suricata
detect-template.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author XXX Yourname <youremail@yourdomain>
22  *
23  * XXX Short description of the purpose of this keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "util-unittest.h"
28 #include "util-byte.h"
29 
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 
33 #include "detect-template.h"
34 
35 /**
36  * \brief Regex for parsing our keyword options
37  */
38 #define PARSE_REGEX "^\\s*([0-9]+)?\\s*,s*([0-9]+)?\\s*$"
39 static DetectParseRegex parse_regex;
40 
41 /* Prototypes of functions registered in DetectTemplateRegister below */
42 static int DetectTemplateMatch (DetectEngineThreadCtx *,
43  Packet *, const Signature *, const SigMatchCtx *);
44 static int DetectTemplateSetup (DetectEngineCtx *, Signature *, const char *);
45 static void DetectTemplateFree (DetectEngineCtx *, void *);
46 #ifdef UNITTESTS
47 static void DetectTemplateRegisterTests (void);
48 #endif
49 
50 /**
51  * \brief Registration function for template: keyword
52  *
53  * This function is called once in the 'lifetime' of the engine.
54  */
56  /* keyword name: this is how the keyword is used in a rule */
57  sigmatch_table[DETECT_TEMPLATE].name = "template";
58  /* description: listed in "suricata --list-keywords=all" */
59  sigmatch_table[DETECT_TEMPLATE].desc = "give an introduction into how a detection module works";
60  /* link to further documentation of the keyword. Normally on the Suricata redmine/wiki */
61  sigmatch_table[DETECT_TEMPLATE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide";
62  /* match function is called when the signature is inspected on a packet */
63  sigmatch_table[DETECT_TEMPLATE].Match = DetectTemplateMatch;
64  /* setup function is called during signature parsing, when the template
65  * keyword is encountered in the rule */
66  sigmatch_table[DETECT_TEMPLATE].Setup = DetectTemplateSetup;
67  /* free function is called when the detect engine is freed. Normally at
68  * shutdown, but also during rule reloads. */
69  sigmatch_table[DETECT_TEMPLATE].Free = DetectTemplateFree;
70 #ifdef UNITTESTS
71  /* registers unittests into the system */
73 #endif
74  /* set up the PCRE for keyword parsing */
75  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
76 }
77 
78 /**
79  * \brief This function is used to match TEMPLATE rule option on a packet
80  *
81  * \param t pointer to thread vars
82  * \param det_ctx pointer to the pattern matcher thread
83  * \param p pointer to the current packet
84  * \param m pointer to the sigmatch with context that we will cast into DetectTemplateData
85  *
86  * \retval 0 no match
87  * \retval 1 match
88  */
89 static int DetectTemplateMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
90  const Signature *s, const SigMatchCtx *ctx)
91 {
92  int ret = 0;
93  const DetectTemplateData *templated = (const DetectTemplateData *) ctx;
94 #if 0
95  if (PKT_IS_PSEUDOPKT(p)) {
96  /* fake pkt */
97  }
98 
99  if (PKT_IS_IPV4(p)) {
100  /* ipv4 pkt */
101  } else if (PKT_IS_IPV6(p)) {
102  /* ipv6 pkt */
103  } else {
104  SCLogDebug("packet is of not IPv4 or IPv6");
105  return ret;
106  }
107 #endif
108  /* packet payload access */
109  if (p->payload != NULL && p->payload_len > 0) {
110  if (templated->arg1 == p->payload[0] &&
111  templated->arg2 == p->payload[p->payload_len - 1])
112  {
113  ret = 1;
114  }
115  }
116 
117  return ret;
118 }
119 
120 /**
121  * \brief This function is used to parse template options passed via template: keyword
122  *
123  * \param templatestr Pointer to the user provided template options
124  *
125  * \retval templated pointer to DetectTemplateData on success
126  * \retval NULL on failure
127  */
128 static DetectTemplateData *DetectTemplateParse (const char *templatestr)
129 {
130  char arg1[4] = "";
131  char arg2[4] = "";
132  size_t pcre2len;
133 
134  int ret = DetectParsePcreExec(&parse_regex, templatestr, 0, 0);
135  if (ret != 3) {
136  SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 "", ret);
137  return NULL;
138  }
139 
140  pcre2len = sizeof(arg1);
141  ret = pcre2_substring_copy_bynumber(parse_regex.match, 1, (PCRE2_UCHAR8 *)arg1, &pcre2len);
142  if (ret < 0) {
143  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
144  return NULL;
145  }
146  SCLogDebug("Arg1 \"%s\"", arg1);
147 
148  pcre2len = sizeof(arg2);
149  ret = pcre2_substring_copy_bynumber(parse_regex.match, 2, (PCRE2_UCHAR8 *)arg2, &pcre2len);
150  if (ret < 0) {
151  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
152  return NULL;
153  }
154  SCLogDebug("Arg2 \"%s\"", arg2);
155 
156  DetectTemplateData *templated = SCMalloc(sizeof (DetectTemplateData));
157  if (unlikely(templated == NULL))
158  return NULL;
159 
160  if (ByteExtractStringUint8(&templated->arg1, 10, 0, (const char *)arg1) < 0) {
161  SCFree(templated);
162  return NULL;
163  }
164  if (ByteExtractStringUint8(&templated->arg2, 10, 0, (const char *)arg2) < 0) {
165  SCFree(templated);
166  return NULL;
167  }
168  return templated;
169 }
170 
171 /**
172  * \brief parse the options from the 'template' keyword in the rule into
173  * the Signature data structure.
174  *
175  * \param de_ctx pointer to the Detection Engine Context
176  * \param s pointer to the Current Signature
177  * \param templatestr pointer to the user provided template options
178  *
179  * \retval 0 on Success
180  * \retval -1 on Failure
181  */
182 static int DetectTemplateSetup (DetectEngineCtx *de_ctx, Signature *s, const char *templatestr)
183 {
184  DetectTemplateData *templated = DetectTemplateParse(templatestr);
185  if (templated == NULL)
186  return -1;
187 
188  SigMatch *sm = SigMatchAlloc();
189  if (sm == NULL) {
190  DetectTemplateFree(de_ctx, templated);
191  return -1;
192  }
193 
194  sm->type = DETECT_TEMPLATE;
195  sm->ctx = (void *)templated;
196 
199 
200  return 0;
201 }
202 
203 /**
204  * \brief this function will free memory associated with DetectTemplateData
205  *
206  * \param ptr pointer to DetectTemplateData
207  */
208 static void DetectTemplateFree(DetectEngineCtx *de_ctx, void *ptr)
209 {
210  DetectTemplateData *templated = (DetectTemplateData *)ptr;
211 
212  /* do more specific cleanup here, if needed */
213 
214  SCFree(templated);
215 }
216 
217 #ifdef UNITTESTS
218 #include "tests/detect-template.c"
219 #endif
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
SigTableElmt_::url
const char * url
Definition: detect.h:1238
DETECT_TEMPLATE
@ DETECT_TEMPLATE
Definition: detect-engine-register.h:269
DetectTemplateRegister
void DetectTemplateRegister(void)
Registration function for template: keyword.
Definition: detect-template.c:55
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1237
DetectTemplateData_
Definition: detect-template.h:32
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2488
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1225
DetectParseRegex
Definition: detect-parse.h:44
SigTableElmt_::name
const char * name
Definition: detect.h:1235
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1058
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:246
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
Packet_::payload
uint8_t * payload
Definition: decode.h:573
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:574
util-unittest.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1024
DetectTemplateData_::arg1
uint8_t arg1
Definition: detect-template.h:33
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2611
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:78
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
Signature_::flags
uint32_t flags
Definition: detect.h:540
Packet_
Definition: decode.h:428
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1203
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:238
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
detect-template.c
ByteExtractStringUint8
int ByteExtractStringUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:285
DetectTemplateData_::arg2
uint8_t arg2
Definition: detect-template.h:34
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:314
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our keyword options.
Definition: detect-template.c:38
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
detect-template.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
SigMatch_
a single match condition for a signature
Definition: detect.h:313
DetectTemplateRegisterTests
void DetectTemplateRegisterTests(void)
this function registers unit tests for DetectTemplate
Definition: detect-template.c:58
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:245
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:352
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1227
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:215