suricata
detect-template.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author XXX Yourname <youremail@yourdomain>
22  *
23  * XXX Short description of the purpose of this keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "util-unittest.h"
28 #include "util-byte.h"
29 
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 
33 #include "detect-template.h"
34 
35 /**
36  * \brief Regex for parsing our keyword options
37  */
38 #define PARSE_REGEX "^\\s*([0-9]+)?\\s*,s*([0-9]+)?\\s*$"
39 static DetectParseRegex parse_regex;
40 
41 /* Prototypes of functions registered in DetectTemplateRegister below */
42 static int DetectTemplateMatch (DetectEngineThreadCtx *,
43  Packet *, const Signature *, const SigMatchCtx *);
44 static int DetectTemplateSetup (DetectEngineCtx *, Signature *, const char *);
45 static void DetectTemplateFree (DetectEngineCtx *, void *);
46 #ifdef UNITTESTS
47 static void DetectTemplateRegisterTests (void);
48 #endif
49 
50 /**
51  * \brief Registration function for template: keyword
52  *
53  * This function is called once in the 'lifetime' of the engine.
54  */
56  /* keyword name: this is how the keyword is used in a rule */
57  sigmatch_table[DETECT_TEMPLATE].name = "template";
58  /* description: listed in "suricata --list-keywords=all" */
59  sigmatch_table[DETECT_TEMPLATE].desc = "give an introduction into how a detection module works";
60  /* link to further documentation of the keyword. Normally on the Suricata redmine/wiki */
61  sigmatch_table[DETECT_TEMPLATE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide";
62  /* match function is called when the signature is inspected on a packet */
63  sigmatch_table[DETECT_TEMPLATE].Match = DetectTemplateMatch;
64  /* setup function is called during signature parsing, when the template
65  * keyword is encountered in the rule */
66  sigmatch_table[DETECT_TEMPLATE].Setup = DetectTemplateSetup;
67  /* free function is called when the detect engine is freed. Normally at
68  * shutdown, but also during rule reloads. */
69  sigmatch_table[DETECT_TEMPLATE].Free = DetectTemplateFree;
70 #ifdef UNITTESTS
71  /* registers unittests into the system */
73 #endif
74  /* set up the PCRE for keyword parsing */
75  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
76 }
77 
78 /**
79  * \brief This function is used to match TEMPLATE rule option on a packet
80  *
81  * \param t pointer to thread vars
82  * \param det_ctx pointer to the pattern matcher thread
83  * \param p pointer to the current packet
84  * \param m pointer to the sigmatch with context that we will cast into DetectTemplateData
85  *
86  * \retval 0 no match
87  * \retval 1 match
88  */
89 static int DetectTemplateMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
90  const Signature *s, const SigMatchCtx *ctx)
91 {
92  int ret = 0;
93  const DetectTemplateData *templated = (const DetectTemplateData *) ctx;
94 #if 0
95  if (PKT_IS_PSEUDOPKT(p)) {
96  /* fake pkt */
97  }
98 
99  if (PKT_IS_IPV4(p)) {
100  /* ipv4 pkt */
101  } else if (PKT_IS_IPV6(p)) {
102  /* ipv6 pkt */
103  } else {
104  SCLogDebug("packet is of not IPv4 or IPv6");
105  return ret;
106  }
107 #endif
108  /* packet payload access */
109  if (p->payload != NULL && p->payload_len > 0) {
110  if (templated->arg1 == p->payload[0] &&
111  templated->arg2 == p->payload[p->payload_len - 1])
112  {
113  ret = 1;
114  }
115  }
116 
117  return ret;
118 }
119 
120 /**
121  * \brief This function is used to parse template options passed via template: keyword
122  *
123  * \param templatestr Pointer to the user provided template options
124  *
125  * \retval templated pointer to DetectTemplateData on success
126  * \retval NULL on failure
127  */
128 static DetectTemplateData *DetectTemplateParse (const char *templatestr)
129 {
130  char arg1[4] = "";
131  char arg2[4] = "";
132  int ov[MAX_SUBSTRINGS];
133 
134  int ret = DetectParsePcreExec(&parse_regex, templatestr, 0, 0, ov, MAX_SUBSTRINGS);
135  if (ret != 3) {
136  SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 "", ret);
137  return NULL;
138  }
139 
140  ret = pcre_copy_substring((char *) templatestr, ov, MAX_SUBSTRINGS, 1, arg1, sizeof(arg1));
141  if (ret < 0) {
142  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
143  return NULL;
144  }
145  SCLogDebug("Arg1 \"%s\"", arg1);
146 
147  ret = pcre_copy_substring((char *) templatestr, ov, MAX_SUBSTRINGS, 2, arg2, sizeof(arg2));
148  if (ret < 0) {
149  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
150  return NULL;
151  }
152  SCLogDebug("Arg2 \"%s\"", arg2);
153 
154  DetectTemplateData *templated = SCMalloc(sizeof (DetectTemplateData));
155  if (unlikely(templated == NULL))
156  return NULL;
157 
158  if (ByteExtractStringUint8(&templated->arg1, 10, 0, (const char *)arg1) < 0) {
159  SCFree(templated);
160  return NULL;
161  }
162  if (ByteExtractStringUint8(&templated->arg2, 10, 0, (const char *)arg2) < 0) {
163  SCFree(templated);
164  return NULL;
165  }
166  return templated;
167 }
168 
169 /**
170  * \brief parse the options from the 'template' keyword in the rule into
171  * the Signature data structure.
172  *
173  * \param de_ctx pointer to the Detection Engine Context
174  * \param s pointer to the Current Signature
175  * \param templatestr pointer to the user provided template options
176  *
177  * \retval 0 on Success
178  * \retval -1 on Failure
179  */
180 static int DetectTemplateSetup (DetectEngineCtx *de_ctx, Signature *s, const char *templatestr)
181 {
182  DetectTemplateData *templated = DetectTemplateParse(templatestr);
183  if (templated == NULL)
184  return -1;
185 
186  SigMatch *sm = SigMatchAlloc();
187  if (sm == NULL) {
188  DetectTemplateFree(de_ctx, templated);
189  return -1;
190  }
191 
192  sm->type = DETECT_TEMPLATE;
193  sm->ctx = (void *)templated;
194 
197 
198  return 0;
199 }
200 
201 /**
202  * \brief this function will free memory associated with DetectTemplateData
203  *
204  * \param ptr pointer to DetectTemplateData
205  */
206 static void DetectTemplateFree(DetectEngineCtx *de_ctx, void *ptr)
207 {
208  DetectTemplateData *templated = (DetectTemplateData *)ptr;
209 
210  /* do more specific cleanup here, if needed */
211 
212  SCFree(templated);
213 }
214 
215 #ifdef UNITTESTS
216 #include "tests/detect-template.c"
217 #endif
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DETECT_TEMPLATE
@ DETECT_TEMPLATE
Definition: detect-engine-register.h:255
DetectTemplateRegister
void DetectTemplateRegister(void)
Registration function for template: keyword.
Definition: detect-template.c:55
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
DetectTemplateData_
Definition: detect-template.h:32
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
SigTableElmt_::name
const char * name
Definition: detect.h:1211
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1147
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:258
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::payload
uint8_t * payload
Definition: decode.h:549
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:550
util-unittest.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
DetectTemplateData_::arg1
uint8_t arg1
Definition: detect-template.h:33
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
Signature_::flags
uint32_t flags
Definition: detect.h:529
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
Packet_
Definition: decode.h:414
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
detect-template.c
DetectTemplateData_::arg2
uint8_t arg2
Definition: detect-template.h:34
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our keyword options.
Definition: detect-template.c:38
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
detect-template.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
ByteExtractStringUint8
int ByteExtractStringUint8(uint8_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:285
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
DetectTemplateRegisterTests
void DetectTemplateRegisterTests(void)
this function registers unit tests for DetectTemplate
Definition: detect-template.c:58
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:257
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223