suricata
util-rule-vars.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Rule variable utility functions
24  */
25 
26 #include "suricata-common.h"
27 #include "conf.h"
28 #include "conf-yaml-loader.h"
29 
30 #include "detect.h"
31 #include "detect-content.h"
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 
36 #include "util-rule-vars.h"
37 #include "util-enum.h"
38 #include "util-debug.h"
39 #include "util-unittest.h"
40 
41 /** An enum-string map, that maps the different vars type in the yaml conf
42  * type with the mapping path in the yaml conf file */
44  { "vars.address-groups", SC_RULE_VARS_ADDRESS_GROUPS },
45  { "vars.port-groups", SC_RULE_VARS_PORT_GROUPS }
46 };
47 
48 /**
49  * \internal
50  * \brief Retrieves a value for a yaml mapping. The sequence from the yaml
51  * conf file, from which the conf value has to be retrieved can be
52  * specified by supplying a SCRuleVarsType enum. The string mapping
53  * for each of the SCRuleVarsType is present in sc_rule_vars_type_map.
54  *
55  * \param conf_var_name Pointer to a character string containing the conf var
56  * name, whose value has to be retrieved from the yaml
57  * conf file.
58  * \param conf_vars_type Holds an enum value that indicates the kind of yaml
59  * mapping that has to be retrieved. Can be one of the
60  * values in SCRuleVarsType.
61  *
62  * \retval conf_var_name_value Pointer to the string containing the conf value
63  * on success; NULL on failure.
64  */
66  const char *conf_var_name,
67  SCRuleVarsType conf_vars_type)
68 {
69  SCEnter();
70 
71  const char *conf_var_type_name = NULL;
72  char conf_var_full_name[2048];
73  const char *conf_var_full_name_value = NULL;
74 
75  if (conf_var_name == NULL)
76  goto end;
77 
78  while (conf_var_name[0] != '\0' && isspace((unsigned char)conf_var_name[0])) {
79  conf_var_name++;
80  }
81 
82  (conf_var_name[0] == '$') ? conf_var_name++ : conf_var_name;
83  conf_var_type_name = SCMapEnumValueToName(conf_vars_type,
85  if (conf_var_type_name == NULL)
86  goto end;
87 
88  if (de_ctx != NULL && strlen(de_ctx->config_prefix) > 0) {
89  if (snprintf(conf_var_full_name, sizeof(conf_var_full_name), "%s.%s.%s",
90  de_ctx->config_prefix, conf_var_type_name, conf_var_name) < 0) {
91  goto end;
92  }
93  } else {
94  if (snprintf(conf_var_full_name, sizeof(conf_var_full_name), "%s.%s",
95  conf_var_type_name, conf_var_name) < 0) {
96  goto end;
97  }
98  }
99 
100  if (ConfGet(conf_var_full_name, &conf_var_full_name_value) != 1) {
101  SCLogError(SC_ERR_UNDEFINED_VAR, "Variable \"%s\" is not defined in "
102  "configuration file", conf_var_name);
103  goto end;
104  }
105 
106  SCLogDebug("Value obtained from the yaml conf file, for the var "
107  "\"%s\" is \"%s\"", conf_var_name, conf_var_full_name_value);
108 
109  end:
110  SCReturnCharPtr(conf_var_full_name_value);
111 }
112 
113 
114 /**********************************Unittests***********************************/
115 #ifdef UNITTESTS
116 
117 static const char *dummy_conf_string =
118  "%YAML 1.1\n"
119  "---\n"
120  "\n"
121  "default-log-dir: /var/log/suricata\n"
122  "\n"
123  "logging:\n"
124  "\n"
125  " default-log-level: debug\n"
126  "\n"
127  " default-format: \"<%t> - <%l>\"\n"
128  "\n"
129  " default-startup-message: Your IDS has started.\n"
130  "\n"
131  " default-output-filter:\n"
132  "\n"
133  " output:\n"
134  "\n"
135  " - interface: console\n"
136  " log-level: info\n"
137  "\n"
138  " - interface: file\n"
139  " filename: /var/log/suricata.log\n"
140  "\n"
141  " - interface: syslog\n"
142  " facility: local5\n"
143  " format: \"%l\"\n"
144  "\n"
145  "pfring:\n"
146  "\n"
147  " interface: eth0\n"
148  "\n"
149  " clusterid: 99\n"
150  "\n"
151  "vars:\n"
152  "\n"
153  " address-groups:\n"
154  "\n"
155  " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
156  "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
157  "\n"
158  " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
159  "\n"
160  " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
161  "\n"
162  " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
163  "\n"
164  " SQL_SERVERS: \"!192.168.0.0/16\"\n"
165  "\n"
166  " DNS_SERVERS: any\n"
167  "\n"
168  " TELNET_SERVERS: any\n"
169  "\n"
170  " AIM_SERVERS: any\n"
171  "\n"
172  " port-groups:\n"
173  "\n"
174  " HTTP_PORTS: \"80:81,88\"\n"
175  "\n"
176  " SHELLCODE_PORTS: 80\n"
177  "\n"
178  " ORACLE_PORTS: 1521\n"
179  "\n"
180  " SSH_PORTS: 22\n"
181  "\n";
182 
183 /**
184  * \test Check that valid address and port group vars are correctly retrieved
185  * from the configuration.
186  */
187 static int SCRuleVarsPositiveTest01(void)
188 {
190  ConfInit();
191  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
192 
193  /* check for address-groups */
194  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
195  strcmp(SCRuleVarsGetConfVar(NULL, "$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS),
196  "[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:13c5:"
197  "5AFE::/64,2001:888:13c5:CAFE::/64]") == 0);
198  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$EXTERNAL_NET", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
199  strcmp(SCRuleVarsGetConfVar(NULL, "$EXTERNAL_NET", SC_RULE_VARS_ADDRESS_GROUPS),
200  "[!192.168.0.0/16,2000::/3]") == 0);
201  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$HTTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
202  strcmp(SCRuleVarsGetConfVar(NULL, "$HTTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
203  "!192.168.0.0/16") == 0);
204  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$SMTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
205  strcmp(SCRuleVarsGetConfVar(NULL, "$SMTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
206  "!192.168.0.0/16") == 0);
207  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$SQL_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
208  strcmp(SCRuleVarsGetConfVar(NULL, "$SQL_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
209  "!192.168.0.0/16") == 0);
210  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$DNS_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
211  strcmp(SCRuleVarsGetConfVar(NULL, "$DNS_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
212  "any") == 0);
213  FAIL_IF_NOT(
214  SCRuleVarsGetConfVar(NULL, "$TELNET_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
215  strcmp(SCRuleVarsGetConfVar(NULL, "$TELNET_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
216  "any") == 0);
217  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$AIM_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
218  strcmp(SCRuleVarsGetConfVar(NULL, "$AIM_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
219  "any") == 0);
220 
221  /* Test that a leading space is stripped. */
222  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, " $AIM_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
223  strcmp(SCRuleVarsGetConfVar(NULL, " $AIM_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
224  "any") == 0);
225 
226  /* check for port-groups */
227  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS) != NULL &&
228  strcmp(SCRuleVarsGetConfVar(NULL, "$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS),
229  "80:81,88") == 0);
230  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$SHELLCODE_PORTS", SC_RULE_VARS_PORT_GROUPS) != NULL &&
231  strcmp(SCRuleVarsGetConfVar(NULL, "$SHELLCODE_PORTS", SC_RULE_VARS_PORT_GROUPS),
232  "80") == 0);
233  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$ORACLE_PORTS", SC_RULE_VARS_PORT_GROUPS) != NULL &&
234  strcmp(SCRuleVarsGetConfVar(NULL, "$ORACLE_PORTS", SC_RULE_VARS_PORT_GROUPS),
235  "1521") == 0);
236  FAIL_IF_NOT(
237  SCRuleVarsGetConfVar(NULL, "$SSH_PORTS", SC_RULE_VARS_PORT_GROUPS) != NULL &&
238  strcmp(SCRuleVarsGetConfVar(NULL, "$SSH_PORTS", SC_RULE_VARS_PORT_GROUPS), "22") == 0);
239 
240  ConfDeInit();
242  PASS;
243 }
244 
245 /**
246  * \test Check that invalid address and port groups are properly handled by the
247  * API.
248  */
249 static int SCRuleVarsNegativeTest02(void)
250 {
252  ConfInit();
253  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
254 
255  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$HOME_NETW", SC_RULE_VARS_ADDRESS_GROUPS) == NULL);
256  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$home_net", SC_RULE_VARS_ADDRESS_GROUPS) == NULL);
257  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$TOMCAT_PORTSW", SC_RULE_VARS_PORT_GROUPS) == NULL);
258  FAIL_IF_NOT(SCRuleVarsGetConfVar(NULL, "$tomcat_ports", SC_RULE_VARS_PORT_GROUPS) == NULL);
259 
260  ConfDeInit();
262  PASS;
263 }
264 
265 /**
266  * \test Check that Signatures with valid address and port groups are parsed
267  * without any errors by the Signature parsing API.
268  */
269 static int SCRuleVarsPositiveTest03(void)
270 {
272  ConfInit();
273  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
274 
277  de_ctx->flags |= DE_QUIET;
278 
280  "alert tcp [$HTTP_SERVERS,$HOME_NET,192.168.2.5] $HTTP_PORTS -> $EXTERNAL_NET "
281  "[80,[!$HTTP_PORTS,$ORACLE_PORTS]] (msg:\"Rule Vars Test\"; sid:1;)");
282  FAIL_IF_NULL(s);
283 
284  ConfDeInit();
287  PASS;
288 }
289 
290 /**
291  * \test Check that Signatures with invalid address and port groups, are
292  * are invalidated by the Singature parsing API.
293  */
294 static int SCRuleVarsNegativeTest04(void)
295 {
297  ConfInit();
298  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
301  de_ctx->flags |= DE_QUIET;
302 
304  de_ctx, "alert tcp $HTTP_SERVER any -> any any (msg:\"Rule Vars Test\"; sid:1;)");
305  FAIL_IF_NOT_NULL(s);
307  de_ctx, "alert tcp $http_servers any -> any any (msg:\"Rule Vars Test\"; sid:1;)");
308  FAIL_IF_NOT_NULL(s);
310  "alert tcp $http_servers any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
311  FAIL_IF_NOT_NULL(s);
313  "alert tcp !$TELNET_SERVERS !80 -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
314  FAIL_IF_NOT_NULL(s);
315 
317  ConfDeInit();
319  PASS;
320 }
321 
322 static const char *dummy_mt_conf_string =
323  "%YAML 1.1\n"
324  "---\n"
325  "vars:\n"
326  "\n"
327  " address-groups:\n"
328  "\n"
329  " HOME_NET: \"[1.2.3.4]\"\n"
330  " port-groups:\n"
331  " HTTP_PORTS: \"12345\"\n"
332  "multi-detect:\n"
333  " 0:\n"
334  " vars:\n"
335  "\n"
336  " address-groups:\n"
337  "\n"
338  " HOME_NET: \"[8.8.8.8]\"\n"
339  " port-groups:\n"
340  " HTTP_PORTS: \"54321\"\n"
341  "\n";
342 
343 /**
344  * \test Check that valid address and port group vars are correctly retrieved
345  * from the configuration.
346  */
347 static int SCRuleVarsMTest01(void)
348 {
349  int result = 0;
350  DetectEngineCtx *de_ctx = NULL;
351 
353  ConfInit();
354  ConfYamlLoadString(dummy_mt_conf_string, strlen(dummy_mt_conf_string));
355 
356  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
357  return 0;
358  de_ctx->flags |= DE_QUIET;
359  snprintf(de_ctx->config_prefix, sizeof(de_ctx->config_prefix),
360  "multi-detect.0");
361 
362  /* check for address-groups */
363  result = (SCRuleVarsGetConfVar(de_ctx,"$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
365  "[8.8.8.8]") == 0);
366  if (result == 0)
367  goto end;
368 
369  result = (SCRuleVarsGetConfVar(NULL,"$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
370  strcmp(SCRuleVarsGetConfVar(NULL,"$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS),
371  "[1.2.3.4]") == 0);
372  if (result == 0)
373  goto end;
374 
375  /* check for port-groups */
376  result = (SCRuleVarsGetConfVar(de_ctx,"$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS) != NULL &&
378  "54321") == 0);
379  if (result == 0)
380  goto end;
381 
382  result = (SCRuleVarsGetConfVar(NULL,"$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS) != NULL &&
383  strcmp(SCRuleVarsGetConfVar(NULL,"$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS),
384  "12345") == 0);
385  if (result == 0)
386  goto end;
387 
388 end:
389  ConfDeInit();
391 
392  if (de_ctx != NULL)
394  return result;
395 }
396 
397 #endif /* UNITTESTS */
398 
400 {
401 #ifdef UNITTESTS
402  UtRegisterTest("SCRuleVarsPositiveTest01", SCRuleVarsPositiveTest01);
403  UtRegisterTest("SCRuleVarsNegativeTest02", SCRuleVarsNegativeTest02);
404  UtRegisterTest("SCRuleVarsPositiveTest03", SCRuleVarsPositiveTest03);
405  UtRegisterTest("SCRuleVarsNegativeTest04", SCRuleVarsNegativeTest04);
406 
407  UtRegisterTest("SCRuleVarsMTest01", SCRuleVarsMTest01);
408 #endif
409 
410  return;
411 }
detect-content.h
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SCReturnCharPtr
#define SCReturnCharPtr(x)
Definition: util-debug.h:312
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SC_RULE_VARS_ADDRESS_GROUPS
@ SC_RULE_VARS_ADDRESS_GROUPS
Definition: util-rule-vars.h:29
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:794
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2439
DE_QUIET
#define DE_QUIET
Definition: detect.h:297
SCRuleVarsType
SCRuleVarsType
Definition: util-rule-vars.h:28
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:330
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SC_RULE_VARS_PORT_GROUPS
@ SC_RULE_VARS_PORT_GROUPS
Definition: util-rule-vars.h:30
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
SCRuleVarsRegisterTests
void SCRuleVarsRegisterTests(void)
Definition: util-rule-vars.c:399
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ConfYamlLoadString
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:487
util-rule-vars.h
conf-yaml-loader.h
conf.h
SC_ERR_UNDEFINED_VAR
@ SC_ERR_UNDEFINED_VAR
Definition: util-error.h:131
ConfCreateContextBackup
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:654
sc_rule_vars_type_map
SCEnumCharMap sc_rule_vars_type_map[]
Definition: util-rule-vars.c:43
DetectEngineCtx_::config_prefix
char config_prefix[64]
Definition: detect.h:926
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2421
SCMapEnumValueToName
const char * SCMapEnumValueToName(int enum_value, SCEnumCharMap *table)
Maps an enum value to a string name, from the supplied table.
Definition: util-enum.c:68
suricata-common.h
SCEnumCharMap_
Definition: util-enum.h:27
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
ConfRestoreContextBackup
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:666
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:113
detect-parse.h
Signature_
Signature container.
Definition: detect.h:549
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2400
ConfDeInit
void ConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:677
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:795
SCRuleVarsGetConfVar
const char * SCRuleVarsGetConfVar(const DetectEngineCtx *de_ctx, const char *conf_var_name, SCRuleVarsType conf_vars_type)
Definition: util-rule-vars.c:65
util-enum.h