suricata
detect-icode.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2021 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Gerardo Iglesias <iglesiasg@gmail.com>
22 *
23 * Implements icode keyword support
24 */
25
26#include "suricata-common.h"
27#include "decode.h"
28
29#include "detect.h"
30#include "detect-parse.h"
32#include "detect-engine-uint.h"
33#include "detect-engine-build.h"
34
35#include "detect-icode.h"
36
37#include "util-byte.h"
38#include "util-unittest.h"
40#include "util-debug.h"
41
42/**
43 *\brief Regex for parsing our icode options
44 */
45
46static int DetectICodeMatch(DetectEngineThreadCtx *, Packet *,
47 const Signature *, const SigMatchCtx *);
48static int DetectICodeSetup(DetectEngineCtx *, Signature *, const char *);
49#ifdef UNITTESTS
50static void DetectICodeRegisterTests(void);
51#endif
52void DetectICodeFree(DetectEngineCtx *, void *);
53
54static int PrefilterSetupICode(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
55static bool PrefilterICodeIsPrefilterable(const Signature *s);
56
57/**
58 * \brief Registration function for icode: keyword
59 */
61{
63 sigmatch_table[DETECT_ICODE].desc = "match on specific ICMP id-value";
64 sigmatch_table[DETECT_ICODE].url = "/rules/header-keywords.html#icode";
65 sigmatch_table[DETECT_ICODE].Match = DetectICodeMatch;
66 sigmatch_table[DETECT_ICODE].Setup = DetectICodeSetup;
68#ifdef UNITTESTS
69 sigmatch_table[DETECT_ICODE].RegisterTests = DetectICodeRegisterTests;
70#endif
71 sigmatch_table[DETECT_ICODE].SupportsPrefilter = PrefilterICodeIsPrefilterable;
72 sigmatch_table[DETECT_ICODE].SetupPrefilter = PrefilterSetupICode;
73}
74
75/**
76 * \brief This function is used to match icode rule option set on a packet with those passed via
77 * icode:
78 *
79 * \param t pointer to thread vars
80 * \param det_ctx pointer to the pattern matcher thread
81 * \param p pointer to the current packet
82 * \param ctx pointer to the sigmatch that we will cast into DetectU8Data
83 *
84 * \retval 0 no match
85 * \retval 1 match
86 */
87static int DetectICodeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
88 const Signature *s, const SigMatchCtx *ctx)
89{
91
92 uint8_t picode;
93 if (PacketIsICMPv4(p)) {
94 picode = p->icmp_s.code;
95 } else if (PacketIsICMPv6(p)) {
96 const ICMPV6Hdr *icmpv6h = PacketGetICMPv6(p);
97 picode = ICMPV6_GET_CODE(icmpv6h);
98 } else {
99 /* Packet not ICMPv4 nor ICMPv6 */
100 return 0;
101 }
102
103 const DetectU8Data *icd = (const DetectU8Data *)ctx;
104 return DetectU8Match(picode, icd);
105}
106
107/**
108 * \brief this function is used to add the parsed icode data into the current signature
109 *
110 * \param de_ctx pointer to the Detection Engine Context
111 * \param s pointer to the Current Signature
112 * \param icodestr pointer to the user provided icode options
113 *
114 * \retval 0 on Success
115 * \retval -1 on Failure
116 */
117static int DetectICodeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *icodestr)
118{
119
120 DetectU8Data *icd = NULL;
121
122 icd = DetectU8Parse(icodestr);
123 if (icd == NULL)
124 return -1;
125
127 de_ctx, s, DETECT_ICODE, (SigMatchCtx *)icd, DETECT_SM_LIST_MATCH) == NULL) {
128 SCDetectU8Free(icd);
129 return -1;
130 }
132
133 return 0;
134}
135
136/**
137 * \brief this function will free memory associated with DetectU8Data
138 *
139 * \param ptr pointer to DetectU8Data
140 */
142{
143 SCDetectU8Free(ptr);
144}
145
146/* prefilter code */
147
148static void PrefilterPacketICodeMatch(DetectEngineThreadCtx *det_ctx,
149 Packet *p, const void *pectx)
150{
152
153 uint8_t picode;
154 if (PacketIsICMPv4(p)) {
155 picode = p->icmp_s.code;
156 } else if (PacketIsICMPv6(p)) {
157 const ICMPV6Hdr *icmpv6h = PacketGetICMPv6(p);
158 picode = ICMPV6_GET_CODE(icmpv6h);
159 } else {
160 /* Packet not ICMPv4 nor ICMPv6 */
161 return;
162 }
163
164 const PrefilterPacketU8HashCtx *h = pectx;
165 const SigsArray *sa = h->array[picode];
166 if (sa) {
167 PrefilterAddSids(&det_ctx->pmq, sa->sigs, sa->cnt);
168 }
169}
170
171static int PrefilterSetupICode(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
172{
174 PrefilterPacketU8Set, PrefilterPacketU8Compare, PrefilterPacketICodeMatch);
175}
176
177static bool PrefilterICodeIsPrefilterable(const Signature *s)
178{
179 const SigMatch *sm;
180 for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
181 switch (sm->type) {
182 case DETECT_ICODE:
183 return true;
184 }
185 }
186 return false;
187}
188
189#ifdef UNITTESTS
190#include "detect-engine.h"
191#include "detect-engine-mpm.h"
192#include "detect-engine-alert.h"
193
194/**
195 * \test DetectICodeParseTest01 is a test for setting a valid icode value
196 */
197static int DetectICodeParseTest01(void)
198{
199 DetectU8Data *icd = DetectU8Parse("8");
200 FAIL_IF_NULL(icd);
201 FAIL_IF_NOT(icd->arg1 == 8);
202 FAIL_IF_NOT(icd->mode == DETECT_UINT_EQ);
203 DetectICodeFree(NULL, icd);
204
205 PASS;
206}
207
208/**
209 * \test DetectICodeParseTest02 is a test for setting a valid icode value
210 * with ">" operator
211 */
212static int DetectICodeParseTest02(void)
213{
214 DetectU8Data *icd = DetectU8Parse(">8");
215 FAIL_IF_NULL(icd);
216 FAIL_IF_NOT(icd->arg1 == 8);
217 FAIL_IF_NOT(icd->mode == DETECT_UINT_GT);
218 DetectICodeFree(NULL, icd);
219
220 PASS;
221}
222
223/**
224 * \test DetectICodeParseTest03 is a test for setting a valid icode value
225 * with "<" operator
226 */
227static int DetectICodeParseTest03(void)
228{
229 DetectU8Data *icd = DetectU8Parse("<8");
230 FAIL_IF_NULL(icd);
231 FAIL_IF_NOT(icd->arg1 == 8);
232 FAIL_IF_NOT(icd->mode == DETECT_UINT_LT);
233 DetectICodeFree(NULL, icd);
234
235 PASS;
236}
237
238/**
239 * \test DetectICodeParseTest04 is a test for setting a valid icode value
240 * with "<>" operator
241 */
242static int DetectICodeParseTest04(void)
243{
244 DetectU8Data *icd = DetectU8Parse("8<>20");
245 FAIL_IF_NULL(icd);
246 FAIL_IF_NOT(icd->arg1 == 8);
247 FAIL_IF_NOT(icd->arg2 == 20);
248 FAIL_IF_NOT(icd->mode == DETECT_UINT_RA);
249 DetectICodeFree(NULL, icd);
250
251 PASS;
252}
253
254/**
255 * \test DetectICodeParseTest05 is a test for setting a valid icode value
256 * with spaces all around
257 */
258static int DetectICodeParseTest05(void)
259{
260 DetectU8Data *icd = DetectU8Parse(" 8 ");
261 FAIL_IF_NULL(icd);
262 FAIL_IF_NOT(icd->arg1 == 8);
263 FAIL_IF_NOT(icd->mode == DETECT_UINT_EQ);
264 DetectICodeFree(NULL, icd);
265
266 PASS;
267}
268
269/**
270 * \test DetectICodeParseTest06 is a test for setting a valid icode value
271 * with ">" operator and spaces all around
272 */
273static int DetectICodeParseTest06(void)
274{
275 DetectU8Data *icd = DetectU8Parse(" > 8 ");
276 FAIL_IF_NULL(icd);
277 FAIL_IF_NOT(icd->arg1 == 8);
278 FAIL_IF_NOT(icd->mode == DETECT_UINT_GT);
279 DetectICodeFree(NULL, icd);
280
281 PASS;
282}
283
284/**
285 * \test DetectICodeParseTest07 is a test for setting a valid icode value
286 * with "<>" operator and spaces all around
287 */
288static int DetectICodeParseTest07(void)
289{
290 DetectU8Data *icd = DetectU8Parse(" 8 <> 20 ");
291 FAIL_IF_NULL(icd);
292 FAIL_IF_NOT(icd->arg1 == 8);
293 FAIL_IF_NOT(icd->arg2 == 20);
294 FAIL_IF_NOT(icd->mode == DETECT_UINT_RA);
295 DetectICodeFree(NULL, icd);
296
297 PASS;
298}
299
300/**
301 * \test DetectICodeParseTest08 is a test for setting an invalid icode value
302 */
303static int DetectICodeParseTest08(void)
304{
305 DetectU8Data *icd = DetectU8Parse("> 8 <> 20");
306 FAIL_IF_NOT_NULL(icd);
307
308 PASS;
309}
310
311/**
312 * \test DetectICodeParseTest09 is a test for setting an invalid icode value
313 * with "<<" operator
314 */
315static int DetectICodeParseTest09(void)
316{
317 DetectU8Data *icd = DetectU8Parse("8<<20");
318 FAIL_IF_NOT_NULL(icd);
319
320 PASS;
321}
322
323/**
324 * \test DetectICodeMatchTest01 is a test for checking the working of icode
325 * keyword by creating 5 rules and matching a crafted packet against
326 * them. 4 out of 5 rules shall trigger.
327 */
328static int DetectICodeMatchTest01(void)
329{
330 Signature *s = NULL;
331 ThreadVars th_v;
332 DetectEngineThreadCtx *det_ctx;
333
334 memset(&th_v, 0, sizeof(th_v));
335
336 Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
337 FAIL_IF_NULL(p);
338 FAIL_IF_NOT(PacketIsICMPv4(p));
339 p->icmp_s.code = p->l4.hdrs.icmpv4h->code = 10;
340
343
345
346 s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any (icode:10; sid:1;)");
347 FAIL_IF_NULL(s);
348
349 s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any (icode:<15; sid:2;)");
350 FAIL_IF_NULL(s);
351
352 s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any (icode:>20; sid:3;)");
353 FAIL_IF_NULL(s);
354
355 s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any (icode:8<>20; sid:4;)");
356 FAIL_IF_NULL(s);
357
358 s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any (icode:20<>8; sid:5;)");
360
362 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
363
364 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
365
366 FAIL_IF(PacketAlertCheck(p, 1) == 0);
367 FAIL_IF(PacketAlertCheck(p, 2) == 0);
369 FAIL_IF(PacketAlertCheck(p, 4) == 0);
370
371 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
373
374 UTHFreePackets(&p, 1);
375
376 PASS;
377}
378
379/**
380 * \brief this function registers unit tests for DetectICode
381 */
382void DetectICodeRegisterTests(void)
383{
384 UtRegisterTest("DetectICodeParseTest01", DetectICodeParseTest01);
385 UtRegisterTest("DetectICodeParseTest02", DetectICodeParseTest02);
386 UtRegisterTest("DetectICodeParseTest03", DetectICodeParseTest03);
387 UtRegisterTest("DetectICodeParseTest04", DetectICodeParseTest04);
388 UtRegisterTest("DetectICodeParseTest05", DetectICodeParseTest05);
389 UtRegisterTest("DetectICodeParseTest06", DetectICodeParseTest06);
390 UtRegisterTest("DetectICodeParseTest07", DetectICodeParseTest07);
391 UtRegisterTest("DetectICodeParseTest08", DetectICodeParseTest08);
392 UtRegisterTest("DetectICodeParseTest09", DetectICodeParseTest09);
393 UtRegisterTest("DetectICodeMatchTest01", DetectICodeMatchTest01);
394}
395#endif /* UNITTESTS */
#define ICMPV6_GET_CODE(icmp6h)
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition decode.h:1321
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
int PrefilterSetupPacketHeaderU8Hash(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
DetectEngineCtx * DetectEngineCtxInit(void)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
DetectUintData_u8 * DetectU8Parse(const char *u8str)
This function is used to parse u8 options passed via some u8 keyword.
void PrefilterPacketU8Set(PrefilterPacketHeaderValue *v, void *smctx)
int DetectU8Match(const uint8_t parg, const DetectUintData_u8 *du8)
bool PrefilterPacketU8Compare(PrefilterPacketHeaderValue v, void *smctx)
#define DETECT_UINT_LT
#define DETECT_UINT_EQ
#define DETECT_UINT_GT
#define DETECT_UINT_RA
DetectUintData_u8 DetectU8Data
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
void DetectICodeRegister(void)
Registration function for icode: keyword.
void DetectICodeFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectU8Data
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
SigTableElmt * sigmatch_table
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
#define DE_QUIET
Definition detect.h:330
#define SIG_FLAG_REQUIRE_PACKET
Definition detect.h:254
#define SIG_MASK_REQUIRE_REAL_PKT
Definition detect.h:316
@ DETECT_SM_LIST_MATCH
Definition detect.h:117
DetectEngineCtx * de_ctx
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
#define PASS
Pass the test.
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
struct Thresholds ctx
main detection engine ctx
Definition detect.h:932
uint8_t flags
Definition detect.h:934
PrefilterRuleStore pmq
Definition detect.h:1349
union PacketL4::L4Hdrs hdrs
struct Packet_::@33::@40 icmp_s
struct PacketL4 l4
Definition decode.h:601
uint8_t code
Definition decode.h:512
Container for matching data for a signature group.
Definition detect.h:1629
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition detect.h:351
a single match condition for a signature
Definition detect.h:356
uint16_t type
Definition detect.h:357
struct SigMatch_ * next
Definition detect.h:360
const char * url
Definition detect.h:1462
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition detect.h:1444
void(* Free)(DetectEngineCtx *, void *)
Definition detect.h:1446
const char * desc
Definition detect.h:1461
void(* RegisterTests)(void)
Definition detect.h:1448
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition detect.h:1421
const char * name
Definition detect.h:1459
bool(* SupportsPrefilter)(const Signature *s)
Definition detect.h:1443
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition detect.h:642
Signature container.
Definition detect.h:668
uint32_t flags
Definition detect.h:669
SignatureInitData * init_data
Definition detect.h:747
Per thread variable structure.
Definition threadvars.h:58
ICMPV4Hdr * icmpv4h
Definition decode.h:471
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define DEBUG_VALIDATE_BUG_ON(exp)