suricata
detect-transform-dotprefix.c
Go to the documentation of this file.
1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Jeff Lucovsky <jeff@lucovsky.org>
22  *
23  * Implements the dotprefix transformation
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-engine.h"
31 #include "detect-parse.h"
33 
34 #include "util-unittest.h"
35 #include "util-print.h"
36 #include "util-memrchr.h"
37 #include "util-memcpy.h"
38 
39 static int DetectTransformDotPrefixSetup (DetectEngineCtx *, Signature *, const char *);
40 static void DetectTransformDotPrefixRegisterTests(void);
41 
42 static void TransformDotPrefix(InspectionBuffer *buffer);
43 
45 {
48  "modify buffer to extract the dotprefix";
50  DOC_URL DOC_VERSION "/rules/transforms.html#dotprefix";
52  sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].Setup = DetectTransformDotPrefixSetup;
54  DetectTransformDotPrefixRegisterTests;
55 
57 }
58 
59 /**
60  * \internal
61  * \brief Extract the dotprefix, if any, the last pattern match, either content or uricontent
62  * \param det_ctx detection engine ctx
63  * \param s signature
64  * \param nullstr should be null
65  * \retval 0 ok
66  * \retval -1 failure
67  */
68 static int DetectTransformDotPrefixSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
69 {
70  SCEnter();
72  SCReturnInt(r);
73 }
74 
75 /**
76  * \brief Return the dotprefix, if any, in the last pattern match.
77  *
78  * Input values are modified by prefixing with a ".".
79  *
80  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".google.com"; sid:1;)"
81  * 1. hello.google.com --> match
82  * 2. hey.agoogle.com --> no match
83  * 3. agoogle.com --> no match
84  * 4. something.google.com.au --> match
85  * 5. google.com --> match
86  *
87  * To match on the dotprefix only:
88  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".google.com"; endswith; sid:1;)"
89  *
90  * 1. hello.google.com --> match
91  * 2. hey.agoogle.com --> no match
92  * 3. agoogle.com --> no match
93  * 4. something.google.com.au --> no match
94  * 5. google.com --> match
95  *
96  * To match on a TLD:
97  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".co.uk"; endswith; sid:1;)"
98  *
99  * 1. hello.google.com --> no match
100  * 2. hey.agoogle.com --> no match
101  * 3. agoogle.com --> no match
102  * 4. something.google.co.uk --> match
103  * 5. google.com --> no match
104  */
105 static void TransformDotPrefix(InspectionBuffer *buffer)
106 {
107  const size_t input_len = buffer->inspect_len;
108 
109  if (input_len) {
110  uint8_t output[input_len + 1]; // For the leading '.'
111 
112  output[0] = '.';
113  memcpy(&output[1], buffer->inspect, input_len);
114  InspectionBufferCopy(buffer, output, input_len + 1);
115  }
116 }
117 
118 #ifdef UNITTESTS
119 static int DetectTransformDotPrefixTest01(void)
120 {
121  const uint8_t *input = (const uint8_t *)"example.com";
122  uint32_t input_len = strlen((char *)input);
123 
124  const char *result = ".example.com";
125  uint32_t result_len = strlen((char *)result);
126 
127  InspectionBuffer buffer;
128  InspectionBufferInit(&buffer, input_len);
129  InspectionBufferSetup(&buffer, input, input_len);
130  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
131  TransformDotPrefix(&buffer);
132  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
133  FAIL_IF_NOT(buffer.inspect_len == result_len);
134  FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0);
135  InspectionBufferFree(&buffer);
136  PASS;
137 }
138 
139 static int DetectTransformDotPrefixTest02(void)
140 {
141  const uint8_t *input = (const uint8_t *)"hello.example.com";
142  uint32_t input_len = strlen((char *)input);
143 
144  const char *result = ".hello.example.com";
145  uint32_t result_len = strlen((char *)result);
146 
147  InspectionBuffer buffer;
148  InspectionBufferInit(&buffer, input_len);
149  InspectionBufferSetup(&buffer, input, input_len);
150  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
151  TransformDotPrefix(&buffer);
152  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
153  FAIL_IF_NOT(buffer.inspect_len == result_len);
154  FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0);
155  InspectionBufferFree(&buffer);
156  PASS;
157 }
158 
159 static int DetectTransformDotPrefixTest03(void)
160 {
161  const char rule[] = "alert dns any any -> any any (dns.query; dotprefix; content:\".google.com\"; sid:1;)";
162  ThreadVars th_v;
163  DetectEngineThreadCtx *det_ctx = NULL;
164  memset(&th_v, 0, sizeof(th_v));
165 
167  FAIL_IF_NULL(de_ctx);
168  Signature *s = DetectEngineAppendSig(de_ctx, rule);
169  FAIL_IF_NULL(s);
170  SigGroupBuild(de_ctx);
171  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
172  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
173  DetectEngineCtxFree(de_ctx);
174  PASS;
175 }
176 #endif
177 
178 static void DetectTransformDotPrefixRegisterTests(void)
179 {
180 #ifdef UNITTESTS
181  UtRegisterTest("DetectTransformDotPrefixTest01", DetectTransformDotPrefixTest01);
182  UtRegisterTest("DetectTransformDotPrefixTest02", DetectTransformDotPrefixTest02);
183  UtRegisterTest("DetectTransformDotPrefixTest03", DetectTransformDotPrefixTest03);
184 #endif
185 }
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
#define PASS
Pass the test.
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1200
Signature container.
Definition: detect.h:522
int DetectSignatureAddTransform(Signature *s, int transform)
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
void(* Transform)(InspectionBuffer *)
Definition: detect.h:1183
main detection engine ctx
Definition: detect.h:761
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SCEnter(...)
Definition: util-debug.h:337
#define SCReturnInt(x)
Definition: util-debug.h:341
const char * desc
Definition: detect.h:1202
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
#define SIGMATCH_NOOPT
Definition: detect.h:1369
const char * url
Definition: detect.h:1203
uint32_t inspect_len
Definition: detect.h:345
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
const uint8_t * inspect
Definition: detect.h:343
#define DOC_URL
Definition: suricata.h:86
Per thread variable structure.
Definition: threadvars.h:57
void InspectionBufferFree(InspectionBuffer *buffer)
#define DOC_VERSION
Definition: suricata.h:91
uint16_t flags
Definition: detect.h:1194
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void(* RegisterTests)(void)
Definition: detect.h:1192
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DetectEngineCtx * DetectEngineCtxInit(void)
void DetectTransformDotPrefixRegister(void)