suricata
detect-target.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2020 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Eric Leblond <eric@regit.org>
22 *
23 * target keyword allow rules writer to specify information about target of the attack
24 */
25
26#include "suricata-common.h"
27#include "util-unittest.h"
28
29#include "detect-parse.h"
30#include "detect-engine.h"
31
32#include "detect-target.h"
33
34/**
35 * \brief Regex for parsing our keyword options
36 */
37#define PARSE_REGEX "^\\s*(src_ip|dest_ip)\\s*$"
38
39static DetectParseRegex parse_regex;
40
41/* Prototypes of functions registered in DetectTargetRegister below */
42static int DetectTargetSetup (DetectEngineCtx *, Signature *, const char *);
43#ifdef UNITTESTS
44static void DetectTargetRegisterTests (void);
45#endif
46
47/**
48 * \brief Registration function for target keyword
49 *
50 */
52 /* keyword name: this is how the keyword is used in a rule */
54 /* description: listed in "suricata --list-keywords=all" */
55 sigmatch_table[DETECT_TARGET].desc = "indicate to output module which side is the target of the attack";
56 /* link to further documentation of the keyword. Normally on the Suricata redmine/wiki */
57 sigmatch_table[DETECT_TARGET].url = "/rules/meta.html#target";
58 /* match function is called when the signature is inspected on a packet */
60 /* setup function is called during signature parsing, when the target
61 * keyword is encountered in the rule */
62 sigmatch_table[DETECT_TARGET].Setup = DetectTargetSetup;
63 /* free function is called when the detect engine is freed. Normally at
64 * shutdown, but also during rule reloads. */
66 /* registers unittests into the system */
67#ifdef UNITTESTS
68 sigmatch_table[DETECT_TARGET].RegisterTests = DetectTargetRegisterTests;
69#endif
70 /* set up the PCRE for keyword parsing */
72}
73
74/**
75 * \brief This function is used to parse target options passed via target: keyword
76 *
77 * \param targetstr Pointer to the user provided target options
78 *
79 * \retval 0 on Success
80 * \retval -1 on Failure
81 */
82static int DetectTargetParse(Signature *s, const char *targetstr)
83{
84 size_t pcre2len;
85 char value[10];
86
87 pcre2_match_data *match = NULL;
88 int ret = DetectParsePcreExec(&parse_regex, &match, targetstr, 0, 0);
89 if (ret < 1) {
90 SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, targetstr);
91 goto error;
92 }
93
94 pcre2len = sizeof(value);
95 int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)value, &pcre2len);
96 if (res < 0) {
97 SCLogError("pcre2_substring_copy_bynumber failed");
98 goto error;
99 }
100
101 /* now check key value */
102 if (!strcmp(value, "src_ip")) {
104 SCLogError("Conflicting values of target keyword");
105 goto error;
106 }
108 } else if (!strcmp(value, "dest_ip")) {
109 if (s->flags & SIG_FLAG_SRC_IS_TARGET) {
110 SCLogError("Conflicting values of target keyword");
111 goto error;
112 }
114 } else {
115 SCLogError("only 'src_ip' and 'dest_ip' are supported as target value");
116 goto error;
117 }
118 pcre2_match_data_free(match);
119 return 0;
120
121error:
122 if (match) {
123 pcre2_match_data_free(match);
124 }
125 return -1;
126}
127
128/**
129 * \brief parse the options from the 'target' keyword in the rule into
130 * the Signature data structure.
131 *
132 * \param de_ctx pointer to the Detection Engine Context
133 * \param s pointer to the Current Signature
134 * \param targetstr pointer to the user provided target options
135 *
136 * \retval 0 on Success
137 * \retval -1 on Failure
138 */
139static int DetectTargetSetup(DetectEngineCtx *de_ctx, Signature *s, const char *targetstr)
140{
141 int ret = DetectTargetParse(s, targetstr);
142 if (ret < 0)
143 return -1;
144
145 return 0;
146}
147
148#ifdef UNITTESTS
149
150static int DetectTargetSignatureTest01(void)
151{
154
155 Signature *sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (target: dest_ip; sid:1; rev:1;)");
156 FAIL_IF_NULL(sig);
157
159 PASS;
160}
161
162/**
163 * \brief this function registers unit tests for DetectTarget
164 */
165static void DetectTargetRegisterTests(void)
166{
167 UtRegisterTest("DetectTargetSignatureTest01",
168 DetectTargetSignatureTest01);
169}
170#endif /* UNITTESTS */
DetectEngineCtx * DetectEngineCtxInit(void)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
SigTableElmt * sigmatch_table
void DetectTargetRegister(void)
Registration function for target keyword.
#define PARSE_REGEX
Regex for parsing our keyword options.
#define SIG_FLAG_SRC_IS_TARGET
Definition detect.h:283
#define SIG_FLAG_DEST_IS_TARGET
Definition detect.h:285
DetectEngineCtx * de_ctx
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define PASS
Pass the test.
main detection engine ctx
Definition detect.h:932
const char * url
Definition detect.h:1462
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441
void(* Free)(DetectEngineCtx *, void *)
Definition detect.h:1446
const char * desc
Definition detect.h:1461
void(* RegisterTests)(void)
Definition detect.h:1448
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition detect.h:1421
const char * name
Definition detect.h:1459
Signature container.
Definition detect.h:668
uint32_t flags
Definition detect.h:669
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267