suricata
detect-transform-dotprefix.c
Go to the documentation of this file.
1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Jeff Lucovsky <jeff@lucovsky.org>
22  *
23  * Implements the dotprefix transformation
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-engine.h"
30 #include "detect-engine-prefilter.h"
31 #include "detect-parse.h"
32 #include "detect-transform-dotprefix.h"
33 
34 #include "util-unittest.h"
35 #include "util-print.h"
36 #include "util-memrchr.h"
37 #include "util-memcpy.h"
38 
39 static int DetectTransformDotPrefixSetup (DetectEngineCtx *, Signature *, const char *);
40 static void DetectTransformDotPrefixRegisterTests(void);
41 
42 static void TransformDotPrefix(InspectionBuffer *buffer);
43 
44 void DetectTransformDotPrefixRegister(void)
45 {
46  sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].name = "dotprefix";
47  sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].desc =
48  "modify buffer to extract the dotprefix";
49  sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].url =
50  DOC_URL DOC_VERSION "/rules/transforms.html#dotprefix";
51  sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].Transform = TransformDotPrefix;
52  sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].Setup = DetectTransformDotPrefixSetup;
53  sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].RegisterTests =
54  DetectTransformDotPrefixRegisterTests;
55 
56  sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].flags |= SIGMATCH_NOOPT;
57 }
58 
59 /**
60  * \internal
61  * \brief Extract the dotprefix, if any, the last pattern match, either content or uricontent
62  * \param det_ctx detection engine ctx
63  * \param s signature
64  * \param nullstr should be null
65  * \retval 0 ok
66  * \retval -1 failure
67  */
68 static int DetectTransformDotPrefixSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
69 {
70  SCEnter();
71  int r = DetectSignatureAddTransform(s, DETECT_TRANSFORM_DOTPREFIX);
72  SCReturnInt(r);
73 }
74 
75 /**
76  * \brief Return the dotprefix, if any, in the last pattern match.
77  *
78  * Input values are modified by prefixing with a ".".
79  *
80  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".google.com"; sid:1;)"
81  * 1. hello.google.com --> match
82  * 2. hey.agoogle.com --> no match
83  * 3. agoogle.com --> no match
84  * 4. something.google.com.au --> match
85  * 5. google.com --> match
86  *
87  * To match on the dotprefix only:
88  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".google.com"; endswith; sid:1;)"
89  *
90  * 1. hello.google.com --> match
91  * 2. hey.agoogle.com --> no match
92  * 3. agoogle.com --> no match
93  * 4. something.google.com.au --> no match
94  * 5. google.com --> match
95  *
96  * To match on a TLD:
97  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".co.uk"; endswith; sid:1;)"
98  *
99  * 1. hello.google.com --> no match
100  * 2. hey.agoogle.com --> no match
101  * 3. agoogle.com --> no match
102  * 4. something.google.co.uk --> match
103  * 5. google.com --> no match
104  */
105 static void TransformDotPrefix(InspectionBuffer *buffer)
106 {
107  const size_t input_len = buffer->inspect_len;
108 
109  if (input_len) {
110  uint8_t output[input_len + 1]; // For the leading '.'
111 
112  output[0] = '.';
113  memcpy(&output[1], buffer->inspect, input_len);
114  InspectionBufferCopy(buffer, output, input_len + 1);
115  }
116 }
117 
118 #ifdef UNITTESTS
119 static int DetectTransformDotPrefixTest01(void)
120 {
121  const uint8_t *input = (const uint8_t *)"example.com";
122  uint32_t input_len = strlen((char *)input);
123 
124  const char *result = ".example.com";
125  uint32_t result_len = strlen((char *)result);
126 
127  InspectionBuffer buffer;
128  InspectionBufferInit(&buffer, input_len);
129  InspectionBufferSetup(&buffer, input, input_len);
130  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
131  TransformDotPrefix(&buffer);
132  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
133  FAIL_IF_NOT(buffer.inspect_len == result_len);
134  FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0);
135  InspectionBufferFree(&buffer);
136  PASS;
137 }
138 
139 static int DetectTransformDotPrefixTest02(void)
140 {
141  const uint8_t *input = (const uint8_t *)"hello.example.com";
142  uint32_t input_len = strlen((char *)input);
143 
144  const char *result = ".hello.example.com";
145  uint32_t result_len = strlen((char *)result);
146 
147  InspectionBuffer buffer;
148  InspectionBufferInit(&buffer, input_len);
149  InspectionBufferSetup(&buffer, input, input_len);
150  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
151  TransformDotPrefix(&buffer);
152  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
153  FAIL_IF_NOT(buffer.inspect_len == result_len);
154  FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0);
155  InspectionBufferFree(&buffer);
156  PASS;
157 }
158 
159 static int DetectTransformDotPrefixTest03(void)
160 {
161  const char rule[] = "alert dns any any -> any any (dns.query; dotprefix; content:\".google.com\"; sid:1;)";
162  ThreadVars th_v;
163  DetectEngineThreadCtx *det_ctx = NULL;
164  memset(&th_v, 0, sizeof(th_v));
165 
166  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
167  FAIL_IF_NULL(de_ctx);
168  Signature *s = DetectEngineAppendSig(de_ctx, rule);
169  FAIL_IF_NULL(s);
170  SigGroupBuild(de_ctx);
171  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
172  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
173  DetectEngineCtxFree(de_ctx);
174  PASS;
175 }
176 #endif
177 
178 static void DetectTransformDotPrefixRegisterTests(void)
179 {
180 #ifdef UNITTESTS
181  UtRegisterTest("DetectTransformDotPrefixTest01", DetectTransformDotPrefixTest01);
182  UtRegisterTest("DetectTransformDotPrefixTest02", DetectTransformDotPrefixTest02);
183  UtRegisterTest("DetectTransformDotPrefixTest03", DetectTransformDotPrefixTest03);
184 #endif
185 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2298
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2770
SigTableElmt_::name
const char * name
Definition: detect.h:1200
Signature_
Signature container.
Definition: detect.h:522
DetectSignatureAddTransform
int DetectSignatureAddTransform(Signature *s, int transform)
Definition: detect-parse.c:1439
InspectionBufferInit
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
Definition: detect-engine.c:1082
SigTableElmt_::Transform
void(* Transform)(InspectionBuffer *)
Definition: detect.h:1183
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2978
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
SigTableElmt_::desc
const char * desc
Definition: detect.h:1202
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
InspectionBufferCopy
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
Definition: detect-engine.c:1128
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1092
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1369
SigTableElmt_::url
const char * url
Definition: detect.h:1203
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:345
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:343
DOC_URL
#define DOC_URL
Definition: suricata.h:86
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:1003
InspectionBufferFree
void InspectionBufferFree(InspectionBuffer *buffer)
Definition: detect-engine.c:1099
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1194
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2074
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1192
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2029
DetectTransformDotPrefixRegister
void DetectTransformDotPrefixRegister(void)
Definition: detect-transform-dotprefix.c:44