suricata
detect-template-buffer.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /*
19  * TODO: Update the \author in this file and detect-template-buffer.h.
20  * TODO: Update description in the \file section below.
21  * TODO: Remove SCLogNotice statements or convert to debug.
22  */
23 
24 /**
25  * \file
26  *
27  * \author FirstName LastName <yourname@domain>
28  *
29  * Set up of the "template_buffer" keyword to allow content
30  * inspections on the decoded template application layer buffers.
31  */
32 
33 #include "suricata-common.h"
34 #include "conf.h"
35 #include "detect.h"
36 #include "detect-parse.h"
37 #include "detect-engine.h"
38 #include "detect-engine-mpm.h"
40 #include "app-layer-template.h"
41 #include "detect-template-buffer.h"
42 
43 static int DetectTemplateBufferSetup(DetectEngineCtx *, Signature *, const char *);
44 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
45  const DetectEngineTransforms *transforms,
46  Flow *_f, const uint8_t flow_flags,
47  void *txv, const int list_id);
48 #ifdef UNITTESTS
49 static void DetectTemplateBufferRegisterTests(void);
50 #endif
51 static int g_template_buffer_id = 0;
52 
54 {
55  /* TEMPLATE_START_REMOVE */
56  if (ConfGetNode("app-layer.protocols.template") == NULL) {
57  return;
58  }
59  /* TEMPLATE_END_REMOVE */
60  sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].name = "template_buffer";
62  "Template content modififier to match on the template buffers";
63  sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].Setup = DetectTemplateBufferSetup;
64 #ifdef UNITTESTS
66  DetectTemplateBufferRegisterTests;
67 #endif
68 
70 
71  /* register inspect engines - these are called per signature */
72  DetectAppLayerInspectEngineRegister2("template_buffer",
75  DetectAppLayerInspectEngineRegister2("template_buffer",
78 
79  /* register mpm engines - these are called in the prefilter stage */
80  DetectAppLayerMpmRegister2("template_buffer", SIG_FLAG_TOSERVER, 0,
82  ALPROTO_TEMPLATE, 0);
83  DetectAppLayerMpmRegister2("template_buffer", SIG_FLAG_TOCLIENT, 0,
85  ALPROTO_TEMPLATE, 0);
86 
87 
88  g_template_buffer_id = DetectBufferTypeGetByName("template_buffer");
89 
90  SCLogNotice("Template application layer detect registered.");
91 }
92 
93 static int DetectTemplateBufferSetup(DetectEngineCtx *de_ctx, Signature *s,
94  const char *str)
95 {
96  /* store list id. Content, pcre, etc will be added to the list at this
97  * id. */
98  s->init_data->list = g_template_buffer_id;
99 
100  /* set the app proto for this signature. This means it will only be
101  * evaluated against flows that are ALPROTO_TEMPLATE */
103  return -1;
104 
105  return 0;
106 }
107 
108 /** \internal
109  * \brief get the data to inspect from the transaction.
110  * This function gets the data, sets up the InspectionBuffer object
111  * and applies transformations (if any).
112  *
113  * \retval buffer or NULL in case of error
114  */
115 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
116  const DetectEngineTransforms *transforms,
117  Flow *_f, const uint8_t flow_flags,
118  void *txv, const int list_id)
119 {
120  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
121  if (buffer->inspect == NULL) {
122  const TemplateTransaction *tx = (TemplateTransaction *)txv;
123  const uint8_t *data = NULL;
124  uint32_t data_len = 0;
125 
126  if (flow_flags & STREAM_TOSERVER) {
127  data = tx->request_buffer;
128  data_len = tx->request_buffer_len;
129  } else if (flow_flags & STREAM_TOCLIENT) {
130  data = tx->response_buffer;
131  data_len = tx->response_buffer_len;
132  } else {
133  return NULL; /* no buffer */
134  }
135 
136  InspectionBufferSetup(buffer, data, data_len);
137  InspectionBufferApplyTransforms(buffer, transforms);
138  }
139 
140  return buffer;
141 }
142 
143 #ifdef UNITTESTS
145 #endif
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1439
SignatureInitData * init_data
Definition: detect.h:586
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1179
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
void DetectTemplateBufferRegister(void)
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
const char * name
Definition: detect.h:1193
Signature container.
Definition: detect.h:517
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
main detection engine ctx
Definition: detect.h:756
int DetectBufferTypeGetByName(const char *name)
#define str(s)
#define SIG_FLAG_TOCLIENT
Definition: detect.h:233
#define SIG_FLAG_TOSERVER
Definition: detect.h:232
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
#define STREAM_TOCLIENT
Definition: stream.h:32
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
const char * desc
Definition: detect.h:1195
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:269
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
#define SIGMATCH_NOOPT
Definition: detect.h:1362
#define STREAM_TOSERVER
Definition: stream.h:31
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:176
const uint8_t * inspect
Definition: detect.h:338
uint16_t flags
Definition: detect.h:1187
Flow data structure.
Definition: flow.h:325
void(* RegisterTests)(void)
Definition: detect.h:1185