suricata
detect-template2.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author XXX
22  *
23  */
24 
25 #include "suricata-common.h"
26 
27 #include "detect.h"
28 #include "detect-parse.h"
30 
31 #include "detect-template2.h"
32 
33 /**
34  * \brief Regex for parsing our options
35  */
36 #define PARSE_REGEX "^\\s*([0-9]*)?\\s*([<>=-]+)?\\s*([0-9]+)?\\s*$"
37 
38 static pcre *parse_regex;
39 static pcre_extra *parse_regex_study;
40 
41 /* prototypes */
42 static int DetectTemplate2Match (DetectEngineThreadCtx *, Packet *,
43  const Signature *, const SigMatchCtx *);
44 static int DetectTemplate2Setup (DetectEngineCtx *, Signature *, const char *);
45 void DetectTemplate2Free (void *);
46 #ifdef UNITTESTS
48 #endif
49 static int PrefilterSetupTemplate2(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
50 static _Bool PrefilterTemplate2IsPrefilterable(const Signature *s);
51 
52 /**
53  * \brief Registration function for template2: keyword
54  */
55 
57 {
58  sigmatch_table[DETECT_TEMPLATE2].name = "template2";
59  sigmatch_table[DETECT_TEMPLATE2].desc = "TODO describe the keyword";
60  sigmatch_table[DETECT_TEMPLATE2].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#template2";
61  sigmatch_table[DETECT_TEMPLATE2].Match = DetectTemplate2Match;
62  sigmatch_table[DETECT_TEMPLATE2].Setup = DetectTemplate2Setup;
64 #ifdef UNITTESTS
66 #endif
67  sigmatch_table[DETECT_TEMPLATE2].SupportsPrefilter = PrefilterTemplate2IsPrefilterable;
68  sigmatch_table[DETECT_TEMPLATE2].SetupPrefilter = PrefilterSetupTemplate2;
69 
70  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
71  return;
72 }
73 
74 static inline int Template2Match(const uint8_t parg, const uint8_t mode,
75  const uint8_t darg1, const uint8_t darg2)
76 {
77  if (mode == DETECT_TEMPLATE2_EQ && parg == darg1)
78  return 1;
79  else if (mode == DETECT_TEMPLATE2_LT && parg < darg1)
80  return 1;
81  else if (mode == DETECT_TEMPLATE2_GT && parg > darg1)
82  return 1;
83  else if (mode == DETECT_TEMPLATE2_RA && (parg > darg1 && parg < darg2))
84  return 1;
85 
86  return 0;
87 }
88 
89 /**
90  * \brief This function is used to match TEMPLATE2 rule option on a packet with those passed via template2:
91  *
92  * \param t pointer to thread vars
93  * \param det_ctx pointer to the pattern matcher thread
94  * \param p pointer to the current packet
95  * \param m pointer to the sigmatch that we will cast into DetectTemplate2Data
96  *
97  * \retval 0 no match
98  * \retval 1 match
99  */
100 static int DetectTemplate2Match (DetectEngineThreadCtx *det_ctx, Packet *p,
101  const Signature *s, const SigMatchCtx *ctx)
102 {
103 
104  if (PKT_IS_PSEUDOPKT(p))
105  return 0;
106 
107  /* TODO replace this */
108  uint8_t ptemplate2;
109  if (PKT_IS_IPV4(p)) {
110  ptemplate2 = IPV4_GET_IPTTL(p);
111  } else if (PKT_IS_IPV6(p)) {
112  ptemplate2 = IPV6_GET_HLIM(p);
113  } else {
114  SCLogDebug("Packet is of not IPv4 or IPv6");
115  return 0;
116  }
117 
118  const DetectTemplate2Data *template2d = (const DetectTemplate2Data *)ctx;
119  return Template2Match(ptemplate2, template2d->mode, template2d->arg1, template2d->arg2);
120 }
121 
122 /**
123  * \brief This function is used to parse template2 options passed via template2: keyword
124  *
125  * \param template2str Pointer to the user provided template2 options
126  *
127  * \retval template2d pointer to DetectTemplate2Data on success
128  * \retval NULL on failure
129  */
130 
131 static DetectTemplate2Data *DetectTemplate2Parse (const char *template2str)
132 {
133  DetectTemplate2Data *template2d = NULL;
134  char *arg1 = NULL;
135  char *arg2 = NULL;
136  char *arg3 = NULL;
137 #define MAX_SUBSTRINGS 30
138  int ret = 0, res = 0;
139  int ov[MAX_SUBSTRINGS];
140 
141  ret = pcre_exec(parse_regex, parse_regex_study, template2str, strlen(template2str), 0, 0, ov, MAX_SUBSTRINGS);
142  if (ret < 2 || ret > 4) {
143  SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 "", ret);
144  goto error;
145  }
146  const char *str_ptr;
147 
148  res = pcre_get_substring((char *) template2str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
149  if (res < 0) {
150  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
151  goto error;
152  }
153  arg1 = (char *) str_ptr;
154  SCLogDebug("Arg1 \"%s\"", arg1);
155 
156  if (ret >= 3) {
157  res = pcre_get_substring((char *) template2str, ov, MAX_SUBSTRINGS, 2, &str_ptr);
158  if (res < 0) {
159  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
160  goto error;
161  }
162  arg2 = (char *) str_ptr;
163  SCLogDebug("Arg2 \"%s\"", arg2);
164 
165  if (ret >= 4) {
166  res = pcre_get_substring((char *) template2str, ov, MAX_SUBSTRINGS, 3, &str_ptr);
167  if (res < 0) {
168  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
169  goto error;
170  }
171  arg3 = (char *) str_ptr;
172  SCLogDebug("Arg3 \"%s\"", arg3);
173  }
174  }
175 
176  template2d = SCMalloc(sizeof (DetectTemplate2Data));
177  if (unlikely(template2d == NULL))
178  goto error;
179  template2d->arg1 = 0;
180  template2d->arg2 = 0;
181 
182  if (arg2 != NULL) {
183  /*set the values*/
184  switch(arg2[0]) {
185  case '<':
186  if (arg3 == NULL)
187  goto error;
188 
189  template2d->mode = DETECT_TEMPLATE2_LT;
190  template2d->arg1 = (uint8_t) atoi(arg3);
191 
192  SCLogDebug("template2 is %"PRIu8"",template2d->arg1);
193  if (strlen(arg1) > 0)
194  goto error;
195 
196  break;
197  case '>':
198  if (arg3 == NULL)
199  goto error;
200 
201  template2d->mode = DETECT_TEMPLATE2_GT;
202  template2d->arg1 = (uint8_t) atoi(arg3);
203 
204  SCLogDebug("template2 is %"PRIu8"",template2d->arg1);
205  if (strlen(arg1) > 0)
206  goto error;
207 
208  break;
209  case '-':
210  if (arg1 == NULL || strlen(arg1)== 0)
211  goto error;
212  if (arg3 == NULL || strlen(arg3)== 0)
213  goto error;
214 
215  template2d->mode = DETECT_TEMPLATE2_RA;
216  template2d->arg1 = (uint8_t) atoi(arg1);
217 
218  template2d->arg2 = (uint8_t) atoi(arg3);
219  SCLogDebug("template2 is %"PRIu8" to %"PRIu8"",template2d->arg1, template2d->arg2);
220  if (template2d->arg1 >= template2d->arg2) {
221  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid template2 range. ");
222  goto error;
223  }
224  break;
225  default:
226  template2d->mode = DETECT_TEMPLATE2_EQ;
227 
228  if ((arg2 != NULL && strlen(arg2) > 0) ||
229  (arg3 != NULL && strlen(arg3) > 0) ||
230  (arg1 == NULL ||strlen(arg1) == 0))
231  goto error;
232 
233  template2d->arg1 = (uint8_t) atoi(arg1);
234  break;
235  }
236  } else {
237  template2d->mode = DETECT_TEMPLATE2_EQ;
238 
239  if ((arg3 != NULL && strlen(arg3) > 0) ||
240  (arg1 == NULL ||strlen(arg1) == 0))
241  goto error;
242 
243  template2d->arg1 = (uint8_t) atoi(arg1);
244  }
245 
246  SCFree(arg1);
247  SCFree(arg2);
248  SCFree(arg3);
249  return template2d;
250 
251 error:
252  if (template2d)
253  SCFree(template2d);
254  if (arg1)
255  SCFree(arg1);
256  if (arg2)
257  SCFree(arg2);
258  if (arg3)
259  SCFree(arg3);
260  return NULL;
261 }
262 
263 /**
264  * \brief this function is used to atemplate2d the parsed template2 data into the current signature
265  *
266  * \param de_ctx pointer to the Detection Engine Context
267  * \param s pointer to the Current Signature
268  * \param template2str pointer to the user provided template2 options
269  *
270  * \retval 0 on Success
271  * \retval -1 on Failure
272  */
273 static int DetectTemplate2Setup (DetectEngineCtx *de_ctx, Signature *s, const char *template2str)
274 {
275  DetectTemplate2Data *template2d = DetectTemplate2Parse(template2str);
276  if (template2d == NULL)
277  return -1;
278 
279  SigMatch *sm = SigMatchAlloc();
280  if (sm == NULL) {
281  DetectTemplate2Free(template2d);
282  return -1;
283  }
284 
285  sm->type = DETECT_TEMPLATE2;
286  sm->ctx = (SigMatchCtx *)template2d;
287 
290 
291  return 0;
292 }
293 
294 /**
295  * \brief this function will free memory associated with DetectTemplate2Data
296  *
297  * \param ptr pointer to DetectTemplate2Data
298  */
299 void DetectTemplate2Free(void *ptr)
300 {
301  DetectTemplate2Data *template2d = (DetectTemplate2Data *)ptr;
302  SCFree(template2d);
303 }
304 
305 /* prefilter code */
306 
307 static void
308 PrefilterPacketTemplate2Match(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
309 {
310  if (PKT_IS_PSEUDOPKT(p)) {
311  SCReturn;
312  }
313 
314  uint8_t ptemplate2;
315 /* TODO update */
316  if (PKT_IS_IPV4(p)) {
317  ptemplate2 = IPV4_GET_IPTTL(p);
318  } else if (PKT_IS_IPV6(p)) {
319  ptemplate2 = IPV6_GET_HLIM(p);
320  } else {
321  SCLogDebug("Packet is of not IPv4 or IPv6");
322  return;
323  }
324 
325  /* during setup Suricata will automatically see if there is another
326  * check that can be added: alproto, sport or dport */
327  const PrefilterPacketHeaderCtx *ctx = pectx;
328  if (PrefilterPacketHeaderExtraMatch(ctx, p) == FALSE)
329  return;
330 
331  /* if we match, add all the sigs that use this prefilter. This means
332  * that these will be inspected further */
333  if (Template2Match(ptemplate2, ctx->v1.u8[0], ctx->v1.u8[1], ctx->v1.u8[2]))
334  {
335  SCLogDebug("packet matches template2/hl %u", ptemplate2);
336  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
337  }
338 }
339 
340 static void
341 PrefilterPacketTemplate2Set(PrefilterPacketHeaderValue *v, void *smctx)
342 {
343  const DetectTemplate2Data *a = smctx;
344  v->u8[0] = a->mode;
345  v->u8[1] = a->arg1;
346  v->u8[2] = a->arg2;
347 }
348 
349 static _Bool
350 PrefilterPacketTemplate2Compare(PrefilterPacketHeaderValue v, void *smctx)
351 {
352  const DetectTemplate2Data *a = smctx;
353  if (v.u8[0] == a->mode &&
354  v.u8[1] == a->arg1 &&
355  v.u8[2] == a->arg2)
356  return TRUE;
357  return FALSE;
358 }
359 
360 static int PrefilterSetupTemplate2(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
361 {
362  return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_TEMPLATE2,
363  PrefilterPacketTemplate2Set,
364  PrefilterPacketTemplate2Compare,
365  PrefilterPacketTemplate2Match);
366 }
367 
368 static _Bool PrefilterTemplate2IsPrefilterable(const Signature *s)
369 {
370  const SigMatch *sm;
371  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
372  switch (sm->type) {
373  case DETECT_TEMPLATE2:
374  return TRUE;
375  }
376  }
377  return FALSE;
378 }
379 
380 #ifdef UNITTESTS
381 #include "tests/detect-template2.c"
382 #endif
383 
#define MAX_SUBSTRINGS
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
SignatureInitData * init_data
Definition: detect.h:591
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
#define SCLogDebug(...)
Definition: util-debug.h:335
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1189
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), _Bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
void DetectTemplate2Free(void *)
this function will free memory associated with DetectTemplate2Data
#define DETECT_TEMPLATE2_LT
uint32_t flags
Definition: detect.h:523
_Bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1188
#define FALSE
#define unlikely(expr)
Definition: util-optimize.h:35
#define IPV6_GET_HLIM(p)
Definition: decode-ipv6.h:90
#define PKT_IS_IPV6(p)
Definition: decode.h:253
Container for matching data for a signature group.
Definition: detect.h:1336
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223
const char * name
Definition: detect.h:1200
Signature container.
Definition: detect.h:522
#define TRUE
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
#define PKT_IS_IPV4(p)
Definition: decode.h:252
struct SigMatch_ * next
Definition: detect.h:322
main detection engine ctx
Definition: detect.h:761
void DetectTemplate2RegisterTests(void)
this function registers unit tests for DetectTemplate2
void(* Free)(void *)
Definition: detect.h:1191
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
PrefilterRuleStore pmq
Definition: detect.h:1102
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1170
uint8_t type
Definition: detect.h:319
const char * desc
Definition: detect.h:1202
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:346
struct SigMatch_ ** smlists
Definition: detect.h:516
SigMatchCtx * ctx
Definition: detect.h:321
#define DETECT_TEMPLATE2_GT
#define SCMalloc(a)
Definition: util-mem.h:222
#define SCFree(a)
Definition: util-mem.h:322
PoolThreadReserved res
const char * url
Definition: detect.h:1203
void DetectTemplate2Register(void)
Registration function for template2: keyword.
#define DETECT_TEMPLATE2_RA
#define DOC_URL
Definition: suricata.h:86
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1133
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
#define DETECT_TEMPLATE2_EQ
#define SCReturn
Definition: util-debug.h:339
#define DOC_VERSION
Definition: suricata.h:91
#define PARSE_REGEX
Regex for parsing our options.
void(* RegisterTests)(void)
Definition: detect.h:1192
a single match condition for a signature
Definition: detect.h:318
#define IPV4_GET_IPTTL(p)
Definition: decode-ipv4.h:146