suricata
detect-template-rust-buffer.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /*
19  * TODO: Update the \author in this file and detect-template.h.
20  * TODO: Update description in the \file section below.
21  * TODO: Remove SCLogNotice statements or convert to debug.
22  */
23 
24 /**
25  * \file
26  *
27  * \author FirstName LastName <yourname@domain>
28  *
29  * Set up of the "template_rust" keyword to allow content
30  * inspections on the decoded template application layer buffers.
31  */
32 
33 #include "suricata-common.h"
34 #include "conf.h"
35 #include "detect.h"
36 #include "detect-parse.h"
37 #include "detect-engine.h"
40 #include "app-layer-parser.h"
41 #include "detect-engine-build.h"
42 #include "rust.h"
43 
44 static int DetectTemplateRustBufferSetup(DetectEngineCtx *, Signature *, const char *);
45 static uint8_t DetectEngineInspectTemplateRustBuffer(DetectEngineCtx *de_ctx,
46  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
47  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
48 #ifdef UNITTESTS
49 static void DetectTemplateRustBufferRegisterTests(void);
50 #endif
51 static int g_template_rust_id = 0;
52 
54 {
55  /* TEMPLATE_START_REMOVE */
56  if (ConfGetNode("app-layer.protocols.template-rust") == NULL) {
57  return;
58  }
59  /* TEMPLATE_END_REMOVE */
60  sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].name = "template_rust_buffer";
62  "Template content modifier to match on the template buffers";
63  sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].Setup = DetectTemplateRustBufferSetup;
64 #ifdef UNITTESTS
65  sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].RegisterTests = DetectTemplateRustBufferRegisterTests;
66 #endif
68 
69  /* register inspect engines */
71  DetectEngineInspectTemplateRustBuffer, NULL);
73  DetectEngineInspectTemplateRustBuffer, NULL);
74 
75  g_template_rust_id = DetectBufferTypeGetByName("template_buffer");
76 
77  SCLogNotice("Template application layer detect registered.");
78 }
79 
80 static int DetectTemplateRustBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
81 {
82  s->init_data->list = g_template_rust_id;
83 
85  return -1;
86 
87  return 0;
88 }
89 
90 static uint8_t DetectEngineInspectTemplateRustBuffer(DetectEngineCtx *de_ctx,
91  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
92  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
93 {
94  uint8_t ret = 0;
95  const uint8_t *data = NULL;
96  uint32_t data_len = 0;
97 
98  if (flags & STREAM_TOSERVER) {
99  rs_template_get_request_buffer(txv, &data, &data_len);
100  } else if (flags & STREAM_TOCLIENT) {
101  rs_template_get_response_buffer(txv, &data, &data_len);
102  }
103 
104  if (data != NULL) {
105  ret = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
106  (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE,
108  }
109 
110  SCLogNotice("Returning %d.", ret);
111  return ret;
112 }
113 
114 #ifdef UNITTESTS
115 
116 #include "util-unittest.h"
117 #include "util-unittest-helper.h"
118 #include "flow-util.h"
119 #include "stream-tcp.h"
120 #include "detect-engine-alert.h"
121 
122 static int DetectTemplateRustBufferTest(void)
123 {
125  DetectEngineThreadCtx *det_ctx = NULL;
126  DetectEngineCtx *de_ctx = NULL;
127  Flow f;
128  Packet *p;
129  TcpSession tcp;
130  ThreadVars tv;
131  Signature *s;
132 
133  uint8_t request[] = "12:Hello World!";
134 
135  /* Setup flow. */
136  memset(&f, 0, sizeof(Flow));
137  memset(&tcp, 0, sizeof(TcpSession));
138  memset(&tv, 0, sizeof(ThreadVars));
139  p = UTHBuildPacket(request, sizeof(request), IPPROTO_TCP);
140  FLOW_INITIALIZE(&f);
142  f.protoctx = (void *)&tcp;
143  f.proto = IPPROTO_TCP;
144  f.flags |= FLOW_IPV4;
145  p->flow = &f;
148  StreamTcpInitConfig(true);
149 
152 
153  /* This rule should match. */
154  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
155  "msg:\"TEMPLATE Test Rule\"; "
156  "template_rust_buffer; content:\"World!\"; "
157  "sid:1; rev:1;)");
158  FAIL_IF_NULL(s);
159 
160  /* This rule should not match. */
161  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
162  "msg:\"TEMPLATE Test Rule\"; "
163  "template_rust_buffer; content:\"W0rld!\"; "
164  "sid:2; rev:1;)");
165  FAIL_IF_NULL(s);
166 
168  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
169 
171  NULL, alp_tctx, &f, ALPROTO_TEMPLATE, STREAM_TOSERVER, request, sizeof(request));
172 
173  /* Check that we have app-layer state. */
175 
176  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
177  FAIL_IF(!PacketAlertCheck(p, 1));
178  FAIL_IF(PacketAlertCheck(p, 2));
179 
180  /* Cleanup. */
181  if (alp_tctx != NULL)
183  if (det_ctx != NULL)
184  DetectEngineThreadCtxDeinit(&tv, det_ctx);
185  if (de_ctx != NULL)
187  if (de_ctx != NULL)
189  StreamTcpFreeConfig(true);
190  FLOW_DESTROY(&f);
191  UTHFreePacket(p);
192 
193  PASS;
194 }
195 
196 static void DetectTemplateRustBufferRegisterTests(void)
197 {
198  UtRegisterTest("DetectTemplateRustBufferTest",
199  DetectTemplateRustBufferTest);
200 }
201 #endif /* UNITTESTS */
DetectEngineAppInspectionEngine_
Definition: detect.h:390
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1498
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1240
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1003
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1238
stream-tcp.h
detect-template-rust-buffer.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:379
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:463
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:181
Flow_
Flow data structure.
Definition: flow.h:357
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1232
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
DETECT_AL_TEMPLATE_BUFFER
@ DETECT_AL_TEMPLATE_BUFFER
Definition: detect-engine-register.h:280
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:314
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:227
rust.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:459
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:229
Flow_::protoctx
void * protoctx
Definition: flow.h:447
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1079
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:356
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:40
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:228
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
SignatureInitData_::list
int list
Definition: detect.h:517
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2019
Packet_
Definition: decode.h:428
detect-engine-build.h
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224
detect-engine-alert.h
conf.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:293
detect-engine-content-inspection.h
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:407
DetectEngineContentInspection
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:106
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:47
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:668
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1323
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
str
#define str(s)
Definition: suricata-common.h:280
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
Flow_::alstate
void * alstate
Definition: flow.h:482
Flow_::flags
uint32_t flags
Definition: flow.h:427
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:59
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:229
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1423
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
DetectTemplateRustBufferRegister
void DetectTemplateRustBufferRegister(void)
Definition: detect-template-rust-buffer.c:53
TcpSession_
Definition: stream-tcp-private.h:272
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:237
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:456
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:129
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1000
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230