suricata.8.0.0/detect-ftp-mode_8c_source.html

/* Copyright (C) 2025 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


/**

 *

 * \author Jeff Lucovsky <jlucovsky@oisf.net>

 *

 * Implements the ftp.mode sticky buffer

 *

 */


#include "suricata-common.h"


#include "detect.h"

#include "detect-parse.h"

#include "detect-engine.h"


#include "rust.h"

#include "flow.h"


#include "util-debug.h"


#include "app-layer.h"

#include "app-layer-ftp.h"


#include "detect-ftp-mode.h"


#define KEYWORD_NAME "ftp.mode"

#define KEYWORD_DOC  "ftp-keywords.html#ftp-mode"

#define BUFFER_NAME  "ftp.mode"

#define BUFFER_DESC  "ftp mode"


static int g_ftp_mode_buffer_id = 0;


/**

 * \brief This function is used to check matches from the FTP App Layer Parser

 *

 * \param t pointer to thread vars

 * \param det_ctx pointer to the pattern matcher thread

 * \param p pointer to the current packet

 * \param m pointer to the sigmatch

 * \retval 0 no match

 * \retval 1 match

 */

static int DetectFtpModeMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state,

        void *txv, const Signature *s, const SigMatchCtx *m)

{

    FTPTransaction *tx = (FTPTransaction *)txv;

    if (tx->command_descriptor.command_code == FTP_COMMAND_UNKNOWN) {

        return 0;

    }

    if (!tx->dyn_port) {

        return 0;

    }


    const DetectFtpModeData *ftpmoded = (const DetectFtpModeData *)m;

    return ftpmoded->active == tx->active;

}


/**

 * \brief this function will free memory associated with DetectFtpModeData

 *

 * \param ptr pointer to DetectFtpModeData

 */

static void DetectFtpModeFree(DetectEngineCtx *de_ctx, void *ptr)

{

    SCFTPFreeModeData(ptr);

}


/**

 * \brief This function is used to parse ftp.mode options passed via ftp.mode keyword

 *

 * \param str Pointer to the user provided ftp.mode options

 *

 * \retval  pointer to DetectFtpModeData on success

 * \retval NULL on failure

 */

static DetectFtpModeData *DetectFtpModeParse(const char *optstr)

{

    DetectFtpModeData *ftpmoded = SCFTPParseMode(optstr);

    if (unlikely(ftpmoded == NULL)) {

        SCLogError("Invalid command value");

        return NULL;

    }


    return ftpmoded;

}


static int DetectFtpModeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)

{

    if (SCDetectSignatureSetAppProto(s, ALPROTO_FTP) != 0)

        return -1;


    DetectFtpModeData *ftpmoded = DetectFtpModeParse(str);

    if (ftpmoded == NULL)

        return -1;


    if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_FTP_MODE, (SigMatchCtx *)ftpmoded,

                g_ftp_mode_buffer_id) == NULL) {

        DetectFtpModeFree(de_ctx, ftpmoded);

        return -1;

    }


    return 0;

}


void DetectFtpModeRegister(void)

{

    /* ftp.mode sticky buffer */

    sigmatch_table[DETECT_FTP_MODE].name = KEYWORD_NAME;

    sigmatch_table[DETECT_FTP_MODE].desc = "sticky buffer to match on the FTP mode buffer";

    sigmatch_table[DETECT_FTP_MODE].url = "/rules/" KEYWORD_DOC;

    sigmatch_table[DETECT_FTP_MODE].Setup = DetectFtpModeSetup;

    sigmatch_table[DETECT_FTP_MODE].AppLayerTxMatch = DetectFtpModeMatch;

    sigmatch_table[DETECT_FTP_MODE].Free = DetectFtpModeFree;


    DetectAppLayerInspectEngineRegister(

            BUFFER_NAME, ALPROTO_FTP, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectGenericList, NULL);


    DetectAppLayerInspectEngineRegister(

            BUFFER_NAME, ALPROTO_FTP, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL);


    DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);


    g_ftp_mode_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);


    SCLogDebug("registering " BUFFER_NAME " rule option");

}


app-layer-ftp.h

ALPROTO_FTP
@ ALPROTO_FTP
Definition app-layer-protos.h:37

app-layer.h

flags
uint8_t flags
Definition decode-gre.h:0

DETECT_FTP_MODE
@ DETECT_FTP_MODE
Definition detect-engine-register.h:323

DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition detect-engine.c:1374

DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition detect-engine.c:272

DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition detect-engine.c:1277

DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition detect-engine.c:1954

detect-engine.h

KEYWORD_DOC
#define KEYWORD_DOC
Definition detect-ftp-mode.c:43

BUFFER_DESC
#define BUFFER_DESC
Definition detect-ftp-mode.c:45

DetectFtpModeRegister
void DetectFtpModeRegister(void)
Definition detect-ftp-mode.c:121

BUFFER_NAME
#define BUFFER_NAME
Definition detect-ftp-mode.c:44

KEYWORD_NAME
#define KEYWORD_NAME
Definition detect-ftp-mode.c:42

detect-ftp-mode.h

SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition detect-parse.c:2229

SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition detect-parse.c:388

sigmatch_table
SigTableElmt * sigmatch_table
Definition detect-parse.c:79

detect-parse.h

detect.h

SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition detect.h:272

SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition detect.h:271

m
SCMutex m
Definition flow-hash.h:6

flow.h

de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18

rust.h

DetectEngineCtx_
main detection engine ctx
Definition detect.h:932

DetectEngineThreadCtx_
Definition detect.h:1244

FTPTransaction_
Definition app-layer-ftp.h:60

FTPTransaction_::command_descriptor
FtpCommandInfo command_descriptor
Definition app-layer-ftp.h:72

FTPTransaction_::active
bool active
Definition app-layer-ftp.h:76

FTPTransaction_::dyn_port
uint16_t dyn_port
Definition app-layer-ftp.h:74

Flow_
Flow data structure.
Definition flow.h:356

FtpCommandInfo_::command_code
FtpRequestCommand command_code
Definition app-layer-ftp.h:57

SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition detect.h:351

SigTableElmt_::url
const char * url
Definition detect.h:1462

SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441

SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition detect.h:1446

SigTableElmt_::desc
const char * desc
Definition detect.h:1461

SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition detect.h:1424

SigTableElmt_::name
const char * name
Definition detect.h:1459

Signature_
Signature container.
Definition detect.h:668

suricata-common.h

str
#define str(s)
Definition suricata-common.h:308

util-debug.h

SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275

SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267

unlikely
#define unlikely(expr)
Definition util-optimize.h:35