suricata
util-lua-smtp.c
Go to the documentation of this file.
1 /* Copyright (C) 2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author casec Bachelors group
22  * \author Lauritz Prag Sømme <lauritz24@me.com>
23  * \author Levi Tobiassen <levi.tobiassen@gmail.com>
24  * \author Stian Hoel Bergseth <stian.bergseth@hig.no>
25  * \author Vinjar Hillestad <vinjar.hillestad@hig.no>
26  */
27 
28 #include "suricata-common.h"
29 
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "threadvars.h"
34 #include "tm-threads.h"
35 #include "output.h"
36 
37 #include "app-layer-smtp.h"
38 
39 #include "lua.h"
40 #include "lualib.h"
41 
42 #include "util-lua.h"
43 #include "util-lua-common.h"
44 #include "util-lua-smtp.h"
45 #include "util-file.h"
46 
47 /*
48  * \brief internal function used by SMTPGetMimeField
49  *
50  * \param luastate luastate stack to use and push attributes to
51  * \param flow network flow of SMTP packets
52  * \param name name of the attribute to extract from MimeDecField
53  *
54  * \retval 1 if success mimefield found and pushed to stack. Returns error
55  * int and msg pushed to luastate stack if error occurs.
56  */
57 
58 static int GetMimeDecField(lua_State *luastate, Flow *flow, const char *name)
59 {
60  /* extract state from flow */
61  SMTPState *state = (SMTPState *) FlowGetAppState(flow);
62  /* check that state exists */
63  if(state == NULL) {
64  return LuaCallbackError(luastate, "Internal error: no state in flow");
65  }
66  /* pointer to current transaction in state */
67  SMTPTransaction *smtp_tx = state->curr_tx;
68  if(smtp_tx == NULL) {
69  return LuaCallbackError(luastate, "Transaction ending or not found");
70  }
71  /* pointer to tail of msg list of MimeStateSMTP in current transaction. */
72  MimeStateSMTP *mime = smtp_tx->mime_state;
73  /* check if msg_tail was hit */
74  if(mime == NULL){
75  return LuaCallbackError(luastate, "Internal error: no fields in transaction");
76  }
77  /* extract MIME field based on specific field name. */
78  const uint8_t *field_value;
79  uint32_t field_len;
80  /* check MIME field */
81  if (!SCMimeSmtpGetHeader(mime, name, &field_value, &field_len)) {
82  return LuaCallbackError(luastate, "Error: mimefield not found");
83  }
84  if (field_len == 0) {
85  return LuaCallbackError(luastate, "Error, pointer error");
86  }
87  return LuaPushStringBuffer(luastate, field_value, field_len);
88 }
89 
90 /**
91  * \brief Function extracts specific MIME field based on argument from luastate
92  * stack then pushing the attribute onto the luastate stack.
93  *
94  * \param luastate luastate stack to pop and push attributes for I/O to lua
95  *
96  * \retval 1 if success mimefield found and pushed to stack. Returns error
97  * int and msg pushed to luastate stack if error occurs.
98  */
99 
100 static int SMTPGetMimeField(lua_State *luastate)
101 {
102  if(!(LuaStateNeedProto(luastate, ALPROTO_SMTP))) {
103  return LuaCallbackError(luastate, "error: protocol not SMTP");
104  }
105  Flow *flow = LuaStateGetFlow(luastate);
106  /* check that flow exist */
107  if(flow == NULL) {
108  return LuaCallbackError(luastate, "Error: no flow found");
109  }
110  const char *name = LuaGetStringArgument(luastate, 1);
111  if (name == NULL)
112  return LuaCallbackError(luastate, "1st argument missing, empty or wrong type");
113 
114  GetMimeDecField(luastate, flow, name);
115 
116  return 1;
117 }
118 
119 /**
120  * \brief Internal function used by SMTPGetMimeList
121  *
122  * \param luastate luastate stack to pop and push attributes for I/O to lua
123  * \param flow network flow of SMTP packets
124  *
125  * \retval 1 if the mimelist table is pushed to luastate stack.
126  * Returns error int and msg pushed to luastate stack if error occurs.
127 */
128 
129 static int GetMimeList(lua_State *luastate, Flow *flow)
130 {
131 
132  SMTPState *state = (SMTPState *) FlowGetAppState(flow);
133  if(state == NULL) {
134  return LuaCallbackError(luastate, "Error: no SMTP state");
135  }
136  /* Create a pointer to the current SMTPtransaction */
137  SMTPTransaction *smtp_tx = state->curr_tx;
138  if(smtp_tx == NULL) {
139  return LuaCallbackError(luastate, "Error: no SMTP transaction found");
140  }
141  /* Create a pointer to the tail of MimeStateSMTP list */
142  MimeStateSMTP *mime = smtp_tx->mime_state;
143  if(mime == NULL) {
144  return LuaCallbackError(luastate, "Error: no mime entity found");
145  }
146  const uint8_t *field_name;
147  uint32_t field_len;
148  /* Counter of MIME fields found */
149  int num = 1;
150  /* loop trough the list of mimeFields, printing each name found */
151  lua_newtable(luastate);
152  while (SCMimeSmtpGetHeaderName(mime, &field_name, &field_len, (uint32_t)num)) {
153  if (field_len != 0) {
154  lua_pushinteger(luastate,num++);
155  LuaPushStringBuffer(luastate, field_name, field_len);
156  lua_settable(luastate,-3);
157  }
158  }
159  return 1;
160 }
161 
162 /**
163  * \brief Lists name and value to all MIME fields which
164  * is included in a SMTP transaction.
165  *
166  * \param luastate luastate stack to pop and push attributes for I/O to lua.
167  *
168  * \retval 1 if the table is pushed to lua.
169  * Returns error int and msg pushed to luastate stack if error occurs
170  *
171  */
172 
173 static int SMTPGetMimeList(lua_State *luastate)
174 {
175  /* Check if right protocol */
176  if(!(LuaStateNeedProto(luastate, ALPROTO_SMTP))) {
177  return LuaCallbackError(luastate, "Error: protocol not SMTP");
178  }
179  /* Extract network flow */
180  Flow *flow = LuaStateGetFlow(luastate);
181  if(flow == NULL) {
182  return LuaCallbackError(luastate, "Error: no flow found");
183  }
184 
185  GetMimeList(luastate, flow);
186 
187  return 1;
188 }
189 
190 /**
191  * \brief internal function used by SMTPGetMailFrom
192  *
193  * \param luastate luastate stack to pop and push attributes for I/O to lua.
194  * \param flow flow to get state for SMTP
195  *
196  * \retval 1 if mailfrom field found.
197  * Returns error int and msg pushed to luastate stack if error occurs
198  */
199 
200 static int GetMailFrom(lua_State *luastate, Flow *flow)
201 {
202  /* Extract SMTPstate from current flow */
203  SMTPState *state = (SMTPState *) FlowGetAppState(flow);
204 
205  if(state == NULL) {
206  return LuaCallbackError(luastate, "Internal Error: no state");
207  }
208  SMTPTransaction *smtp_tx = state->curr_tx;
209  if(smtp_tx == NULL) {
210  return LuaCallbackError(luastate, "Internal Error: no SMTP transaction");
211  }
212  if(smtp_tx->mail_from == NULL || smtp_tx->mail_from_len == 0) {
213  return LuaCallbackError(luastate, "MailFrom not found");
214  }
215  return LuaPushStringBuffer(luastate, smtp_tx->mail_from, smtp_tx->mail_from_len);
216  /* Returns 1 because we never push more then 1 item to the lua stack */
217 }
218 
219 /**
220  * \brief Extracts mail_from parameter from SMTPState.
221  * Attribute may also be available from mimefields, although there is no
222  * guarantee of it existing as mime.
223  *
224  * \param luastate luastate stack to pop and push attributes for I/O to lua.
225  *
226  * \retval 1 if mailfrom field found.
227  * Returns error int and msg pushed to luastate stack if error occurs
228  */
229 
230 static int SMTPGetMailFrom(lua_State *luastate)
231 {
232  /* check protocol */
233  if(!(LuaStateNeedProto(luastate, ALPROTO_SMTP))) {
234  return LuaCallbackError(luastate, "Error: protocol not SMTP");
235  }
236  /* Extract flow, with lockhint to check mutexlocking */
237  Flow *flow = LuaStateGetFlow(luastate);
238  if(flow == NULL) {
239  return LuaCallbackError(luastate, "Internal Error: no flow");
240  }
241 
242  GetMailFrom(luastate, flow);
243 
244  return 1;
245 }
246 
247 /**
248  * \brief intern function used by SMTPGetRcpList
249  *
250  * \param luastate luastate stack for internal communication with Lua.
251  * Used to hand over data to the receiving luascript.
252  *
253  * \retval 1 if the table is pushed to lua.
254  * Returns error int and msg pushed to luastate stack if error occurs
255  */
256 
257 static int GetRcptList(lua_State *luastate, Flow *flow)
258 {
259 
260  SMTPState *state = (SMTPState *) FlowGetAppState(flow);
261  if(state == NULL) {
262  return LuaCallbackError(luastate, "Internal error, no state");
263  }
264 
265  SMTPTransaction *smtp_tx = state->curr_tx;
266  if(smtp_tx == NULL) {
267  return LuaCallbackError(luastate, "No more tx, or tx not found");
268  }
269 
270  /* Create a new table in luastate for rcpt list */
271  lua_newtable(luastate);
272  /* rcpt var for iterator */
273  int u = 1;
274  SMTPString *rcpt;
275 
276  TAILQ_FOREACH(rcpt, &smtp_tx->rcpt_to_list, next) {
277  lua_pushinteger(luastate, u++);
278  LuaPushStringBuffer(luastate, rcpt->str, rcpt->len);
279  lua_settable(luastate, -3);
280  }
281  /* return 1 since we always push one table to luastate */
282  return 1;
283 }
284 
285 /**
286  * \brief function loops through rcpt-list located in
287  * flow->SMTPState->SMTPTransaction, adding all items to a table.
288  * Then pushing it to the luastate stack.
289  *
290  * \param luastate luastate stack for internal communication with Lua.
291  * Used to hand over data to the receiving luascript.
292  *
293  * \retval 1 if the table is pushed to lua.
294  * Returns error int and msg pushed to luastate stack if error occurs
295  */
296 
297 static int SMTPGetRcptList(lua_State *luastate)
298 {
299  /* check protocol */
300  if(!(LuaStateNeedProto(luastate, ALPROTO_SMTP))) {
301  return LuaCallbackError(luastate, "Error: protocol not SMTP");
302  }
303  /* Extract flow, with lockhint to check mutexlocking */
304  Flow *flow = LuaStateGetFlow(luastate);
305  if(flow == NULL) {
306  return LuaCallbackError(luastate, "Internal error: no flow");
307  }
308 
309  GetRcptList(luastate, flow);
310 
311  /* return 1 since we always push one table to luastate */
312  return 1;
313 }
314 
315 int LuaRegisterSmtpFunctions(lua_State *luastate)
316 {
317 
318  lua_pushcfunction(luastate, SMTPGetMimeField);
319  lua_setglobal(luastate, "SMTPGetMimeField");
320 
321  lua_pushcfunction(luastate, SMTPGetMimeList);
322  lua_setglobal(luastate, "SMTPGetMimeList");
323 
324  lua_pushcfunction(luastate, SMTPGetMailFrom);
325  lua_setglobal(luastate, "SMTPGetMailFrom");
326 
327  lua_pushcfunction(luastate, SMTPGetRcptList);
328  lua_setglobal(luastate, "SMTPGetRcptList");
329 
330  return 0;
331 }
tm-threads.h
SMTPState_
Definition: app-layer-smtp.h:116
util-lua-common.h
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
util-lua.h
LuaCallbackError
int LuaCallbackError(lua_State *luastate, const char *msg)
Definition: util-lua-common.c:59
threads.h
Flow_
Flow data structure.
Definition: flow.h:356
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
LuaGetStringArgument
const char * LuaGetStringArgument(lua_State *luastate, int idx)
Definition: util-lua-common.c:66
lua_State
struct lua_State lua_State
Definition: suricata-common.h:515
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
SMTPTransaction_::mail_from
uint8_t * mail_from
Definition: app-layer-smtp.h:88
SMTPState_::curr_tx
SMTPTransaction * curr_tx
Definition: app-layer-smtp.h:118
SMTPTransaction_
Definition: app-layer-smtp.h:72
conf.h
name
const char * name
Definition: tm-threads.c:2135
SMTPTransaction_::mail_from_len
uint16_t mail_from_len
Definition: app-layer-smtp.h:89
util-lua-smtp.h
SMTPString_::len
uint16_t len
Definition: app-layer-smtp.h:67
util-file.h
suricata-common.h
SMTPString_
Definition: app-layer-smtp.h:65
threadvars.h
LuaStateGetFlow
Flow * LuaStateGetFlow(lua_State *luastate)
get flow pointer from lua state
Definition: util-lua.c:161
SMTPString_::str
uint8_t * str
Definition: app-layer-smtp.h:66
app-layer-smtp.h
LuaRegisterSmtpFunctions
int LuaRegisterSmtpFunctions(lua_State *luastate)
Definition: util-lua-smtp.c:315
LuaStateNeedProto
int LuaStateNeedProto(lua_State *luastate, AppProto alproto)
Definition: util-lua-common.c:396
output.h
LuaPushStringBuffer
int LuaPushStringBuffer(lua_State *luastate, const uint8_t *input, size_t input_len)
Definition: util-lua.c:319
SMTPTransaction_::mime_state
MimeStateSMTP * mime_state
Definition: app-layer-smtp.h:85