suricata
util-rule-vars.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Rule variable utility functions
24  */
25 
26 #include "suricata-common.h"
27 #include "conf.h"
28 #include "conf-yaml-loader.h"
29 
30 #include "detect.h"
31 #include "detect-content.h"
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 
36 #include "util-rule-vars.h"
37 #include "util-enum.h"
38 #include "util-debug.h"
39 #include "util-unittest.h"
40 
41 /** An enum-string map, that maps the different vars type in the yaml conf
42  * type with the mapping path in the yaml conf file */
43 SCEnumCharMap sc_rule_vars_type_map[ ] = {
44  { "vars.address-groups", SC_RULE_VARS_ADDRESS_GROUPS },
45  { "vars.port-groups", SC_RULE_VARS_PORT_GROUPS }
46 };
47 
48 /**
49  * \internal
50  * \brief Retrieves a value for a yaml mapping. The sequence from the yaml
51  * conf file, from which the conf value has to be retrieved can be
52  * specified by supplying a SCRuleVarsType enum. The string mapping
53  * for each of the SCRuleVarsType is present in sc_rule_vars_type_map.
54  *
55  * \param conf_var_name Pointer to a character string containing the conf var
56  * name, whose value has to be retrieved from the yaml
57  * conf file.
58  * \param conf_vars_type Holds an enum value that indicates the kind of yaml
59  * mapping that has to be retrieved. Can be one of the
60  * values in SCRuleVarsType.
61  *
62  * \retval conf_var_name_value Pointer to the string containing the conf value
63  * on success; NULL on failure.
64  */
65 const char *SCRuleVarsGetConfVar(const DetectEngineCtx *de_ctx,
66  const char *conf_var_name,
67  SCRuleVarsType conf_vars_type)
68 {
69  SCEnter();
70 
71  const char *conf_var_type_name = NULL;
72  char conf_var_full_name[2048];
73  const char *conf_var_full_name_value = NULL;
74 
75  if (conf_var_name == NULL)
76  goto end;
77 
78  while (conf_var_name[0] != '\0' && isspace((unsigned char)conf_var_name[0])) {
79  conf_var_name++;
80  }
81 
82  (conf_var_name[0] == '$') ? conf_var_name++ : conf_var_name;
83  conf_var_type_name = SCMapEnumValueToName(conf_vars_type,
84  sc_rule_vars_type_map);
85  if (conf_var_type_name == NULL)
86  goto end;
87 
88  if (de_ctx != NULL && strlen(de_ctx->config_prefix) > 0) {
89  if (snprintf(conf_var_full_name, sizeof(conf_var_full_name), "%s.%s.%s",
90  de_ctx->config_prefix, conf_var_type_name, conf_var_name) < 0) {
91  goto end;
92  }
93  } else {
94  if (snprintf(conf_var_full_name, sizeof(conf_var_full_name), "%s.%s",
95  conf_var_type_name, conf_var_name) < 0) {
96  goto end;
97  }
98  }
99 
100  if (SCConfGet(conf_var_full_name, &conf_var_full_name_value) != 1) {
101  SCLogError("Variable \"%s\" is not defined in "
102  "configuration file",
103  conf_var_name);
104  goto end;
105  }
106 
107  SCLogDebug("Value obtained from the yaml conf file, for the var "
108  "\"%s\" is \"%s\"", conf_var_name, conf_var_full_name_value);
109 
110  end:
111  SCReturnCharPtr(conf_var_full_name_value);
112 }
113 
114 
115 /**********************************Unittests***********************************/
116 #ifdef UNITTESTS
117 
118 static const char *dummy_conf_string =
119  "%YAML 1.1\n"
120  "---\n"
121  "\n"
122  "default-log-dir: /var/log/suricata\n"
123  "\n"
124  "logging:\n"
125  "\n"
126  " default-log-level: debug\n"
127  "\n"
128  " default-format: \"<%t> - <%l>\"\n"
129  "\n"
130  " default-startup-message: Your IDS has started.\n"
131  "\n"
132  " default-output-filter:\n"
133  "\n"
134  " output:\n"
135  "\n"
136  " - interface: console\n"
137  " log-level: info\n"
138  "\n"
139  " - interface: file\n"
140  " filename: /var/log/suricata.log\n"
141  "\n"
142  " - interface: syslog\n"
143  " facility: local5\n"
144  " format: \"%l\"\n"
145  "\n"
146  "pfring:\n"
147  "\n"
148  " interface: eth0\n"
149  "\n"
150  " clusterid: 99\n"
151  "\n"
152  "vars:\n"
153  "\n"
154  " address-groups:\n"
155  "\n"
156  " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
157  "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
158  "\n"
159  " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
160  "\n"
161  " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
162  "\n"
163  " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
164  "\n"
165  " SQL_SERVERS: \"!192.168.0.0/16\"\n"
166  "\n"
167  " DNS_SERVERS: any\n"
168  "\n"
169  " TELNET_SERVERS: any\n"
170  "\n"
171  " AIM_SERVERS: any\n"
172  "\n"
173  " port-groups:\n"
174  "\n"
175  " HTTP_PORTS: \"80:81,88\"\n"
176  "\n"
177  " SHELLCODE_PORTS: 80\n"
178  "\n"
179  " ORACLE_PORTS: 1521\n"
180  "\n"
181  " SSH_PORTS: 22\n"
182  "\n";
183 
184 /**
185  * \test Check that valid address and port group vars are correctly retrieved
186  * from the configuration.
187  */
188 static int SCRuleVarsPositiveTest01(void)
189 {
190  SCConfCreateContextBackup();
191  SCConfInit();
192  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
193 
194  /* check for address-groups */
195  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS));
196  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS),
197  "[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:13c5:"
198  "5AFE::/64,2001:888:13c5:CAFE::/64]") == 0);
199  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$EXTERNAL_NET", SC_RULE_VARS_ADDRESS_GROUPS));
200  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$EXTERNAL_NET", SC_RULE_VARS_ADDRESS_GROUPS),
201  "[!192.168.0.0/16,2000::/3]") == 0);
202  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$HTTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS));
203  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$HTTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
204  "!192.168.0.0/16") == 0);
205  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$SMTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS));
206  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$SMTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
207  "!192.168.0.0/16") == 0);
208  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$SQL_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS));
209  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$SQL_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
210  "!192.168.0.0/16") == 0);
211  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$DNS_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS));
212  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$DNS_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
213  "any") == 0);
214  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$TELNET_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS));
215  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$TELNET_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
216  "any") == 0);
217  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$AIM_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS));
218  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$AIM_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
219  "any") == 0);
220 
221  /* Test that a leading space is stripped. */
222  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, " $AIM_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS));
223  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, " $AIM_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
224  "any") == 0);
225 
226  /* check for port-groups */
227  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS));
228  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS),
229  "80:81,88") == 0);
230  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$SHELLCODE_PORTS", SC_RULE_VARS_PORT_GROUPS));
231  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$SHELLCODE_PORTS", SC_RULE_VARS_PORT_GROUPS),
232  "80") == 0);
233  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$ORACLE_PORTS", SC_RULE_VARS_PORT_GROUPS));
234  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$ORACLE_PORTS", SC_RULE_VARS_PORT_GROUPS),
235  "1521") == 0);
236  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$SSH_PORTS", SC_RULE_VARS_PORT_GROUPS));
237  FAIL_IF_NOT(
238  strcmp(SCRuleVarsGetConfVar(NULL, "$SSH_PORTS", SC_RULE_VARS_PORT_GROUPS), "22") == 0);
239 
240  SCConfDeInit();
241  SCConfRestoreContextBackup();
242  PASS;
243 }
244 
245 /**
246  * \test Check that invalid address and port groups are properly handled by the
247  * API.
248  */
249 static int SCRuleVarsNegativeTest02(void)
250 {
251  SCConfCreateContextBackup();
252  SCConfInit();
253  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
254 
255  FAIL_IF_NOT_NULL(SCRuleVarsGetConfVar(NULL, "$HOME_NETW", SC_RULE_VARS_ADDRESS_GROUPS));
256  FAIL_IF_NOT_NULL(SCRuleVarsGetConfVar(NULL, "$home_net", SC_RULE_VARS_ADDRESS_GROUPS));
257  FAIL_IF_NOT_NULL(SCRuleVarsGetConfVar(NULL, "$TOMCAT_PORTSW", SC_RULE_VARS_PORT_GROUPS));
258  FAIL_IF_NOT_NULL(SCRuleVarsGetConfVar(NULL, "$tomcat_ports", SC_RULE_VARS_PORT_GROUPS));
259 
260  SCConfDeInit();
261  SCConfRestoreContextBackup();
262  PASS;
263 }
264 
265 /**
266  * \test Check that Signatures with valid address and port groups are parsed
267  * without any errors by the Signature parsing API.
268  */
269 static int SCRuleVarsPositiveTest03(void)
270 {
271  SCConfCreateContextBackup();
272  SCConfInit();
273  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
274 
275  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
276  FAIL_IF_NULL(de_ctx);
277  de_ctx->flags |= DE_QUIET;
278 
279  Signature *s = DetectEngineAppendSig(de_ctx,
280  "alert tcp [$HTTP_SERVERS,$HOME_NET,192.168.2.5] $HTTP_PORTS -> $EXTERNAL_NET "
281  "[80,[!$HTTP_PORTS,$ORACLE_PORTS]] (msg:\"Rule Vars Test\"; sid:1;)");
282  FAIL_IF_NULL(s);
283 
284  SCConfDeInit();
285  SCConfRestoreContextBackup();
286  DetectEngineCtxFree(de_ctx);
287  PASS;
288 }
289 
290 /**
291  * \test Check that Signatures with invalid address and port groups, are
292  * are invalidated by the Signature parsing API.
293  */
294 static int SCRuleVarsNegativeTest04(void)
295 {
296  SCConfCreateContextBackup();
297  SCConfInit();
298  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
299  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
300  FAIL_IF_NULL(de_ctx);
301  de_ctx->flags |= DE_QUIET;
302 
303  Signature *s = DetectEngineAppendSig(
304  de_ctx, "alert tcp $HTTP_SERVER any -> any any (msg:\"Rule Vars Test\"; sid:1;)");
305  FAIL_IF_NOT_NULL(s);
306  s = DetectEngineAppendSig(
307  de_ctx, "alert tcp $http_servers any -> any any (msg:\"Rule Vars Test\"; sid:1;)");
308  FAIL_IF_NOT_NULL(s);
309  s = DetectEngineAppendSig(de_ctx,
310  "alert tcp $http_servers any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
311  FAIL_IF_NOT_NULL(s);
312  s = DetectEngineAppendSig(de_ctx,
313  "alert tcp !$TELNET_SERVERS !80 -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
314  FAIL_IF_NOT_NULL(s);
315 
316  DetectEngineCtxFree(de_ctx);
317  SCConfDeInit();
318  SCConfRestoreContextBackup();
319  PASS;
320 }
321 
322 static const char *dummy_mt_conf_string =
323  "%YAML 1.1\n"
324  "---\n"
325  "vars:\n"
326  "\n"
327  " address-groups:\n"
328  "\n"
329  " HOME_NET: \"[1.2.3.4]\"\n"
330  " port-groups:\n"
331  " HTTP_PORTS: \"12345\"\n"
332  "multi-detect:\n"
333  " 0:\n"
334  " vars:\n"
335  "\n"
336  " address-groups:\n"
337  "\n"
338  " HOME_NET: \"[8.8.8.8]\"\n"
339  " port-groups:\n"
340  " HTTP_PORTS: \"54321\"\n"
341  "\n";
342 
343 /**
344  * \test Check that valid address and port group vars are correctly retrieved
345  * from the configuration.
346  */
347 static int SCRuleVarsMTest01(void)
348 {
349  SCConfCreateContextBackup();
350  SCConfInit();
351  SCConfYamlLoadString(dummy_mt_conf_string, strlen(dummy_mt_conf_string));
352 
353  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
354  FAIL_IF_NULL(de_ctx);
355  de_ctx->flags |= DE_QUIET;
356  snprintf(de_ctx->config_prefix, sizeof(de_ctx->config_prefix),
357  "multi-detect.0");
358 
359  /* check for address-groups */
360  FAIL_IF_NULL(SCRuleVarsGetConfVar(de_ctx, "$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS));
361  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(de_ctx, "$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS),
362  "[8.8.8.8]") == 0);
363 
364  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS));
365  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS),
366  "[1.2.3.4]") == 0);
367 
368  /* check for port-groups */
369  FAIL_IF_NULL(SCRuleVarsGetConfVar(de_ctx, "$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS));
370  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(de_ctx, "$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS),
371  "54321") == 0);
372 
373  FAIL_IF_NULL(SCRuleVarsGetConfVar(NULL, "$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS));
374  FAIL_IF_NOT(strcmp(SCRuleVarsGetConfVar(NULL, "$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS),
375  "12345") == 0);
376 
377  SCConfDeInit();
378  SCConfRestoreContextBackup();
379 
380  DetectEngineCtxFree(de_ctx);
381  PASS;
382 }
383 
384 #endif /* UNITTESTS */
385 
386 void SCRuleVarsRegisterTests(void)
387 {
388 #ifdef UNITTESTS
389  UtRegisterTest("SCRuleVarsPositiveTest01", SCRuleVarsPositiveTest01);
390  UtRegisterTest("SCRuleVarsNegativeTest02", SCRuleVarsNegativeTest02);
391  UtRegisterTest("SCRuleVarsPositiveTest03", SCRuleVarsPositiveTest03);
392  UtRegisterTest("SCRuleVarsNegativeTest04", SCRuleVarsNegativeTest04);
393 
394  UtRegisterTest("SCRuleVarsMTest01", SCRuleVarsMTest01);
395 #endif
396 }
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:535
detect-content.h
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SCReturnCharPtr
#define SCReturnCharPtr(x)
Definition: util-debug.h:293
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SC_RULE_VARS_ADDRESS_GROUPS
@ SC_RULE_VARS_ADDRESS_GROUPS
Definition: util-rule-vars.h:31
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
SCConfGet
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:350
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
SCRuleVarsType
SCRuleVarsType
Definition: util-rule-vars.h:30
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3440
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SCConfInit
void SCConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SC_RULE_VARS_PORT_GROUPS
@ SC_RULE_VARS_PORT_GROUPS
Definition: util-rule-vars.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
SCRuleVarsRegisterTests
void SCRuleVarsRegisterTests(void)
Definition: util-rule-vars.c:386
SCEnter
#define SCEnter(...)
Definition: util-debug.h:281
detect-engine-mpm.h
detect.h
util-rule-vars.h
conf-yaml-loader.h
conf.h
SCConfCreateContextBackup
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:684
sc_rule_vars_type_map
SCEnumCharMap sc_rule_vars_type_map[]
Definition: util-rule-vars.c:43
DetectEngineCtx_::config_prefix
char config_prefix[64]
Definition: detect.h:1052
SCMapEnumValueToName
const char * SCMapEnumValueToName(int enum_value, SCEnumCharMap *table)
Maps an enum value to a string name, from the supplied table.
Definition: util-enum.c:68
suricata-common.h
SCEnumCharMap_
Definition: util-enum.h:27
SCConfDeInit
void SCConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:703
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:271
SCConfRestoreContextBackup
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:694
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:935
SCRuleVarsGetConfVar
const char * SCRuleVarsGetConfVar(const DetectEngineCtx *de_ctx, const char *conf_var_name, SCRuleVarsType conf_vars_type)
Definition: util-rule-vars.c:65
util-enum.h