suricata
detect-transform-dotprefix.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Jeff Lucovsky <jeff@lucovsky.org>
22  *
23  * Implements the dotprefix transformation
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-engine.h"
31 #include "detect-parse.h"
33 #include "detect-engine-build.h"
34 
35 #include "util-unittest.h"
36 #include "util-print.h"
37 #include "util-memrchr.h"
38 #include "util-memcpy.h"
39 
40 static int DetectTransformDotPrefixSetup (DetectEngineCtx *, Signature *, const char *);
41 #ifdef UNITTESTS
42 static void DetectTransformDotPrefixRegisterTests(void);
43 #endif
44 static void TransformDotPrefix(InspectionBuffer *buffer, void *options);
45 
47 {
50  "modify buffer to extract the dotprefix";
52  "/rules/transforms.html#dotprefix";
54  sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].Setup = DetectTransformDotPrefixSetup;
55 #ifdef UNITTESTS
57  DetectTransformDotPrefixRegisterTests;
58 #endif
60 }
61 
62 /**
63  * \internal
64  * \brief Extract the dotprefix, if any, the last pattern match, either content or uricontent
65  * \param det_ctx detection engine ctx
66  * \param s signature
67  * \param nullstr should be null
68  * \retval 0 ok
69  * \retval -1 failure
70  */
71 static int DetectTransformDotPrefixSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
72 {
73  SCEnter();
75  SCReturnInt(r);
76 }
77 
78 /**
79  * \brief Return the dotprefix, if any, in the last pattern match.
80  *
81  * Input values are modified by prefixing with a ".".
82  *
83  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".google.com"; sid:1;)"
84  * 1. hello.google.com --> match
85  * 2. hey.agoogle.com --> no match
86  * 3. agoogle.com --> no match
87  * 4. something.google.com.au --> match
88  * 5. google.com --> match
89  *
90  * To match on the dotprefix only:
91  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".google.com"; endswith; sid:1;)"
92  *
93  * 1. hello.google.com --> match
94  * 2. hey.agoogle.com --> no match
95  * 3. agoogle.com --> no match
96  * 4. something.google.com.au --> no match
97  * 5. google.com --> match
98  *
99  * To match on a TLD:
100  * Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".co.uk"; endswith; sid:1;)"
101  *
102  * 1. hello.google.com --> no match
103  * 2. hey.agoogle.com --> no match
104  * 3. agoogle.com --> no match
105  * 4. something.google.co.uk --> match
106  * 5. google.com --> no match
107  */
108 static void TransformDotPrefix(InspectionBuffer *buffer, void *options)
109 {
110  const size_t input_len = buffer->inspect_len;
111 
112  if (input_len) {
113  uint8_t output[input_len + 1]; // For the leading '.'
114 
115  output[0] = '.';
116  memcpy(&output[1], buffer->inspect, input_len);
117  InspectionBufferCopy(buffer, output, input_len + 1);
118  }
119 }
120 
121 #ifdef UNITTESTS
122 static int DetectTransformDotPrefixTest01(void)
123 {
124  const uint8_t *input = (const uint8_t *)"example.com";
125  uint32_t input_len = strlen((char *)input);
126 
127  const char *result = ".example.com";
128  uint32_t result_len = strlen((char *)result);
129 
130  InspectionBuffer buffer;
131  InspectionBufferInit(&buffer, input_len);
132  InspectionBufferSetup(NULL, -1, &buffer, input, input_len);
133  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
134  TransformDotPrefix(&buffer, NULL);
135  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
136  FAIL_IF_NOT(buffer.inspect_len == result_len);
137  FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0);
138  InspectionBufferFree(&buffer);
139  PASS;
140 }
141 
142 static int DetectTransformDotPrefixTest02(void)
143 {
144  const uint8_t *input = (const uint8_t *)"hello.example.com";
145  uint32_t input_len = strlen((char *)input);
146 
147  const char *result = ".hello.example.com";
148  uint32_t result_len = strlen((char *)result);
149 
150  InspectionBuffer buffer;
151  InspectionBufferInit(&buffer, input_len);
152  InspectionBufferSetup(NULL, -1, &buffer, input, input_len);
153  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
154  TransformDotPrefix(&buffer, NULL);
155  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
156  FAIL_IF_NOT(buffer.inspect_len == result_len);
157  FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0);
158  InspectionBufferFree(&buffer);
159  PASS;
160 }
161 
162 static int DetectTransformDotPrefixTest03(void)
163 {
164  const char rule[] = "alert dns any any -> any any (dns.query; dotprefix; content:\".google.com\"; sid:1;)";
165  ThreadVars th_v;
166  DetectEngineThreadCtx *det_ctx = NULL;
167  memset(&th_v, 0, sizeof(th_v));
168 
172  FAIL_IF_NULL(s);
174  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
175  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
177  PASS;
178 }
179 
180 static void DetectTransformDotPrefixRegisterTests(void)
181 {
182  UtRegisterTest("DetectTransformDotPrefixTest01", DetectTransformDotPrefixTest01);
183  UtRegisterTest("DetectTransformDotPrefixTest02", DetectTransformDotPrefixTest02);
184  UtRegisterTest("DetectTransformDotPrefixTest03", DetectTransformDotPrefixTest03);
185 }
186 #endif
SigTableElmt_::url
const char * url
Definition: detect.h:1248
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1247
SigTableElmt_::name
const char * name
Definition: detect.h:1245
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
InspectionBuffer
Definition: detect.h:338
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1239
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
util-memcpy.h
DetectTransformDotPrefixRegister
void DetectTransformDotPrefixRegister(void)
Definition: detect-transform-dotprefix.c:46
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2445
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1230
detect-engine-prefilter.h
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
InspectionBufferInit
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
Definition: detect-engine.c:1426
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1034
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:56
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:143
DETECT_TRANSFORM_DOTPREFIX
@ DETECT_TRANSFORM_DOTPREFIX
Definition: detect-engine-register.h:316
detect-engine-build.h
detect-transform-dotprefix.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1953
InspectionBufferCopy
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
Definition: detect-engine.c:1497
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2421
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3154
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3368
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SigTableElmt_::Transform
void(* Transform)(InspectionBuffer *, void *context)
Definition: detect.h:1226
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:341
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:339
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1450
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2406
DetectSignatureAddTransform
int DetectSignatureAddTransform(Signature *s, int transform, void *options)
Definition: detect-parse.c:1465
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1431
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
InspectionBufferFree
void InspectionBufferFree(InspectionBuffer *buffer)
Definition: detect-engine.c:1468
util-memrchr.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1237