suricata
detect-tcp-window.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements the window keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-tcp-window.h"
33 #include "flow.h"
34 #include "flow-var.h"
35 
36 #include "util-debug.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-byte.h"
40 
41 /**
42  * \brief Regex for parsing our window option
43  */
44 #define PARSE_REGEX "^\\s*([!])?\\s*([0-9]{1,9}+)\\s*$"
45 
46 static DetectParseRegex parse_regex;
47 
48 static int DetectWindowMatch(DetectEngineThreadCtx *, Packet *,
49  const Signature *, const SigMatchCtx *);
50 static int DetectWindowSetup(DetectEngineCtx *, Signature *, const char *);
51 #ifdef UNITTESTS
52 static void DetectWindowRegisterTests(void);
53 #endif
54 void DetectWindowFree(DetectEngineCtx *, void *);
55 
56 /**
57  * \brief Registration function for window: keyword
58  */
60 {
61  sigmatch_table[DETECT_WINDOW].name = "tcp.window";
63  sigmatch_table[DETECT_WINDOW].desc = "check for a specific TCP window size";
64  sigmatch_table[DETECT_WINDOW].url = "/rules/header-keywords.html#window";
65  sigmatch_table[DETECT_WINDOW].Match = DetectWindowMatch;
66  sigmatch_table[DETECT_WINDOW].Setup = DetectWindowSetup;
68 #ifdef UNITTESTS
69  sigmatch_table[DETECT_WINDOW].RegisterTests = DetectWindowRegisterTests;
70 #endif
71  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
72 }
73 
74 /**
75  * \brief This function is used to match the window size on a packet
76  *
77  * \param t pointer to thread vars
78  * \param det_ctx pointer to the pattern matcher thread
79  * \param p pointer to the current packet
80  * \param m pointer to the sigmatch that we will cast into DetectWindowData
81  *
82  * \retval 0 no match
83  * \retval 1 match
84  */
85 static int DetectWindowMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
86  const Signature *s, const SigMatchCtx *ctx)
87 {
88  const DetectWindowData *wd = (const DetectWindowData *)ctx;
89 
91  if (!(PacketIsTCP(p)) || wd == NULL) {
92  return 0;
93  }
94 
95  const uint16_t window = TCP_GET_RAW_WINDOW(PacketGetTCP(p));
96  if ((!wd->negated && wd->size == window) || (wd->negated && wd->size != window)) {
97  return 1;
98  }
99 
100  return 0;
101 }
102 
103 /**
104  * \brief This function is used to parse window options passed via window: keyword
105  *
106  * \param de_ctx Pointer to the detection engine context
107  * \param windowstr Pointer to the user provided window options (negation! and size)
108  *
109  * \retval wd pointer to DetectWindowData on success
110  * \retval NULL on failure
111  */
112 static DetectWindowData *DetectWindowParse(DetectEngineCtx *de_ctx, const char *windowstr)
113 {
114  DetectWindowData *wd = NULL;
115  int res = 0;
116  size_t pcre2len;
117 
118  pcre2_match_data *match = NULL;
119  int ret = DetectParsePcreExec(&parse_regex, &match, windowstr, 0, 0);
120  if (ret < 1 || ret > 3) {
121  SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, windowstr);
122  goto error;
123  }
124 
125  wd = SCMalloc(sizeof(DetectWindowData));
126  if (unlikely(wd == NULL))
127  goto error;
128 
129  if (ret > 1) {
130  char copy_str[128] = "";
131  pcre2len = sizeof(copy_str);
132  res = SC_Pcre2SubstringCopy(match, 1, (PCRE2_UCHAR8 *)copy_str, &pcre2len);
133  if (res < 0) {
134  SCLogError("pcre2_substring_copy_bynumber failed");
135  goto error;
136  }
137 
138  /* Detect if it's negated */
139  if (copy_str[0] == '!')
140  wd->negated = 1;
141  else
142  wd->negated = 0;
143 
144  if (ret > 2) {
145  pcre2len = sizeof(copy_str);
146  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)copy_str, &pcre2len);
147  if (res < 0) {
148  SCLogError("pcre2_substring_copy_bynumber failed");
149  goto error;
150  }
151 
152  /* Get the window size if it's a valid value (in packets, we
153  * should alert if this doesn't happen from decode) */
154  if (StringParseUint16(&wd->size, 10, 0, copy_str) < 0) {
155  goto error;
156  }
157  }
158  }
159 
160  pcre2_match_data_free(match);
161  return wd;
162 
163 error:
164  if (match) {
165  pcre2_match_data_free(match);
166  }
167  if (wd != NULL)
169  return NULL;
170 
171 }
172 
173 /**
174  * \brief this function is used to add the parsed window sizedata into the current signature
175  *
176  * \param de_ctx pointer to the Detection Engine Context
177  * \param s pointer to the Current Signature
178  * \param windowstr pointer to the user provided window options
179  *
180  * \retval 0 on Success
181  * \retval -1 on Failure
182  */
183 static int DetectWindowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *windowstr)
184 {
185  DetectWindowData *wd = NULL;
186 
187  wd = DetectWindowParse(de_ctx, windowstr);
188  if (wd == NULL) goto error;
189 
190  /* Okay so far so good, lets get this into a SigMatch
191  * and put it in the Signature. */
192 
194  NULL) {
195  goto error;
196  }
198 
199  return 0;
200 
201 error:
202  if (wd != NULL)
204  return -1;
205 
206 }
207 
208 /**
209  * \brief this function will free memory associated with DetectWindowData
210  *
211  * \param wd pointer to DetectWindowData
212  */
214 {
215  DetectWindowData *wd = (DetectWindowData *)ptr;
216  SCFree(wd);
217 }
218 
219 #ifdef UNITTESTS /* UNITTESTS */
220 
221 /**
222  * \test DetectWindowTestParse01 is a test to make sure that we set the size correctly
223  * when given valid window opt
224  */
225 static int DetectWindowTestParse01 (void)
226 {
227  DetectWindowData *wd = NULL;
228  wd = DetectWindowParse(NULL, "35402");
229  FAIL_IF_NULL(wd);
230  FAIL_IF_NOT(wd->size == 35402);
231 
232  DetectWindowFree(NULL, wd);
233  PASS;
234 }
235 
236 /**
237  * \test DetectWindowTestParse02 is a test for setting the window opt negated
238  */
239 static int DetectWindowTestParse02 (void)
240 {
241  DetectWindowData *wd = NULL;
242  wd = DetectWindowParse(NULL, "!35402");
243  FAIL_IF_NULL(wd);
244  FAIL_IF_NOT(wd->negated == 1);
245  FAIL_IF_NOT(wd->size == 35402);
246 
247  DetectWindowFree(NULL, wd);
248  PASS;
249 }
250 
251 /**
252  * \test DetectWindowTestParse03 is a test to check for an empty value
253  */
254 static int DetectWindowTestParse03 (void)
255 {
256  DetectWindowData *wd = NULL;
257  wd = DetectWindowParse(NULL, "");
258  FAIL_IF_NOT_NULL(wd);
259 
260  DetectWindowFree(NULL, wd);
261  PASS;
262 }
263 
264 /**
265  * \test DetectWindowTestParse03 is a test to check for a big value
266  */
267 static int DetectWindowTestParse04 (void)
268 {
269  DetectWindowData *wd = NULL;
270  wd = DetectWindowParse(NULL, "1235402");
271  FAIL_IF_NOT_NULL(wd);
272 
273  DetectWindowFree(NULL, wd);
274  PASS;
275 }
276 
277 /**
278  * \test DetectWindowTestPacket01 is a test to check window with constructed packets
279  */
280 static int DetectWindowTestPacket01 (void)
281 {
282  uint8_t *buf = (uint8_t *)"Hi all!";
283  uint16_t buflen = strlen((char *)buf);
284  Packet *p[3];
285  p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
286  p[1] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
287  p[2] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_ICMP);
288 
289  FAIL_IF(p[0] == NULL || p[1] == NULL || p[2] == NULL);
290 
291  /* TCP wwindow = 40 */
292  p[0]->l4.hdrs.tcph->th_win = htons(40);
293 
294  /* TCP window = 41 */
295  p[1]->l4.hdrs.tcph->th_win = htons(41);
296 
297  const char *sigs[2];
298  sigs[0]= "alert tcp any any -> any any (msg:\"Testing window 1\"; window:40; sid:1;)";
299  sigs[1]= "alert tcp any any -> any any (msg:\"Testing window 2\"; window:41; sid:2;)";
300 
301  uint32_t sid[2] = {1, 2};
302 
303  uint32_t results[3][2] = {
304  /* packet 0 match sid 1 but should not match sid 2 */
305  {1, 0},
306  /* packet 1 should not match */
307  {0, 1},
308  /* packet 2 should not match */
309  {0, 0} };
310  FAIL_IF(UTHGenericTest(p, 3, sigs, sid, (uint32_t *)results, 2) == 0);
311 
312  UTHFreePackets(p, 3);
313  PASS;
314 }
315 
316 /**
317  * \brief this function registers unit tests for DetectWindow
318  */
319 void DetectWindowRegisterTests(void)
320 {
321  UtRegisterTest("DetectWindowTestParse01", DetectWindowTestParse01);
322  UtRegisterTest("DetectWindowTestParse02", DetectWindowTestParse02);
323  UtRegisterTest("DetectWindowTestParse03", DetectWindowTestParse03);
324  UtRegisterTest("DetectWindowTestParse04", DetectWindowTestParse04);
325  UtRegisterTest("DetectWindowTestPacket01", DetectWindowTestPacket01);
326 }
327 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1312
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1311
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:128
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1299
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1309
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1321
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
TCPHdr_::th_win
uint16_t th_win
Definition: decode-tcp.h:156
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
DetectWindowFree
void DetectWindowFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectWindowData
Definition: detect-tcp-window.c:213
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2645
DetectWindowData_
Definition: detect-tcp-window.h:21
TCP_GET_RAW_WINDOW
#define TCP_GET_RAW_WINDOW(tcph)
Definition: decode-tcp.h:83
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1294
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectWindowRegister
void DetectWindowRegister(void)
Registration function for window: keyword.
Definition: detect-tcp-window.c:59
DetectEngineThreadCtx_
Definition: detect.h:1098
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2771
DetectWindowData_::negated
uint8_t negated
Definition: detect-tcp-window.h:22
detect.h
detect-tcp-window.h
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
Signature_::flags
uint32_t flags
Definition: detect.h:604
Packet_
Definition: decode.h:476
Packet_::l4
struct PacketL4 l4
Definition: decode.h:570
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1277
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our window option.
Definition: detect-tcp-window.c:44
DetectWindowData_::size
uint16_t size
Definition: detect-tcp-window.h:23
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
SigTableElmt_::alias
const char * alias
Definition: detect.h:1310
suricata-common.h
UTHGenericTest
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that perform a generic check taking care of as maximum common unittest eleme...
Definition: util-unittest-helper.c:565
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
PacketL4::L4Hdrs::tcph
TCPHdr * tcph
Definition: decode.h:444
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:603
PacketL4::hdrs
union PacketL4::L4Hdrs hdrs
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2747
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
DETECT_WINDOW
@ DETECT_WINDOW
Definition: detect-engine-register.h:40
flow.h
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1301
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:250
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:450