suricata
detect-filemd5.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2012 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 *
23 */
24
25#include "suricata-common.h"
26
27#include "detect-engine.h"
28#include "detect-file-hash-common.h"
29#include "util-unittest.h"
30#include "util-unittest-helper.h"
31
32#include "detect-filemd5.h"
33
34static int g_file_match_list_id = 0;
35
36static int DetectFileMd5Setup (DetectEngineCtx *, Signature *, const char *);
37#ifdef UNITTESTS
38static void DetectFileMd5RegisterTests(void);
39#endif
40
41/**
42 * \brief Registration function for keyword: filemd5
43 */
44void DetectFileMd5Register(void)
45{
46 sigmatch_table[DETECT_FILEMD5].name = "filemd5";
47 sigmatch_table[DETECT_FILEMD5].desc = "match file MD5 against list of MD5 checksums";
48 sigmatch_table[DETECT_FILEMD5].url = "/rules/file-keywords.html#filemd5";
49 sigmatch_table[DETECT_FILEMD5].FileMatch = DetectFileHashMatch;
50 sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5Setup;
51 sigmatch_table[DETECT_FILEMD5].Free = DetectFileHashFree;
52#ifdef UNITTESTS
53 sigmatch_table[DETECT_FILEMD5].RegisterTests = DetectFileMd5RegisterTests;
54#endif
55 g_file_match_list_id = DetectBufferTypeRegister("files");
56
57 SCLogDebug("registering filemd5 rule option");
58}
59
60/**
61 * \brief this function is used to parse filemd5 options
62 * \brief into the current signature
63 *
64 * \param de_ctx pointer to the Detection Engine Context
65 * \param s pointer to the Current Signature
66 * \param str pointer to the user provided "filemd5" option
67 *
68 * \retval 0 on Success
69 * \retval -1 on Failure
70 */
71static int DetectFileMd5Setup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
72{
73 return DetectFileHashSetup(de_ctx, s, str, DETECT_FILEMD5, g_file_match_list_id);
74}
75
76#ifdef UNITTESTS
77static int MD5MatchLookupString(ROHashTable *hash, const char *string)
78{
79 uint8_t md5[16];
80 if (ReadHashString(md5, string, "file", 88, 32) == 1) {
81 void *ptr = ROHashLookup(hash, &md5, (uint16_t)sizeof(md5));
82 if (ptr == NULL)
83 return 0;
84 else
85 return 1;
86 }
87 return 0;
88}
89
90static int MD5MatchTest01(void)
91{
92 ROHashTable *hash = ROHashInit(4, 16);
93 FAIL_IF_NULL(hash);
94 FAIL_IF(LoadHashTable(hash, "d80f93a93dc5f3ee945704754d6e0a36", "file", 1, DETECT_FILEMD5) !=
95 1);
96 FAIL_IF(LoadHashTable(hash, "92a49985b384f0d993a36e4c2d45e206", "file", 2, DETECT_FILEMD5) !=
97 1);
98 FAIL_IF(LoadHashTable(hash, "11adeaacc8c309815f7bc3e33888f281", "file", 3, DETECT_FILEMD5) !=
99 1);
100 FAIL_IF(LoadHashTable(hash, "22e10a8fe02344ade0bea8836a1714af", "file", 4, DETECT_FILEMD5) !=
101 1);
102 FAIL_IF(LoadHashTable(hash, "c3db2cbf02c68f073afcaee5634677bc", "file", 5, DETECT_FILEMD5) !=
103 1);
104 FAIL_IF(LoadHashTable(hash, "7ed095da259638f42402fb9e74287a17", "file", 6, DETECT_FILEMD5) !=
105 1);
106 FAIL_IF(ROHashInitFinalize(hash) != 1);
107 FAIL_IF(MD5MatchLookupString(hash, "d80f93a93dc5f3ee945704754d6e0a36") != 1);
108 FAIL_IF(MD5MatchLookupString(hash, "92a49985b384f0d993a36e4c2d45e206") != 1);
109 FAIL_IF(MD5MatchLookupString(hash, "11adeaacc8c309815f7bc3e33888f281") != 1);
110 FAIL_IF(MD5MatchLookupString(hash, "22e10a8fe02344ade0bea8836a1714af") != 1);
111 FAIL_IF(MD5MatchLookupString(hash, "c3db2cbf02c68f073afcaee5634677bc") != 1);
112 FAIL_IF(MD5MatchLookupString(hash, "7ed095da259638f42402fb9e74287a17") != 1);
113 /* shouldn't match */
114 FAIL_IF(MD5MatchLookupString(hash, "33333333333333333333333333333333") == 1);
115 ROHashFree(hash);
116 PASS;
117}
118
119void DetectFileMd5RegisterTests(void)
120{
121 UtRegisterTest("MD5MatchTest01", MD5MatchTest01);
122}
123#endif
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition detect-engine.c:1213
ReadHashString
int ReadHashString(uint8_t *hash, const char *string, const char *filename, int line_no, uint16_t expected_len)
Read the bytes of a hash from an hexadecimal string.
Definition detect-file-hash-common.c:47
LoadHashTable
int LoadHashTable(ROHashTable *hash_table, const char *string, const char *filename, int line_no, uint32_t type)
Store a hash into the hash table.
Definition detect-file-hash-common.c:85
DetectFileHashFree
void DetectFileHashFree(DetectEngineCtx *de_ctx, void *ptr)
this function will free memory associated with DetectFileHashData
Definition detect-file-hash-common.c:359
DetectFileHashMatch
int DetectFileHashMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
Match the specified file hash.
Definition detect-file-hash-common.c:144
DetectFileHashSetup
int DetectFileHashSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str, uint16_t type, int list)
this function is used to parse filemd5, filesha1 and filesha256 options
Definition detect-file-hash-common.c:318
DetectFileMd5Register
void DetectFileMd5Register(void)
Registration function for keyword: filemd5.
Definition detect-filemd5.c:44
sigmatch_table
SigTableElmt * sigmatch_table
Definition detect-parse.c:79
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition util-unittest.h:71
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
ROHashTable_
Definition util-rohash.h:27
SigTableElmt_::url
const char * url
Definition detect.h:1462
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition detect.h:1446
SigTableElmt_::desc
const char * desc
Definition detect.h:1461
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition detect.h:1448
SigTableElmt_::name
const char * name
Definition detect.h:1459
SigTableElmt_::FileMatch
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
Definition detect.h:1429
Signature_
Signature container.
Definition detect.h:668
str
#define str(s)
Definition suricata-common.h:308
SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275
ROHashLookup
void * ROHashLookup(ROHashTable *table, void *data, uint16_t size)
Definition util-rohash.c:113
ROHashFree
void ROHashFree(ROHashTable *table)
Definition util-rohash.c:91
ROHashInitFinalize
int ROHashInitFinalize(ROHashTable *table)
create final hash data structure
Definition util-rohash.c:181
ROHashInit
ROHashTable * ROHashInit(uint8_t hash_bits, uint16_t item_size)
initialize a new rohash
Definition util-rohash.c:64