suricata
detect-template-rust-buffer.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /*
19  * TODO: Update the \author in this file and detect-template.h.
20  * TODO: Update description in the \file section below.
21  * TODO: Remove SCLogNotice statements or convert to debug.
22  */
23 
24 /**
25  * \file
26  *
27  * \author FirstName LastName <yourname@domain>
28  *
29  * Set up of the "template_rust" keyword to allow content
30  * inspections on the decoded template application layer buffers.
31  */
32 
33 #include "suricata-common.h"
34 #include "conf.h"
35 #include "detect.h"
36 #include "detect-parse.h"
37 #include "detect-engine.h"
38 #include "detect-engine-content-inspection.h"
39 #include "detect-template-rust-buffer.h"
40 #include "app-layer-parser.h"
41 #include "detect-engine-build.h"
42 #include "rust.h"
43 
44 #ifdef UNITTESTS
45 static void DetectTemplateRustBufferRegisterTests(void);
46 #endif
47 static int g_template_rust_id = 0;
48 
49 static int DetectTemplateRustBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
50 {
51  s->init_data->list = g_template_rust_id;
52 
53  if (DetectSignatureSetAppProto(s, ALPROTO_TEMPLATE) != 0)
54  return -1;
55 
56  return 0;
57 }
58 
59 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
60  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flags, void *txv,
61  const int list_id)
62 {
63  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
64  if (!buffer->initialized) {
65  uint32_t data_len = 0;
66  const uint8_t *data = NULL;
67  if (flags & STREAM_TOSERVER) {
68  rs_template_get_request_buffer(txv, &data, &data_len);
69  } else {
70  rs_template_get_response_buffer(txv, &data, &data_len);
71  }
72  InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
73  InspectionBufferApplyTransforms(buffer, transforms);
74  }
75  return buffer;
76 }
77 
78 void DetectTemplateRustBufferRegister(void)
79 {
80  /* TEMPLATE_START_REMOVE */
81  if (ConfGetNode("app-layer.protocols.template-rust") == NULL) {
82  return;
83  }
84  /* TEMPLATE_END_REMOVE */
85  sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].name = "template_rust_buffer";
86  sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].desc =
87  "Template content modifier to match on the template buffers";
88  sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].Setup = DetectTemplateRustBufferSetup;
89 #ifdef UNITTESTS
90  sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].RegisterTests = DetectTemplateRustBufferRegisterTests;
91 #endif
92  sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].flags |= SIGMATCH_NOOPT;
93 
94  /* register inspect engines */
95  DetectAppLayerInspectEngineRegister("template_buffer", ALPROTO_TEMPLATE, SIG_FLAG_TOSERVER, 0,
96  DetectEngineInspectBufferGeneric, GetData);
97  DetectAppLayerInspectEngineRegister("template_buffer", ALPROTO_TEMPLATE, SIG_FLAG_TOCLIENT, 0,
98  DetectEngineInspectBufferGeneric, GetData);
99 
100  g_template_rust_id = DetectBufferTypeGetByName("template_buffer");
101 
102  SCLogNotice("Template application layer detect registered.");
103 }
104 
105 #ifdef UNITTESTS
106 
107 #include "util-unittest.h"
108 #include "util-unittest-helper.h"
109 #include "flow-util.h"
110 #include "stream-tcp.h"
111 #include "detect-engine-alert.h"
112 
113 static int DetectTemplateRustBufferTest(void)
114 {
115  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
116  DetectEngineThreadCtx *det_ctx = NULL;
117  DetectEngineCtx *de_ctx = NULL;
118  Flow f;
119  Packet *p;
120  TcpSession tcp;
121  ThreadVars tv;
122  Signature *s;
123 
124  uint8_t request[] = "12:Hello World!";
125 
126  /* Setup flow. */
127  memset(&f, 0, sizeof(Flow));
128  memset(&tcp, 0, sizeof(TcpSession));
129  memset(&tv, 0, sizeof(ThreadVars));
130  p = UTHBuildPacket(request, sizeof(request), IPPROTO_TCP);
131  FLOW_INITIALIZE(&f);
132  f.alproto = ALPROTO_TEMPLATE;
133  f.protoctx = (void *)&tcp;
134  f.proto = IPPROTO_TCP;
135  f.flags |= FLOW_IPV4;
136  p->flow = &f;
137  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
138  p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
139  StreamTcpInitConfig(true);
140 
141  de_ctx = DetectEngineCtxInit();
142  FAIL_IF_NULL(de_ctx);
143 
144  /* This rule should match. */
145  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
146  "msg:\"TEMPLATE Test Rule\"; "
147  "template_rust_buffer; content:\"World!\"; "
148  "sid:1; rev:1;)");
149  FAIL_IF_NULL(s);
150 
151  /* This rule should not match. */
152  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
153  "msg:\"TEMPLATE Test Rule\"; "
154  "template_rust_buffer; content:\"W0rld!\"; "
155  "sid:2; rev:1;)");
156  FAIL_IF_NULL(s);
157 
158  SigGroupBuild(de_ctx);
159  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
160 
161  AppLayerParserParse(
162  NULL, alp_tctx, &f, ALPROTO_TEMPLATE, STREAM_TOSERVER, request, sizeof(request));
163 
164  /* Check that we have app-layer state. */
165  FAIL_IF_NULL(f.alstate);
166 
167  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
168  FAIL_IF(!PacketAlertCheck(p, 1));
169  FAIL_IF(PacketAlertCheck(p, 2));
170 
171  /* Cleanup. */
172  if (alp_tctx != NULL)
173  AppLayerParserThreadCtxFree(alp_tctx);
174  if (det_ctx != NULL)
175  DetectEngineThreadCtxDeinit(&tv, det_ctx);
176  if (de_ctx != NULL)
177  SigGroupCleanup(de_ctx);
178  if (de_ctx != NULL)
179  DetectEngineCtxFree(de_ctx);
180  StreamTcpFreeConfig(true);
181  FLOW_DESTROY(&f);
182  UTHFreePacket(p);
183 
184  PASS;
185 }
186 
187 static void DetectTemplateRustBufferRegisterTests(void)
188 {
189  UtRegisterTest("DetectTemplateRustBufferTest",
190  DetectTemplateRustBufferTest);
191 }
192 #endif /* UNITTESTS */
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1737
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1303
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:127
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1273
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2140
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1301
InspectionBuffer::initialized
bool initialized
Definition: detect.h:377
stream-tcp.h
detect-template-rust-buffer.h
DetectEngineTransforms
Definition: detect.h:408
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:382
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
InspectionBuffer
Definition: detect.h:373
Packet_::flags
uint32_t flags
Definition: decode.h:516
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:181
Flow_
Flow data structure.
Definition: flow.h:360
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1295
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DETECT_AL_TEMPLATE_BUFFER
@ DETECT_AL_TEMPLATE_BUFFER
Definition: detect-engine-register.h:297
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2597
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:301
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
rust.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1926
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:510
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:268
Flow_::protoctx
void * protoctx
Definition: flow.h:450
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1286
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
util-unittest.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1498
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1091
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:461
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:267
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1090
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
SignatureInitData_::list
int list
Definition: detect.h:570
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2228
Packet_
Definition: decode.h:479
detect-engine-build.h
detect-engine-alert.h
conf.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:670
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2161
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:280
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:518
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3312
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:792
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1267
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3539
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1697
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
str
#define str(s)
Definition: suricata-common.h:291
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1593
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467
Flow_::alstate
void * alstate
Definition: flow.h:485
Flow_::flags
uint32_t flags
Definition: flow.h:430
detect-parse.h
Signature_
Signature container.
Definition: detect.h:601
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:62
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:234
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2558
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1485
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:238
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:59
DetectTemplateRustBufferRegister
void DetectTemplateRustBufferRegister(void)
Definition: detect-template-rust-buffer.c:78
TcpSession_
Definition: stream-tcp-private.h:283
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:237
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:459
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1270
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1293