suricata
detect-template.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author XXX Yourname <youremail@yourdomain>
22  *
23  * XXX Short description of the purpose of this keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "util-unittest.h"
28 
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 
32 #include "detect-template.h"
33 
34 /**
35  * \brief Regex for parsing our keyword options
36  */
37 #define PARSE_REGEX "^\\s*([0-9]+)?\\s*,s*([0-9]+)?\\s*$"
38 static pcre *parse_regex;
39 static pcre_extra *parse_regex_study;
40 
41 /* Prototypes of functions registered in DetectTemplateRegister below */
42 static int DetectTemplateMatch (DetectEngineThreadCtx *,
43  Packet *, const Signature *, const SigMatchCtx *);
44 static int DetectTemplateSetup (DetectEngineCtx *, Signature *, const char *);
45 static void DetectTemplateFree (void *);
46 #ifdef UNITTESTS
47 static void DetectTemplateRegisterTests (void);
48 #endif
49 
50 /**
51  * \brief Registration function for template: keyword
52  *
53  * This function is called once in the 'lifetime' of the engine.
54  */
56  /* keyword name: this is how the keyword is used in a rule */
57  sigmatch_table[DETECT_TEMPLATE].name = "template";
58  /* description: listed in "suricata --list-keywords=all" */
59  sigmatch_table[DETECT_TEMPLATE].desc = "give an introduction into how a detection module works";
60  /* link to further documentation of the keyword. Normally on the Suricata redmine/wiki */
61  sigmatch_table[DETECT_TEMPLATE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide";
62  /* match function is called when the signature is inspected on a packet */
63  sigmatch_table[DETECT_TEMPLATE].Match = DetectTemplateMatch;
64  /* setup function is called during signature parsing, when the template
65  * keyword is encountered in the rule */
66  sigmatch_table[DETECT_TEMPLATE].Setup = DetectTemplateSetup;
67  /* free function is called when the detect engine is freed. Normally at
68  * shutdown, but also during rule reloads. */
69  sigmatch_table[DETECT_TEMPLATE].Free = DetectTemplateFree;
70 #ifdef UNITTESTS
71  /* registers unittests into the system */
73 #endif
74  /* set up the PCRE for keyword parsing */
75  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
76 }
77 
78 /**
79  * \brief This function is used to match TEMPLATE rule option on a packet
80  *
81  * \param t pointer to thread vars
82  * \param det_ctx pointer to the pattern matcher thread
83  * \param p pointer to the current packet
84  * \param m pointer to the sigmatch with context that we will cast into DetectTemplateData
85  *
86  * \retval 0 no match
87  * \retval 1 match
88  */
89 static int DetectTemplateMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
90  const Signature *s, const SigMatchCtx *ctx)
91 {
92  int ret = 0;
93  const DetectTemplateData *templated = (const DetectTemplateData *) ctx;
94 #if 0
95  if (PKT_IS_PSEUDOPKT(p)) {
96  /* fake pkt */
97  }
98 
99  if (PKT_IS_IPV4(p)) {
100  /* ipv4 pkt */
101  } else if (PKT_IS_IPV6(p)) {
102  /* ipv6 pkt */
103  } else {
104  SCLogDebug("packet is of not IPv4 or IPv6");
105  return ret;
106  }
107 #endif
108  /* packet payload access */
109  if (p->payload != NULL && p->payload_len > 0) {
110  if (templated->arg1 == p->payload[0] &&
111  templated->arg2 == p->payload[p->payload_len - 1])
112  {
113  ret = 1;
114  }
115  }
116 
117  return ret;
118 }
119 
120 /**
121  * \brief This function is used to parse template options passed via template: keyword
122  *
123  * \param templatestr Pointer to the user provided template options
124  *
125  * \retval templated pointer to DetectTemplateData on success
126  * \retval NULL on failure
127  */
128 static DetectTemplateData *DetectTemplateParse (const char *templatestr)
129 {
130  char arg1[4] = "";
131  char arg2[4] = "";
132 #define MAX_SUBSTRINGS 30
133  int ov[MAX_SUBSTRINGS];
134 
135  int ret = pcre_exec(parse_regex, parse_regex_study,
136  templatestr, strlen(templatestr),
137  0, 0, ov, MAX_SUBSTRINGS);
138  if (ret != 3) {
139  SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 "", ret);
140  return NULL;
141  }
142 
143  ret = pcre_copy_substring((char *) templatestr, ov, MAX_SUBSTRINGS, 1, arg1, sizeof(arg1));
144  if (ret < 0) {
145  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
146  return NULL;
147  }
148  SCLogDebug("Arg1 \"%s\"", arg1);
149 
150  ret = pcre_copy_substring((char *) templatestr, ov, MAX_SUBSTRINGS, 2, arg2, sizeof(arg2));
151  if (ret < 0) {
152  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
153  return NULL;
154  }
155  SCLogDebug("Arg2 \"%s\"", arg2);
156 
157  DetectTemplateData *templated = SCMalloc(sizeof (DetectTemplateData));
158  if (unlikely(templated == NULL))
159  return NULL;
160 
161  templated->arg1 = (uint8_t)atoi(arg1);
162  templated->arg2 = (uint8_t)atoi(arg2);
163 
164  return templated;
165 }
166 
167 /**
168  * \brief parse the options from the 'template' keyword in the rule into
169  * the Signature data structure.
170  *
171  * \param de_ctx pointer to the Detection Engine Context
172  * \param s pointer to the Current Signature
173  * \param templatestr pointer to the user provided template options
174  *
175  * \retval 0 on Success
176  * \retval -1 on Failure
177  */
178 static int DetectTemplateSetup (DetectEngineCtx *de_ctx, Signature *s, const char *templatestr)
179 {
180  DetectTemplateData *templated = DetectTemplateParse(templatestr);
181  if (templated == NULL)
182  return -1;
183 
184  SigMatch *sm = SigMatchAlloc();
185  if (sm == NULL) {
186  DetectTemplateFree(templated);
187  return -1;
188  }
189 
190  sm->type = DETECT_TEMPLATE;
191  sm->ctx = (void *)templated;
192 
195 
196  return 0;
197 }
198 
199 /**
200  * \brief this function will free memory associated with DetectTemplateData
201  *
202  * \param ptr pointer to DetectTemplateData
203  */
204 static void DetectTemplateFree(void *ptr)
205 {
206  DetectTemplateData *templated = (DetectTemplateData *)ptr;
207 
208  /* do more specific cleanup here, if needed */
209 
210  SCFree(templated);
211 }
212 
213 #ifdef UNITTESTS
214 #include "tests/detect-template.c"
215 #endif
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
#define SCLogDebug(...)
Definition: util-debug.h:335
uint32_t flags
Definition: detect.h:523
#define unlikely(expr)
Definition: util-optimize.h:35
#define PKT_IS_IPV6(p)
Definition: decode.h:252
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223
const char * name
Definition: detect.h:1200
Signature container.
Definition: detect.h:522
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
#define PKT_IS_IPV4(p)
Definition: decode.h:251
main detection engine ctx
Definition: detect.h:761
void DetectTemplateRegister(void)
Registration function for template: keyword.
void(* Free)(void *)
Definition: detect.h:1191
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1170
uint8_t type
Definition: detect.h:319
const char * desc
Definition: detect.h:1202
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:346
SigMatchCtx * ctx
Definition: detect.h:321
#define SCMalloc(a)
Definition: util-mem.h:222
#define SCFree(a)
Definition: util-mem.h:322
#define PARSE_REGEX
Regex for parsing our keyword options.
const char * url
Definition: detect.h:1203
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1132
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
void DetectTemplateRegisterTests(void)
this function registers unit tests for DetectTemplate
uint16_t payload_len
Definition: decode.h:541
uint8_t * payload
Definition: decode.h:540
void(* RegisterTests)(void)
Definition: detect.h:1192
a single match condition for a signature
Definition: detect.h:318
#define MAX_SUBSTRINGS