suricata.8.0.0/detect-base64-data_8c_source.html

/* Copyright (C) 2015 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


#include "suricata-common.h"

#include "detect.h"

#include "detect-engine.h"

#include "detect-engine-content-inspection.h"

#include "detect-parse.h"

#include "detect-base64-data.h"

#include "detect-engine-build.h"


#include "util-unittest.h"


static int DetectBase64DataSetup(DetectEngineCtx *, Signature *, const char *);

#ifdef UNITTESTS

static void DetectBase64DataRegisterTests(void);

#endif


void DetectBase64DataRegister(void)

{

    sigmatch_table[DETECT_BASE64_DATA].name = "base64_data";

    sigmatch_table[DETECT_BASE64_DATA].desc =

        "Content match base64 decoded data.";

    sigmatch_table[DETECT_BASE64_DATA].url =

        "/rules/base64-keywords.html#base64-data";

    sigmatch_table[DETECT_BASE64_DATA].Setup = DetectBase64DataSetup;

#ifdef UNITTESTS

    sigmatch_table[DETECT_BASE64_DATA].RegisterTests =

        DetectBase64DataRegisterTests;

#endif

    sigmatch_table[DETECT_BASE64_DATA].flags |= SIGMATCH_NOOPT;

}


static int DetectBase64DataSetup(DetectEngineCtx *de_ctx, Signature *s,

    const char *str)

{

    SigMatch *pm = NULL;


    /* Check for a preceding base64_decode. */

    pm = DetectGetLastSMFromLists(s, DETECT_BASE64_DECODE, -1);

    if (pm == NULL) {

        SCLogError("\"base64_data\" keyword seen without preceding base64_decode.");

        return -1;

    }


    s->init_data->list = DETECT_SM_LIST_BASE64_DATA;

    return 0;

}


#ifdef UNITTESTS


static int g_file_data_buffer_id = 0;


static int DetectBase64DataSetupTest01(void)

{

    DetectEngineCtx *de_ctx = NULL;

    SigMatch *sm;

    int retval = 0;


    de_ctx = DetectEngineCtxInit();

    if (de_ctx == NULL) {

        goto end;

    }


    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,

        "alert smtp any any -> any any (msg:\"DetectBase64DataSetupTest\"; "

        "base64_decode; base64_data; content:\"content\"; sid:1; rev:1;)");

    if (de_ctx->sig_list == NULL) {

        printf("SigInit failed: ");

        goto end;

    }


    sm = de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH];

    if (sm == NULL) {

        printf("DETECT_SM_LIST_PMATCH should not be NULL: ");

        goto end;

    }

    if (sm->type != DETECT_BASE64_DECODE) {

        printf("sm->type should be DETECT_BASE64_DECODE: ");

        goto end;

    }


    if (de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_BASE64_DATA] == NULL) {

        printf("DETECT_SM_LIST_BASE64_DATA should not be NULL: ");

       goto end;

    }


    retval = 1;

end:

    if (de_ctx != NULL) {

        SigGroupCleanup(de_ctx);

        SigCleanSignatures(de_ctx);

        DetectEngineCtxFree(de_ctx);

    }

    return retval;

}


/**

 * \test Test that the list can be changed to post-detection lists

 *     after the base64 keyword.

 */

static int DetectBase64DataSetupTest04(void)

{

    DetectEngineCtx *de_ctx = NULL;

    int retval = 0;


    de_ctx = DetectEngineCtxInit();

    if (de_ctx == NULL) {

        goto end;

    }


    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,

        "alert tcp any any -> any any (msg:\"some b64thing\"; flow:established,from_server; file_data; content:\"sometext\"; fast_pattern; base64_decode:relative; base64_data; content:\"foobar\"; nocase; tag:session,120,seconds; sid:1111111; rev:1;)");

    if (de_ctx->sig_list == NULL) {

        printf("SigInit failed: ");

        goto end;

    }


    retval = 1;

end:

    if (de_ctx != NULL) {

        SigGroupCleanup(de_ctx);

        SigCleanSignatures(de_ctx);

        DetectEngineCtxFree(de_ctx);

    }

    return retval;

}


static void DetectBase64DataRegisterTests(void)

{

    g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");


    UtRegisterTest("DetectBase64DataSetupTest01", DetectBase64DataSetupTest01);

    UtRegisterTest("DetectBase64DataSetupTest04", DetectBase64DataSetupTest04);

}

#endif /* UNITTESTS */

DetectBase64DataRegister
void DetectBase64DataRegister(void)
Definition detect-base64-data.c:33

detect-base64-data.h

SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition detect-engine-build.c:56

SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition detect-engine-build.c:2275

detect-engine-build.h

detect-engine-content-inspection.h

DETECT_BASE64_DATA
@ DETECT_BASE64_DATA
Definition detect-engine-register.h:89

DETECT_BASE64_DECODE
@ DETECT_BASE64_DECODE
Definition detect-engine-register.h:88

DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602

DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641

DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition detect-engine.c:1277

detect-engine.h

SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition detect-parse.c:3095

DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition detect-parse.c:564

sigmatch_table
SigTableElmt * sigmatch_table
Definition detect-parse.c:79

detect-parse.h

detect.h

SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition detect.h:1651

DE_QUIET
#define DE_QUIET
Definition detect.h:330

DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition detect.h:119

DETECT_SM_LIST_BASE64_DATA
@ DETECT_SM_LIST_BASE64_DATA
Definition detect.h:124

de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18

UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103

DetectEngineCtx_
main detection engine ctx
Definition detect.h:932

DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934

DetectEngineCtx_::sig_list
Signature * sig_list
Definition detect.h:941

SigMatch_
a single match condition for a signature
Definition detect.h:356

SigMatch_::type
uint16_t type
Definition detect.h:357

SigTableElmt_::url
const char * url
Definition detect.h:1462

SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441

SigTableElmt_::flags
uint16_t flags
Definition detect.h:1450

SigTableElmt_::desc
const char * desc
Definition detect.h:1461

SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition detect.h:1448

SigTableElmt_::name
const char * name
Definition detect.h:1459

SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition detect.h:642

SignatureInitData_::list
int list
Definition detect.h:628

Signature_
Signature container.
Definition detect.h:668

Signature_::init_data
SignatureInitData * init_data
Definition detect.h:747

suricata-common.h

str
#define str(s)
Definition suricata-common.h:308

SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267

util-unittest.h