DetectEngineThreadCtx *det_ctx,
77  Packet *p, const Signature *s, const SigMatchCtx *ctx)
78 {
79  return CMP_ADDR(&p->src, &p->dst) ? 1 : 0;
80 }
81 
82 /**
83  * \internal
84  * \brief this function is used to add the sameip option into the signature
85  *
86  * \param de_ctx pointer to the Detection Engine Context
87  * \param s pointer to the Current Signature
88  * \param optstr pointer to the user provided options
89  *
90  * \retval 0 on Success
91  * \retval -1 on Failure
92  */
93 static int DetectSameipSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
94 {
95  SigMatch *sm = NULL;
96 
97  /* Get this into a SigMatch and put it in the Signature. */
98  sm = SigMatchAlloc();
99  if (sm == NULL)
100  goto error;
101 
102  sm->type = DETECT_SAMEIP;
103  sm->ctx = NULL;
104 
107 
108  return 0;
109 
110 error:
111  if (sm != NULL)
112  SCFree(sm);
113  return -1;
114 
115 }
116 
117 #ifdef UNITTESTS
118 
119 /* NOTE: No parameters, so no parse tests */
120 
121 /**
122  * \internal
123  * \brief This test tests sameip success and failure.
124  */
125 static int DetectSameipSigTest01(void)
126 {
127  uint8_t *buf = (uint8_t *)
128  "GET / HTTP/1.0\r\n"
129  "\r\n";
130  uint16_t buflen = strlen((char *)buf);
131  Packet *p1 = NULL;
132  Packet *p2 = NULL;
133  ThreadVars th_v;
134  DetectEngineThreadCtx *det_ctx;
135  int result = 0;
136 
137  memset(&th_v, 0, sizeof(th_v));
138 
139  /* First packet has same IPs */
140  p1 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, "1.2.3.4", "1.2.3.4");
141 
142  /* Second packet does not have same IPs */
143  p2 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, "1.2.3.4", "4.3.2.1");
144 
146  if (de_ctx == NULL) {
147  goto end;
148  }
149 
150  de_ctx->flags |= DE_QUIET;
151 
153  "alert tcp any any -> any any "
154  "(msg:\"Testing sameip\"; sameip; sid:1;)");
155  if (de_ctx->sig_list == NULL) {
156  goto end;
157  }
158 
160  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
161 
162  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
163  if (PacketAlertCheck(p1, 1) == 0) {
164  printf("sid 2 did not alert, but should have: ");
165  goto cleanup;
166  }
167 
168  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
169  if (PacketAlertCheck(p2, 1) != 0) {
170  printf("sid 2 alerted, but should not have: ");
171  goto cleanup;
172  }
173 
174  result = 1;
175 
176 cleanup:
179 
180  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
182 
183 end:
184  return result;
185 }
186 
187 /**
188  * \internal
189  * \brief This function registers unit tests for DetectSameip
190  */
191 static void DetectSameipRegisterTests(void)
192 {
193  UtRegisterTest("DetectSameipSigTest01", DetectSameipSigTest01);
194 }
195 #endif /* UNITTESTS */