suricata
detect-transform-dotprefix.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Jeff Lucovsky <jeff@lucovsky.org>
22  *
23  * Implements the dotprefix transformation
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-engine.h"
31 #include "detect-parse.h"
33 
34 #include "util-unittest.h"
35 #include "util-print.h"
36 #include "util-memrchr.h"
37 #include "util-memcpy.h"
38 
39 static int DetectTransformDotPrefixSetup (DetectEngineCtx *, Signature *, const char *);
40 #ifdef UNITTESTS
41 static void DetectTransformDotPrefixRegisterTests(void);
42 #endif
43 static void TransformDotPrefix(InspectionBuffer *buffer, void *options);
44 
46 {
49  "modify buffer to extract the dotprefix";
51  "/rules/transforms.html#dotprefix";
53  sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].Setup = DetectTransformDotPrefixSetup;
54 #ifdef UNITTESTS
56  DetectTransformDotPrefixRegisterTests;
57 #endif
59 }
60 
61 /**
62  * \internal
63  * \brief Extract the dotprefix, if any, the last pattern match, either content or uricontent
64  * \param det_ctx detection engine ctx
65  * \param s signature
66  * \param nullstr should be null
67  * \retval 0 ok
68  * \retval -1 failure
69  */
70 static int DetectTransformDotPrefixSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
71 {
72  SCEnter();
74  SCReturnInt(r);
75 }
76 
77 /**
78  * \brief Return the dotprefix, if any, in the last pattern match.
79  *
80  * Input values are modified by prefixing with a ".".
81  *
82  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".google.com"; sid:1;)"
83  * 1. hello.google.com --> match
84  * 2. hey.agoogle.com --> no match
85  * 3. agoogle.com --> no match
86  * 4. something.google.com.au --> match
87  * 5. google.com --> match
88  *
89  * To match on the dotprefix only:
90  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".google.com"; endswith; sid:1;)"
91  *
92  * 1. hello.google.com --> match
93  * 2. hey.agoogle.com --> no match
94  * 3. agoogle.com --> no match
95  * 4. something.google.com.au --> no match
96  * 5. google.com --> match
97  *
98  * To match on a TLD:
99  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".co.uk"; endswith; sid:1;)"
100  *
101  * 1. hello.google.com --> no match
102  * 2. hey.agoogle.com --> no match
103  * 3. agoogle.com --> no match
104  * 4. something.google.co.uk --> match
105  * 5. google.com --> no match
106  */
107 static void TransformDotPrefix(InspectionBuffer *buffer, void *options)
108 {
109  const size_t input_len = buffer->inspect_len;
110 
111  if (input_len) {
112  uint8_t output[input_len + 1]; // For the leading '.'
113 
114  output[0] = '.';
115  memcpy(&output[1], buffer->inspect, input_len);
116  InspectionBufferCopy(buffer, output, input_len + 1);
117  }
118 }
119 
120 #ifdef UNITTESTS
121 static int DetectTransformDotPrefixTest01(void)
122 {
123  const uint8_t *input = (const uint8_t *)"example.com";
124  uint32_t input_len = strlen((char *)input);
125 
126  const char *result = ".example.com";
127  uint32_t result_len = strlen((char *)result);
128 
129  InspectionBuffer buffer;
130  InspectionBufferInit(&buffer, input_len);
131  InspectionBufferSetup(&buffer, input, input_len);
132  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
133  TransformDotPrefix(&buffer, NULL);
134  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
135  FAIL_IF_NOT(buffer.inspect_len == result_len);
136  FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0);
137  InspectionBufferFree(&buffer);
138  PASS;
139 }
140 
141 static int DetectTransformDotPrefixTest02(void)
142 {
143  const uint8_t *input = (const uint8_t *)"hello.example.com";
144  uint32_t input_len = strlen((char *)input);
145 
146  const char *result = ".hello.example.com";
147  uint32_t result_len = strlen((char *)result);
148 
149  InspectionBuffer buffer;
150  InspectionBufferInit(&buffer, input_len);
151  InspectionBufferSetup(&buffer, input, input_len);
152  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
153  TransformDotPrefix(&buffer, NULL);
154  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
155  FAIL_IF_NOT(buffer.inspect_len == result_len);
156  FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0);
157  InspectionBufferFree(&buffer);
158  PASS;
159 }
160 
161 static int DetectTransformDotPrefixTest03(void)
162 {
163  const char rule[] = "alert dns any any -> any any (dns.query; dotprefix; content:\".google.com\"; sid:1;)";
164  ThreadVars th_v;
165  DetectEngineThreadCtx *det_ctx = NULL;
166  memset(&th_v, 0, sizeof(th_v));
167 
171  FAIL_IF_NULL(s);
173  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
174  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
176  PASS;
177 }
178 
179 static void DetectTransformDotPrefixRegisterTests(void)
180 {
181  UtRegisterTest("DetectTransformDotPrefixTest01", DetectTransformDotPrefixTest01);
182  UtRegisterTest("DetectTransformDotPrefixTest02", DetectTransformDotPrefixTest02);
183  UtRegisterTest("DetectTransformDotPrefixTest03", DetectTransformDotPrefixTest03);
184 }
185 #endif
SigTableElmt_::url
const char * url
Definition: detect.h:1213
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1212
SigTableElmt_::name
const char * name
Definition: detect.h:1210
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
InspectionBuffer
Definition: detect.h:343
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1204
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
util-memcpy.h
DetectTransformDotPrefixRegister
void DetectTransformDotPrefixRegister(void)
Definition: detect-transform-dotprefix.c:45
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
detect-engine-prefilter.h
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
InspectionBufferInit
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
Definition: detect-engine.c:1110
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
DETECT_TRANSFORM_DOTPREFIX
@ DETECT_TRANSFORM_DOTPREFIX
Definition: detect-engine-register.h:297
detect-transform-dotprefix.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1878
InspectionBufferCopy
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
Definition: detect-engine.c:1156
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2344
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1120
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SigTableElmt_::Transform
void(* Transform)(InspectionBuffer *, void *context)
Definition: detect.h:1191
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:346
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:344
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
DetectSignatureAddTransform
int DetectSignatureAddTransform(Signature *s, int transform, void *options)
Definition: detect-parse.c:1450
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1379
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
InspectionBufferFree
void InspectionBufferFree(InspectionBuffer *buffer)
Definition: detect-engine.c:1127
util-memrchr.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1202