suricata
detect-template-rust-buffer.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /*
19  * TODO: Update the \author in this file and detect-template.h.
20  * TODO: Update description in the \file section below.
21  * TODO: Remove SCLogNotice statements or convert to debug.
22  */
23 
24 /**
25  * \file
26  *
27  * \author FirstName LastName <yourname@domain>
28  *
29  * Set up of the "template_rust" keyword to allow content
30  * inspections on the decoded template application layer buffers.
31  */
32 
33 #include "suricata-common.h"
34 #include "conf.h"
35 #include "detect.h"
36 #include "detect-parse.h"
37 #include "detect-engine.h"
40 #include "app-layer-parser.h"
41 #include "rust-applayertemplate-template-gen.h"
42 
43 static int DetectTemplateRustBufferSetup(DetectEngineCtx *, Signature *,
44  const char *);
45 static int DetectEngineInspectTemplateRustBuffer(ThreadVars *tv,
46  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
47  const Signature *s, const SigMatchData *smd,
48  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
49 static void DetectTemplateRustBufferRegisterTests(void);
50 static int g_template_rust_id = 0;
51 
53 {
54  /* TEMPLATE_START_REMOVE */
55  if (ConfGetNode("app-layer.protocols.template-rust") == NULL) {
56  return;
57  }
58  /* TEMPLATE_END_REMOVE */
60  "template_rust_buffer";
62  "Template content modififier to match on the template buffers";
64  DetectTemplateRustBufferSetup;
66  DetectTemplateRustBufferRegisterTests;
67 
69 
70  /* register inspect engines */
71  DetectAppLayerInspectEngineRegister("template_rust_buffer",
73  DetectEngineInspectTemplateRustBuffer);
74  DetectAppLayerInspectEngineRegister("template_rust_buffer",
76  DetectEngineInspectTemplateRustBuffer);
77 
78  g_template_rust_id = DetectBufferTypeGetByName("template_rust_buffer");
79 
80  SCLogNotice("Template application layer detect registered.");
81 }
82 
83 static int DetectTemplateRustBufferSetup(DetectEngineCtx *de_ctx, Signature *s,
84  const char *str)
85 {
86  s->init_data->list = g_template_rust_id;
87 
89  return -1;
90 
91  return 0;
92 }
93 
94 static int DetectEngineInspectTemplateRustBuffer(ThreadVars *tv,
95  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
96  const Signature *s, const SigMatchData *smd,
97  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
98 {
99  int ret = 0;
100  const uint8_t *data = NULL;
101  uint32_t data_len = 0;
102 
103  if (flags & STREAM_TOSERVER) {
104  rs_template_get_request_buffer(txv, &data, &data_len);
105  } else if (flags & STREAM_TOCLIENT) {
106  rs_template_get_response_buffer(txv, &data, &data_len);
107  }
108 
109  if (data != NULL) {
110  ret = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
111  NULL, f, (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE,
113  }
114 
115  SCLogNotice("Returning %d.", ret);
116  return ret;
117 }
118 
119 #ifdef UNITTESTS
120 
121 #include "util-unittest.h"
122 #include "util-unittest-helper.h"
123 #include "app-layer-parser.h"
124 #include "detect-engine.h"
125 #include "detect-parse.h"
126 #include "flow-util.h"
127 #include "stream-tcp.h"
128 
129 static int DetectTemplateRustBufferTest(void)
130 {
132  DetectEngineThreadCtx *det_ctx = NULL;
133  DetectEngineCtx *de_ctx = NULL;
134  Flow f;
135  Packet *p;
136  TcpSession tcp;
137  ThreadVars tv;
138  Signature *s;
139 
140  uint8_t request[] = "12:Hello World!";
141 
142  /* Setup flow. */
143  memset(&f, 0, sizeof(Flow));
144  memset(&tcp, 0, sizeof(TcpSession));
145  memset(&tv, 0, sizeof(ThreadVars));
146  p = UTHBuildPacket(request, sizeof(request), IPPROTO_TCP);
147  FLOW_INITIALIZE(&f);
149  f.protoctx = (void *)&tcp;
150  f.proto = IPPROTO_TCP;
151  f.flags |= FLOW_IPV4;
152  p->flow = &f;
156 
157  de_ctx = DetectEngineCtxInit();
158  FAIL_IF_NULL(de_ctx);
159 
160  /* This rule should match. */
161  s = DetectEngineAppendSig(de_ctx,
162  "alert tcp any any -> any any ("
163  "msg:\"TEMPLATE Test Rule\"; "
164  "template_rust_buffer; content:\"World!\"; "
165  "sid:1; rev:1;)");
166  FAIL_IF_NULL(s);
167 
168  /* This rule should not match. */
169  s = DetectEngineAppendSig(de_ctx,
170  "alert tcp any any -> any any ("
171  "msg:\"TEMPLATE Test Rule\"; "
172  "template_rust_buffer; content:\"W0rld!\"; "
173  "sid:2; rev:1;)");
174  FAIL_IF_NULL(s);
175 
176  SigGroupBuild(de_ctx);
177  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
178 
179  FLOWLOCK_WRLOCK(&f);
180  AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TEMPLATE_RUST,
181  STREAM_TOSERVER, request, sizeof(request));
182  FLOWLOCK_UNLOCK(&f);
183 
184  /* Check that we have app-layer state. */
186 
187  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
188  FAIL_IF(!PacketAlertCheck(p, 1));
189  FAIL_IF(PacketAlertCheck(p, 2));
190 
191  /* Cleanup. */
192  if (alp_tctx != NULL)
193  AppLayerParserThreadCtxFree(alp_tctx);
194  if (det_ctx != NULL)
195  DetectEngineThreadCtxDeinit(&tv, det_ctx);
196  if (de_ctx != NULL)
197  SigGroupCleanup(de_ctx);
198  if (de_ctx != NULL)
199  DetectEngineCtxFree(de_ctx);
201  FLOW_DESTROY(&f);
202  UTHFreePacket(p);
203 
204  PASS;
205 }
206 
207 #endif
208 
209 static void DetectTemplateRustBufferRegisterTests(void)
210 {
211 #ifdef UNITTESTS
212  UtRegisterTest("DetectTemplateRustBufferTest",
213  DetectTemplateRustBufferTest);
214 #endif /* UNITTESTS */
215 }
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
SignatureInitData * init_data
Definition: detect.h:591
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
struct Flow_ * flow
Definition: decode.h:445
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:344
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
#define PASS
Pass the test.
void DetectTemplateRustBufferRegister(void)
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
Data needed for Match()
Definition: detect.h:327
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1200
Signature container.
Definition: detect.h:522
#define TRUE
void * protoctx
Definition: flow.h:400
main detection engine ctx
Definition: detect.h:761
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void * alstate
Definition: flow.h:438
int DetectBufferTypeGetByName(const char *name)
#define str(s)
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1669
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
uint8_t flowflags
Definition: decode.h:439
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define STREAM_TOCLIENT
Definition: stream.h:32
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
const char * desc
Definition: detect.h:1202
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:269
uint16_t tx_id
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
#define SIGMATCH_NOOPT
Definition: detect.h:1369
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
#define STREAM_TOSERVER
Definition: stream.h:31
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:176
#define PKT_HAS_FLOW
Definition: decode.h:1093
#define DETECT_CI_FLAGS_SINGLE
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
Per thread variable structure.
Definition: threadvars.h:57
AppProto alproto
application level protocol
Definition: flow.h:409
uint32_t flags
Definition: decode.h:443
uint16_t flags
Definition: detect.h:1194
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Flow data structure.
Definition: flow.h:325
#define FLOW_IPV4
Definition: flow.h:94
uint32_t flags
Definition: flow.h:379
#define PKT_STREAM_EST
Definition: decode.h:1091
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
void(* RegisterTests)(void)
Definition: detect.h:1192
DetectEngineCtx * DetectEngineCtxInit(void)