suricata
detect-tcp-window.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements the window keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 
33 #include "detect-tcp-window.h"
34 #include "flow.h"
35 #include "flow-var.h"
36 
37 #include "util-debug.h"
38 #include "util-unittest.h"
39 #include "util-unittest-helper.h"
40 #include "util-byte.h"
41 
42 /**
43  * \brief Regex for parsing our window option
44  */
45 #define PARSE_REGEX "^\\s*([!])?\\s*([0-9]{1,9}+)\\s*$"
46 
47 static DetectParseRegex parse_regex;
48 
49 static int DetectWindowMatch(DetectEngineThreadCtx *, Packet *,
50  const Signature *, const SigMatchCtx *);
51 static int DetectWindowSetup(DetectEngineCtx *, Signature *, const char *);
52 void DetectWindowRegisterTests(void);
53 void DetectWindowFree(void *);
54 
55 /**
56  * \brief Registration function for window: keyword
57  */
59 {
60  sigmatch_table[DETECT_WINDOW].name = "tcp.window";
62  sigmatch_table[DETECT_WINDOW].desc = "check for a specific TCP window size";
63  sigmatch_table[DETECT_WINDOW].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#window";
64  sigmatch_table[DETECT_WINDOW].Match = DetectWindowMatch;
65  sigmatch_table[DETECT_WINDOW].Setup = DetectWindowSetup;
68 
69  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
70 }
71 
72 /**
73  * \brief This function is used to match the window size on a packet
74  *
75  * \param t pointer to thread vars
76  * \param det_ctx pointer to the pattern matcher thread
77  * \param p pointer to the current packet
78  * \param m pointer to the sigmatch that we will cast into DetectWindowData
79  *
80  * \retval 0 no match
81  * \retval 1 match
82  */
83 static int DetectWindowMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
84  const Signature *s, const SigMatchCtx *ctx)
85 {
86  const DetectWindowData *wd = (const DetectWindowData *)ctx;
87 
88  if ( !(PKT_IS_TCP(p)) || wd == NULL || PKT_IS_PSEUDOPKT(p)) {
89  return 0;
90  }
91 
92  if ( (!wd->negated && wd->size == TCP_GET_WINDOW(p)) || (wd->negated && wd->size != TCP_GET_WINDOW(p))) {
93  return 1;
94  }
95 
96  return 0;
97 }
98 
99 /**
100  * \brief This function is used to parse window options passed via window: keyword
101  *
102  * \param windowstr Pointer to the user provided window options (negation! and size)
103  *
104  * \retval wd pointer to DetectWindowData on success
105  * \retval NULL on failure
106  */
107 static DetectWindowData *DetectWindowParse(const char *windowstr)
108 {
109  DetectWindowData *wd = NULL;
110  int ret = 0, res = 0;
111  int ov[MAX_SUBSTRINGS];
112 
113  ret = DetectParsePcreExec(&parse_regex, windowstr, 0, 0, ov, MAX_SUBSTRINGS);
114  if (ret < 1 || ret > 3) {
115  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, windowstr);
116  goto error;
117  }
118 
119  wd = SCMalloc(sizeof(DetectWindowData));
120  if (unlikely(wd == NULL))
121  goto error;
122 
123  if (ret > 1) {
124  char copy_str[128] = "";
125  res = pcre_copy_substring((char *)windowstr, ov, MAX_SUBSTRINGS, 1,
126  copy_str, sizeof(copy_str));
127  if (res < 0) {
128  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
129  goto error;
130  }
131 
132  /* Detect if it's negated */
133  if (copy_str[0] == '!')
134  wd->negated = 1;
135  else
136  wd->negated = 0;
137 
138  if (ret > 2) {
139  res = pcre_copy_substring((char *)windowstr, ov, MAX_SUBSTRINGS, 2,
140  copy_str, sizeof(copy_str));
141  if (res < 0) {
142  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
143  goto error;
144  }
145 
146  /* Get the window size if it's a valid value (in packets, we
147  * should alert if this doesn't happend from decode) */
148  if (StringParseUint16(&wd->size, 10, 0, copy_str) < 0) {
149  goto error;
150  }
151  }
152  }
153 
154  return wd;
155 
156 error:
157  if (wd != NULL)
158  DetectWindowFree(wd);
159  return NULL;
160 
161 }
162 
163 /**
164  * \brief this function is used to add the parsed window sizedata into the current signature
165  *
166  * \param de_ctx pointer to the Detection Engine Context
167  * \param s pointer to the Current Signature
168  * \param windowstr pointer to the user provided window options
169  *
170  * \retval 0 on Success
171  * \retval -1 on Failure
172  */
173 static int DetectWindowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *windowstr)
174 {
175  DetectWindowData *wd = NULL;
176  SigMatch *sm = NULL;
177 
178  wd = DetectWindowParse(windowstr);
179  if (wd == NULL) goto error;
180 
181  /* Okay so far so good, lets get this into a SigMatch
182  * and put it in the Signature. */
183  sm = SigMatchAlloc();
184  if (sm == NULL)
185  goto error;
186 
187  sm->type = DETECT_WINDOW;
188  sm->ctx = (SigMatchCtx *)wd;
189 
192 
193  return 0;
194 
195 error:
196  if (wd != NULL) DetectWindowFree(wd);
197  if (sm != NULL) SCFree(sm);
198  return -1;
199 
200 }
201 
202 /**
203  * \brief this function will free memory associated with DetectWindowData
204  *
205  * \param wd pointer to DetectWindowData
206  */
207 void DetectWindowFree(void *ptr)
208 {
209  DetectWindowData *wd = (DetectWindowData *)ptr;
210  SCFree(wd);
211 }
212 
213 #ifdef UNITTESTS /* UNITTESTS */
214 
215 /**
216  * \test DetectWindowTestParse01 is a test to make sure that we set the size correctly
217  * when given valid window opt
218  */
219 static int DetectWindowTestParse01 (void)
220 {
221  int result = 0;
222  DetectWindowData *wd = NULL;
223  wd = DetectWindowParse("35402");
224  if (wd != NULL &&wd->size==35402) {
225  DetectWindowFree(wd);
226  result = 1;
227  }
228 
229  return result;
230 }
231 
232 /**
233  * \test DetectWindowTestParse02 is a test for setting the window opt negated
234  */
235 static int DetectWindowTestParse02 (void)
236 {
237  int result = 0;
238  DetectWindowData *wd = NULL;
239  wd = DetectWindowParse("!35402");
240  if (wd != NULL) {
241  if (wd->negated == 1 && wd->size==35402) {
242  result = 1;
243  } else {
244  printf("expected wd->negated=1 and wd->size=35402\n");
245  }
246  DetectWindowFree(wd);
247  }
248 
249  return result;
250 }
251 
252 /**
253  * \test DetectWindowTestParse03 is a test to check for an empty value
254  */
255 static int DetectWindowTestParse03 (void)
256 {
257  int result = 0;
258  DetectWindowData *wd = NULL;
259  wd = DetectWindowParse("");
260  if (wd == NULL) {
261  result = 1;
262  } else {
263  printf("expected a NULL pointer (It was an empty string)\n");
264  }
265  DetectWindowFree(wd);
266 
267  return result;
268 }
269 
270 /**
271  * \test DetectWindowTestParse03 is a test to check for a big value
272  */
273 static int DetectWindowTestParse04 (void)
274 {
275  int result = 0;
276  DetectWindowData *wd = NULL;
277  wd = DetectWindowParse("1235402");
278  if (wd != NULL) {
279  printf("expected a NULL pointer (It was exceeding the MAX window size)\n");
280  DetectWindowFree(wd);
281  }else
282  result=1;
283 
284  return result;
285 }
286 
287 /**
288  * \test DetectWindowTestPacket01 is a test to check window with constructed packets
289  */
290 static int DetectWindowTestPacket01 (void)
291 {
292  int result = 0;
293  uint8_t *buf = (uint8_t *)"Hi all!";
294  uint16_t buflen = strlen((char *)buf);
295  Packet *p[3];
296  p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
297  p[1] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
298  p[2] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_ICMP);
299 
300  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
301  goto end;
302 
303  /* TCP wwindow = 40 */
304  p[0]->tcph->th_win = htons(40);
305 
306  /* TCP window = 41 */
307  p[1]->tcph->th_win = htons(41);
308 
309  const char *sigs[2];
310  sigs[0]= "alert tcp any any -> any any (msg:\"Testing window 1\"; window:40; sid:1;)";
311  sigs[1]= "alert tcp any any -> any any (msg:\"Testing window 2\"; window:41; sid:2;)";
312 
313  uint32_t sid[2] = {1, 2};
314 
315  uint32_t results[3][2] = {
316  /* packet 0 match sid 1 but should not match sid 2 */
317  {1, 0},
318  /* packet 1 should not match */
319  {0, 1},
320  /* packet 2 should not match */
321  {0, 0} };
322  result = UTHGenericTest(p, 3, sigs, sid, (uint32_t *) results, 2);
323 
324  UTHFreePackets(p, 3);
325 end:
326  return result;
327 }
328 
329 #endif /* UNITTESTS */
330 
331 /**
332  * \brief this function registers unit tests for DetectWindow
333  */
335 {
336  #ifdef UNITTESTS /* UNITTESTS */
337  UtRegisterTest("DetectWindowTestParse01", DetectWindowTestParse01);
338  UtRegisterTest("DetectWindowTestParse02", DetectWindowTestParse02);
339  UtRegisterTest("DetectWindowTestParse03", DetectWindowTestParse03);
340  UtRegisterTest("DetectWindowTestParse04", DetectWindowTestParse04);
341  UtRegisterTest("DetectWindowTestPacket01", DetectWindowTestPacket01);
342  #endif /* UNITTESTS */
343 }
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1204
StringParseUint16
int StringParseUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:324
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
SigTableElmt_::name
const char * name
Definition: detect.h:1201
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1115
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
SCFree
#define SCFree(a)
Definition: util-mem.h:322
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectWindowRegisterTests
void DetectWindowRegisterTests(void)
this function registers unit tests for DetectWindow
Definition: detect-tcp-window.c:334
results
struct DetectRfbSecresult_ results[]
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1192
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
DetectWindowData_
Definition: detect-tcp-window.h:24
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1187
util-unittest.h
util-unittest-helper.h
TCP_GET_WINDOW
#define TCP_GET_WINDOW(p)
Definition: decode-tcp.h:114
PKT_IS_TCP
#define PKT_IS_TCP(p)
Definition: decode.h:254
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:16
DetectWindowRegister
void DetectWindowRegister(void)
Registration function for window: keyword.
Definition: detect-tcp-window.c:58
DetectEngineThreadCtx_
Definition: detect.h:1004
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2440
DetectWindowData_::negated
uint8_t negated
Definition: detect-tcp-window.h:25
detect.h
detect-tcp-window.h
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
Signature_::flags
uint32_t flags
Definition: detect.h:523
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2372
Packet_
Definition: decode.h:408
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1171
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our window option.
Definition: detect-tcp-window.c:45
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DetectWindowData_::size
uint16_t size
Definition: detect-tcp-window.h:26
DetectWindowFree
void DetectWindowFree(void *)
this function will free memory associated with DetectWindowData
Definition: detect-tcp-window.c:207
SigMatch_::type
uint8_t type
Definition: detect.h:319
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
SigTableElmt_::alias
const char * alias
Definition: detect.h:1202
suricata-common.h
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:523
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DOC_URL
#define DOC_URL
Definition: suricata.h:86
UTHGenericTest
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that perfom a generic check taking care of as maximum common unittest elemen...
Definition: util-unittest-helper.c:575
detect-parse.h
Signature_
Signature container.
Definition: detect.h:522
SigMatch_
a single match condition for a signature
Definition: detect.h:318
DETECT_WINDOW
@ DETECT_WINDOW
Definition: detect-engine-register.h:38
flow.h
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:393