suricata
detect-transform-urldecode.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Philippe Antoine <p.antoine@catenacyber.fr>
22  *
23  * Implements the url_decode transform keyword
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-engine.h"
30 #include "detect-engine-prefilter.h"
31 #include "detect-engine-build.h"
32 #include "detect-parse.h"
33 #include "detect-transform-urldecode.h"
34 
35 #include "util-unittest.h"
36 #include "util-print.h"
37 
38 static int DetectTransformUrlDecodeSetup (DetectEngineCtx *, Signature *, const char *);
39 #ifdef UNITTESTS
40 static void DetectTransformUrlDecodeRegisterTests(void);
41 #endif
42 
43 static void TransformUrlDecode(InspectionBuffer *buffer, void *options);
44 
45 void DetectTransformUrlDecodeRegister(void)
46 {
47  sigmatch_table[DETECT_TRANSFORM_URL_DECODE].name = "url_decode";
48  sigmatch_table[DETECT_TRANSFORM_URL_DECODE].desc =
49  "modify buffer to decode urlencoded data before inspection";
50  sigmatch_table[DETECT_TRANSFORM_URL_DECODE].url = "/rules/transforms.html#url-decode";
51  sigmatch_table[DETECT_TRANSFORM_URL_DECODE].Transform =
52  TransformUrlDecode;
53  sigmatch_table[DETECT_TRANSFORM_URL_DECODE].Setup =
54  DetectTransformUrlDecodeSetup;
55 #ifdef UNITTESTS
56  sigmatch_table[DETECT_TRANSFORM_URL_DECODE].RegisterTests =
57  DetectTransformUrlDecodeRegisterTests;
58 #endif
59 
60  sigmatch_table[DETECT_TRANSFORM_URL_DECODE].flags |= SIGMATCH_NOOPT;
61 }
62 
63 /**
64  * \internal
65  * \brief Apply the transform keyword to the last pattern match
66  * \param det_ctx detection engine ctx
67  * \param s signature
68  * \param nullstr should be null
69  * \retval 0 ok
70  * \retval -1 failure
71  */
72 static int DetectTransformUrlDecodeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
73 {
74  SCEnter();
75  int r = DetectSignatureAddTransform(s, DETECT_TRANSFORM_URL_DECODE, NULL);
76  SCReturnInt(r);
77 }
78 
79 // util function so as to ease reuse sometimes
80 static bool BufferUrlDecode(const uint8_t *input, const uint32_t input_len, uint8_t *output, uint32_t *output_size)
81 {
82  bool changed = false;
83  uint8_t *oi = output;
84  //PrintRawDataFp(stdout, input, input_len);
85  for (uint32_t i = 0; i < input_len; i++) {
86  if (input[i] == '%') {
87  if (i + 2 < input_len) {
88  if ((isxdigit(input[i+1])) && (isxdigit(input[i+2]))) {
89  // Decode %HH encoding.
90  *oi = (uint8_t)((input[i + 1] >= 'A' ? ((input[i + 1] & 0xdf) - 'A') + 10
91  : (input[i + 1] - '0'))
92  << 4);
93  *oi |= (input[i+2] >= 'A' ? ((input[i+2] & 0xdf) - 'A') + 10 : (input[i+2] - '0'));
94  oi++;
95  // one more increment before looping
96  i += 2;
97  changed = true;
98  } else {
99  // leaves incorrect percent
100  // does not handle unicode %u encoding
101  *oi++ = input[i];
102  }
103  } else {
104  // leaves trailing incomplete percent
105  *oi++ = input[i];
106  }
107  } else if (input[i] == '+') {
108  *oi++ = ' ';
109  changed = true;
110  } else {
111  *oi++ = input[i];
112  }
113  }
114  *output_size = oi - output;
115  return changed;
116 }
117 
118 static void TransformUrlDecode(InspectionBuffer *buffer, void *options)
119 {
120  uint32_t output_size;
121  bool changed;
122 
123  const uint8_t *input = buffer->inspect;
124  const uint32_t input_len = buffer->inspect_len;
125  if (input_len == 0) {
126  return;
127  }
128  uint8_t output[input_len]; // we can only shrink
129 
130  changed = BufferUrlDecode(input, input_len, output, &output_size);
131 
132  if (changed) {
133  InspectionBufferCopy(buffer, output, output_size);
134  }
135 }
136 
137 #ifdef UNITTESTS
138 static int DetectTransformUrlDecodeTest01(void)
139 {
140  const uint8_t *input = (const uint8_t *)"Suricata%20is+%27%61wesome%21%27%25%30%30%ZZ%4";
141  uint32_t input_len = strlen((char *)input);
142 
143  InspectionBuffer buffer;
144  InspectionBufferInit(&buffer, 8);
145  InspectionBufferSetup(NULL, -1, &buffer, input, input_len);
146  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
147  TransformUrlDecode(&buffer, NULL);
148  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
149  FAIL_IF (buffer.inspect_len != strlen("Suricata is 'awesome!'%00%ZZ%4"));
150  FAIL_IF (memcmp(buffer.inspect, "Suricata is 'awesome!'%00%ZZ%4", buffer.inspect_len) != 0);
151  InspectionBufferFree(&buffer);
152  PASS;
153 }
154 
155 static int DetectTransformUrlDecodeTest02(void)
156 {
157  const char rule[] = "alert http any any -> any any (http.request_body; url_decode; content:\"mail=test@oisf.net\"; sid:1;)";
158  ThreadVars th_v;
159  DetectEngineThreadCtx *det_ctx = NULL;
160  memset(&th_v, 0, sizeof(th_v));
161 
162  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
163  FAIL_IF_NULL(de_ctx);
164  Signature *s = DetectEngineAppendSig(de_ctx, rule);
165  FAIL_IF_NULL(s);
166  SigGroupBuild(de_ctx);
167  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
168  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
169  DetectEngineCtxFree(de_ctx);
170  PASS;
171 }
172 
173 static void DetectTransformUrlDecodeRegisterTests(void)
174 {
175  UtRegisterTest("DetectTransformUrlDecodeTest01",
176  DetectTransformUrlDecodeTest01);
177  UtRegisterTest("DetectTransformUrlDecodeTest02",
178  DetectTransformUrlDecodeTest02);
179 }
180 #endif
SigTableElmt_::url
const char * url
Definition: detect.h:1304
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1303
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:127
SigTableElmt_::name
const char * name
Definition: detect.h:1301
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
InspectionBuffer
Definition: detect.h:373
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1295
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2597
DETECT_TRANSFORM_URL_DECODE
@ DETECT_TRANSFORM_URL_DECODE
Definition: detect-engine-register.h:316
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1286
detect-engine-prefilter.h
util-unittest.h
InspectionBufferInit
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
Definition: detect-engine.c:1555
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1090
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:112
detect-engine-build.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2161
InspectionBufferCopy
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
Definition: detect-engine.c:1641
DetectTransformUrlDecodeRegister
void DetectTransformUrlDecodeRegister(void)
Definition: detect-transform-urldecode.c:45
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3312
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3539
SigTableElmt_::Transform
void(* Transform)(InspectionBuffer *, void *context)
Definition: detect.h:1282
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:376
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:374
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1593
detect-parse.h
Signature_
Signature container.
Definition: detect.h:601
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2558
DetectSignatureAddTransform
int DetectSignatureAddTransform(Signature *s, int transform, void *options)
Definition: detect-parse.c:1712
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1485
detect-transform-urldecode.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
InspectionBufferFree
void InspectionBufferFree(InspectionBuffer *buffer)
Definition: detect-engine.c:1612
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1293