suricata
detect-transform-compress-whitespace.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the nocase keyword
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-engine.h"
30 #include "detect-engine-prefilter.h"
31 #include "detect-parse.h"
32 #include "detect-transform-compress-whitespace.h"
33 
34 #include "util-unittest.h"
35 #include "util-print.h"
36 
37 static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *, Signature *, const char *);
38 static void DetectTransformCompressWhitespaceRegisterTests(void);
39 
40 static void TransformCompressWhitespace(InspectionBuffer *buffer);
41 
42 void DetectTransformCompressWhitespaceRegister(void)
43 {
44  sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].name = "compress_whitespace";
45  sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].desc =
46  "modify buffer to strip whitespace before inspection";
47  sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].url =
48  DOC_URL DOC_VERSION "/rules/transforms.html#compress-whitespace";
49  sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].Transform =
50  TransformCompressWhitespace;
51  sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].Setup =
52  DetectTransformCompressWhitespaceSetup;
53  sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].RegisterTests =
54  DetectTransformCompressWhitespaceRegisterTests;
55 
56  sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].flags |= SIGMATCH_NOOPT;
57 }
58 
59 /**
60  * \internal
61  * \brief Apply the nocase keyword to the last pattern match, either content or uricontent
62  * \param det_ctx detection engine ctx
63  * \param s signature
64  * \param nullstr should be null
65  * \retval 0 ok
66  * \retval -1 failure
67  */
68 static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
69 {
70  SCEnter();
71  int r = DetectSignatureAddTransform(s, DETECT_TRANSFORM_COMPRESS_WHITESPACE);
72  SCReturnInt(r);
73 }
74 
75 static void TransformCompressWhitespace(InspectionBuffer *buffer)
76 {
77  const uint8_t *input = buffer->inspect;
78  const uint32_t input_len = buffer->inspect_len;
79  uint8_t output[input_len]; // we can only shrink
80  uint8_t *oi = output, *os = output;
81 
82  //PrintRawDataFp(stdout, input, input_len);
83  for (uint32_t i = 0; i < input_len; ) {
84  if (!(isspace(*input))) {
85  *oi++ = *input++;
86  i++;
87  } else {
88  *oi++ = *input++;
89  i++;
90 
91  while (i < input_len && isspace(*input)) {
92  input++;
93  i++;
94  }
95  }
96  }
97  uint32_t output_size = oi - os;
98  //PrintRawDataFp(stdout, output, output_size);
99 
100  InspectionBufferCopy(buffer, os, output_size);
101 }
102 
103 #ifdef UNITTESTS
104 static int TransformDoubleWhitespace(InspectionBuffer *buffer)
105 {
106  const uint8_t *input = buffer->inspect;
107  const uint32_t input_len = buffer->inspect_len;
108  uint8_t output[input_len * 2]; // if all chars are whitespace this fits
109  uint8_t *oi = output, *os = output;
110 
111  PrintRawDataFp(stdout, input, input_len);
112  for (uint32_t i = 0; i < input_len; i++) {
113  if (isspace(*input)) {
114  *oi++ = *input;
115  }
116  *oi++ = *input;
117  input++;
118  }
119  uint32_t output_size = oi - os;
120  PrintRawDataFp(stdout, output, output_size);
121 
122  InspectionBufferCopy(buffer, os, output_size);
123  return 0;
124 }
125 
126 static int DetectTransformCompressWhitespaceTest01(void)
127 {
128  const uint8_t *input = (const uint8_t *)" A B C D ";
129  uint32_t input_len = strlen((char *)input);
130 
131  InspectionBuffer buffer;
132  InspectionBufferInit(&buffer, 8);
133  InspectionBufferSetup(&buffer, input, input_len);
134  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
135  TransformCompressWhitespace(&buffer);
136  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
137  InspectionBufferFree(&buffer);
138  PASS;
139 }
140 
141 static int DetectTransformCompressWhitespaceTest02(void)
142 {
143  const uint8_t *input = (const uint8_t *)" A B C D ";
144  uint32_t input_len = strlen((char *)input);
145 
146  InspectionBuffer buffer;
147  InspectionBufferInit(&buffer, 8);
148  InspectionBufferSetup(&buffer, input, input_len);
149  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
150  TransformDoubleWhitespace(&buffer);
151  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
152  TransformDoubleWhitespace(&buffer);
153  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
154  TransformCompressWhitespace(&buffer);
155  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
156  InspectionBufferFree(&buffer);
157  PASS;
158 }
159 
160 static int DetectTransformCompressWhitespaceTest03(void)
161 {
162  const char rule[] = "alert http any any -> any any (http_request_line; strip_whitespace; content:\"GET/HTTP\"; sid:1;)";
163  ThreadVars th_v;
164  DetectEngineThreadCtx *det_ctx = NULL;
165  memset(&th_v, 0, sizeof(th_v));
166 
167  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
168  FAIL_IF_NULL(de_ctx);
169  Signature *s = DetectEngineAppendSig(de_ctx, rule);
170  FAIL_IF_NULL(s);
171  SigGroupBuild(de_ctx);
172  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
173  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
174  DetectEngineCtxFree(de_ctx);
175  PASS;
176 }
177 
178 #endif
179 
180 static void DetectTransformCompressWhitespaceRegisterTests(void)
181 {
182 #ifdef UNITTESTS
183  UtRegisterTest("DetectTransformCompressWhitespaceTest01",
184  DetectTransformCompressWhitespaceTest01);
185  UtRegisterTest("DetectTransformCompressWhitespaceTest02",
186  DetectTransformCompressWhitespaceTest02);
187  UtRegisterTest("DetectTransformCompressWhitespaceTest03",
188  DetectTransformCompressWhitespaceTest03);
189 #endif
190 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2190
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383
SigTableElmt_::name
const char * name
Definition: detect.h:1160
Signature_
Signature container.
Definition: detect.h:492
DetectSignatureAddTransform
int DetectSignatureAddTransform(Signature *s, int transform)
Definition: detect-parse.c:1356
InspectionBufferInit
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
Definition: detect-engine.c:920
SigTableElmt_::Transform
void(* Transform)(InspectionBuffer *)
Definition: detect.h:1143
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:720
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2591
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1893
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
SigTableElmt_::desc
const char * desc
Definition: detect.h:1162
DetectTransformCompressWhitespaceRegister
void DetectTransformCompressWhitespaceRegister(void)
Definition: detect-transform-compress-whitespace.c:42
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
InspectionBufferCopy
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
Definition: detect-engine.c:966
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:930
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1328
SigTableElmt_::url
const char * url
Definition: detect.h:1163
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:350
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:349
DOC_URL
#define DOC_URL
Definition: suricata.h:86
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:962
InspectionBufferFree
void InspectionBufferFree(InspectionBuffer *buffer)
Definition: detect-engine.c:937
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1154
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1152
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640