suricata
detect-snmp-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pierre Chifflier <chifflier@wzdftpd.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "conf.h"
26 #include "detect.h"
27 #include "detect-parse.h"
28 #include "detect-engine.h"
30 #include "detect-snmp-version.h"
31 #include "detect-engine-uint.h"
32 #include "app-layer-parser.h"
33 #include "rust.h"
34 
35 
36 static int DetectSNMPVersionSetup (DetectEngineCtx *, Signature *s, const char *str);
37 static void DetectSNMPVersionFree(DetectEngineCtx *, void *);
38 #ifdef UNITTESTS
39 static void DetectSNMPVersionRegisterTests(void);
40 #endif
41 static int g_snmp_version_buffer_id = 0;
42 
43 static int DetectSNMPVersionMatch (DetectEngineThreadCtx *, Flow *,
44  uint8_t, void *, void *, const Signature *,
45  const SigMatchCtx *);
46 
47 /**
48  * \brief Registration function for snmp.procedure keyword.
49  */
51 {
52  sigmatch_table[DETECT_AL_SNMP_VERSION].name = "snmp.version";
53  sigmatch_table[DETECT_AL_SNMP_VERSION].desc = "match SNMP version";
54  sigmatch_table[DETECT_AL_SNMP_VERSION].url = "/rules/snmp-keywords.html#snmp-version";
56  sigmatch_table[DETECT_AL_SNMP_VERSION].AppLayerTxMatch = DetectSNMPVersionMatch;
57  sigmatch_table[DETECT_AL_SNMP_VERSION].Setup = DetectSNMPVersionSetup;
58  sigmatch_table[DETECT_AL_SNMP_VERSION].Free = DetectSNMPVersionFree;
59 #ifdef UNITTESTS
60  sigmatch_table[DETECT_AL_SNMP_VERSION].RegisterTests = DetectSNMPVersionRegisterTests;
61 #endif
62 
65 
68 
69  g_snmp_version_buffer_id = DetectBufferTypeGetByName("snmp.version");
70 }
71 
72 /**
73  * \internal
74  * \brief Function to match version of a TX
75  *
76  * \param t Pointer to thread vars.
77  * \param det_ctx Pointer to the pattern matcher thread.
78  * \param f Pointer to the current flow.
79  * \param flags Flags.
80  * \param state App layer state.
81  * \param s Pointer to the Signature.
82  * \param m Pointer to the sigmatch that we will cast into
83  * DetectU32Data.
84  *
85  * \retval 0 no match.
86  * \retval 1 match.
87  */
88 static int DetectSNMPVersionMatch (DetectEngineThreadCtx *det_ctx,
89  Flow *f, uint8_t flags, void *state,
90  void *txv, const Signature *s,
91  const SigMatchCtx *ctx)
92 {
93  SCEnter();
94 
95  const DetectU32Data *dd = (const DetectU32Data *)ctx;
96  uint32_t version;
97  rs_snmp_tx_get_version(txv, &version);
98  SCLogDebug("version %u mode %u ref_version %d", version, dd->mode, dd->arg1);
99  if (DetectU32Match(version, dd))
100  SCReturnInt(1);
101  SCReturnInt(0);
102 }
103 
104 /**
105  * \internal
106  * \brief Function to parse options passed via snmp.version keywords.
107  *
108  * \param rawstr Pointer to the user provided options.
109  *
110  * \retval dd pointer to DetectU32Data on success.
111  * \retval NULL on failure.
112  */
113 static DetectU32Data *DetectSNMPVersionParse(const char *rawstr)
114 {
115  return DetectU32Parse(rawstr);
116 }
117 
118 
119 
120 /**
121  * \brief Function to add the parsed snmp version field into the current signature.
122  *
123  * \param de_ctx Pointer to the Detection Engine Context.
124  * \param s Pointer to the Current Signature.
125  * \param rawstr Pointer to the user provided flags options.
126  * \param type Defines if this is notBefore or notAfter.
127  *
128  * \retval 0 on Success.
129  * \retval -1 on Failure.
130  */
131 static int DetectSNMPVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
132  const char *rawstr)
133 {
134  DetectU32Data *dd = NULL;
135  SigMatch *sm = NULL;
136 
138  return -1;
139 
140  dd = DetectSNMPVersionParse(rawstr);
141  if (dd == NULL) {
142  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
143  goto error;
144  }
145 
146  /* okay so far so good, lets get this into a SigMatch
147  * and put it in the Signature. */
148  sm = SigMatchAlloc();
149  if (sm == NULL)
150  goto error;
151 
153  sm->ctx = (void *)dd;
154 
155  SCLogDebug("snmp.version %d", dd->arg1);
156  SigMatchAppendSMToList(s, sm, g_snmp_version_buffer_id);
157  return 0;
158 
159 error:
160  DetectSNMPVersionFree(de_ctx, dd);
161  return -1;
162 }
163 
164 /**
165  * \internal
166  * \brief Function to free memory associated with DetectU32Data.
167  *
168  * \param de_ptr Pointer to DetectU32Data.
169  */
170 static void DetectSNMPVersionFree(DetectEngineCtx *de_ctx, void *ptr)
171 {
172  rs_detect_u32_free(ptr);
173 }
174 
175 
176 #ifdef UNITTESTS
178 #endif /* UNITTESTS */
detect-engine-uint.h
SigTableElmt_::url
const char * url
Definition: detect.h:1248
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
DETECT_AL_SNMP_VERSION
@ DETECT_AL_SNMP_VERSION
Definition: detect-engine-register.h:281
detect-engine.h
DetectU32Match
int DetectU32Match(const uint32_t parg, const DetectUintData_u32 *du32)
Definition: detect-engine-uint.c:31
SigTableElmt_::desc
const char * desc
Definition: detect.h:1247
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1235
SigTableElmt_::name
const char * name
Definition: detect.h:1245
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
DetectU32Parse
DetectUintData_u32 * DetectU32Parse(const char *u32str)
This function is used to parse u32 options passed via some u32 keyword.
Definition: detect-engine-uint.c:45
Flow_
Flow data structure.
Definition: flow.h:353
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1216
rust.h
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:231
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1230
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1086
ALPROTO_SNMP
@ ALPROTO_SNMP
Definition: app-layer-protos.h:53
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:230
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1034
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect.h
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:317
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:227
conf.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1213
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:309
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:315
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectU32Data
DetectUintData_u32 DetectU32Data
Definition: detect-engine-uint.h:41
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
version
uint8_t version
Definition: decode-gre.h:1
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1951
detect-snmp-version.h
str
#define str(s)
Definition: suricata-common.h:272
detect-parse.h
DetectSNMPVersionRegister
void DetectSNMPVersionRegister(void)
Registration function for snmp.procedure keyword.
Definition: detect-snmp-version.c:50
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:314
detect-snmp-version.c
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1237