suricata
detect-tcp-window.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2020 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
22 *
23 * Implements the window keyword.
24 */
25
26#include "suricata-common.h"
27#include "decode.h"
28
29#include "detect.h"
30#include "detect-parse.h"
31
32#include "detect-tcp-window.h"
33#include "flow.h"
34#include "flow-var.h"
35
36#include "util-debug.h"
37#include "util-unittest.h"
39#include "util-byte.h"
40
41/**
42 * \brief Regex for parsing our window option
43 */
44#define PARSE_REGEX "^\\s*([!])?\\s*([0-9]{1,9}+)\\s*$"
45
46static DetectParseRegex parse_regex;
47
48static int DetectWindowMatch(DetectEngineThreadCtx *, Packet *,
49 const Signature *, const SigMatchCtx *);
50static int DetectWindowSetup(DetectEngineCtx *, Signature *, const char *);
51#ifdef UNITTESTS
52static void DetectWindowRegisterTests(void);
53#endif
54void DetectWindowFree(DetectEngineCtx *, void *);
55
56/**
57 * \brief Registration function for window: keyword
58 */
60{
61 sigmatch_table[DETECT_WINDOW].name = "tcp.window";
63 sigmatch_table[DETECT_WINDOW].desc = "check for a specific TCP window size";
64 sigmatch_table[DETECT_WINDOW].url = "/rules/header-keywords.html#window";
65 sigmatch_table[DETECT_WINDOW].Match = DetectWindowMatch;
66 sigmatch_table[DETECT_WINDOW].Setup = DetectWindowSetup;
68#ifdef UNITTESTS
69 sigmatch_table[DETECT_WINDOW].RegisterTests = DetectWindowRegisterTests;
70#endif
72}
73
74/**
75 * \brief This function is used to match the window size on a packet
76 *
77 * \param t pointer to thread vars
78 * \param det_ctx pointer to the pattern matcher thread
79 * \param p pointer to the current packet
80 * \param m pointer to the sigmatch that we will cast into DetectWindowData
81 *
82 * \retval 0 no match
83 * \retval 1 match
84 */
85static int DetectWindowMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
86 const Signature *s, const SigMatchCtx *ctx)
87{
88 const DetectWindowData *wd = (const DetectWindowData *)ctx;
89
91 if (!(PacketIsTCP(p)) || wd == NULL) {
92 return 0;
93 }
94
95 const uint16_t window = TCP_GET_RAW_WINDOW(PacketGetTCP(p));
96 if ((!wd->negated && wd->size == window) || (wd->negated && wd->size != window)) {
97 return 1;
98 }
99
100 return 0;
101}
102
103/**
104 * \brief This function is used to parse window options passed via window: keyword
105 *
106 * \param de_ctx Pointer to the detection engine context
107 * \param windowstr Pointer to the user provided window options (negation! and size)
108 *
109 * \retval wd pointer to DetectWindowData on success
110 * \retval NULL on failure
111 */
112static DetectWindowData *DetectWindowParse(DetectEngineCtx *de_ctx, const char *windowstr)
113{
114 DetectWindowData *wd = NULL;
115 int res = 0;
116 size_t pcre2len;
117
118 pcre2_match_data *match = NULL;
119 int ret = DetectParsePcreExec(&parse_regex, &match, windowstr, 0, 0);
120 if (ret < 1 || ret > 3) {
121 SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, windowstr);
122 goto error;
123 }
124
125 wd = SCMalloc(sizeof(DetectWindowData));
126 if (unlikely(wd == NULL))
127 goto error;
128
129 if (ret > 1) {
130 char copy_str[128] = "";
131 pcre2len = sizeof(copy_str);
132 res = SC_Pcre2SubstringCopy(match, 1, (PCRE2_UCHAR8 *)copy_str, &pcre2len);
133 if (res < 0) {
134 SCLogError("pcre2_substring_copy_bynumber failed");
135 goto error;
136 }
137
138 /* Detect if it's negated */
139 if (copy_str[0] == '!')
140 wd->negated = 1;
141 else
142 wd->negated = 0;
143
144 if (ret > 2) {
145 pcre2len = sizeof(copy_str);
146 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)copy_str, &pcre2len);
147 if (res < 0) {
148 SCLogError("pcre2_substring_copy_bynumber failed");
149 goto error;
150 }
151
152 /* Get the window size if it's a valid value (in packets, we
153 * should alert if this doesn't happen from decode) */
154 if (StringParseUint16(&wd->size, 10, 0, copy_str) < 0) {
155 goto error;
156 }
157 }
158 }
159
160 pcre2_match_data_free(match);
161 return wd;
162
163error:
164 if (match) {
165 pcre2_match_data_free(match);
166 }
167 if (wd != NULL)
169 return NULL;
170
171}
172
173/**
174 * \brief this function is used to add the parsed window sizedata into the current signature
175 *
176 * \param de_ctx pointer to the Detection Engine Context
177 * \param s pointer to the Current Signature
178 * \param windowstr pointer to the user provided window options
179 *
180 * \retval 0 on Success
181 * \retval -1 on Failure
182 */
183static int DetectWindowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *windowstr)
184{
185 DetectWindowData *wd = NULL;
186
187 wd = DetectWindowParse(de_ctx, windowstr);
188 if (wd == NULL) goto error;
189
190 /* Okay so far so good, lets get this into a SigMatch
191 * and put it in the Signature. */
192
195 goto error;
196 }
198
199 return 0;
200
201error:
202 if (wd != NULL)
204 return -1;
205
206}
207
208/**
209 * \brief this function will free memory associated with DetectWindowData
210 *
211 * \param wd pointer to DetectWindowData
212 */
214{
216 SCFree(wd);
217}
218
219#ifdef UNITTESTS /* UNITTESTS */
220
221/**
222 * \test DetectWindowTestParse01 is a test to make sure that we set the size correctly
223 * when given valid window opt
224 */
225static int DetectWindowTestParse01 (void)
226{
227 DetectWindowData *wd = NULL;
228 wd = DetectWindowParse(NULL, "35402");
229 FAIL_IF_NULL(wd);
230 FAIL_IF_NOT(wd->size == 35402);
231
232 DetectWindowFree(NULL, wd);
233 PASS;
234}
235
236/**
237 * \test DetectWindowTestParse02 is a test for setting the window opt negated
238 */
239static int DetectWindowTestParse02 (void)
240{
241 DetectWindowData *wd = NULL;
242 wd = DetectWindowParse(NULL, "!35402");
243 FAIL_IF_NULL(wd);
244 FAIL_IF_NOT(wd->negated == 1);
245 FAIL_IF_NOT(wd->size == 35402);
246
247 DetectWindowFree(NULL, wd);
248 PASS;
249}
250
251/**
252 * \test DetectWindowTestParse03 is a test to check for an empty value
253 */
254static int DetectWindowTestParse03 (void)
255{
256 DetectWindowData *wd = NULL;
257 wd = DetectWindowParse(NULL, "");
259
260 DetectWindowFree(NULL, wd);
261 PASS;
262}
263
264/**
265 * \test DetectWindowTestParse03 is a test to check for a big value
266 */
267static int DetectWindowTestParse04 (void)
268{
269 DetectWindowData *wd = NULL;
270 wd = DetectWindowParse(NULL, "1235402");
272
273 DetectWindowFree(NULL, wd);
274 PASS;
275}
276
277/**
278 * \test DetectWindowTestPacket01 is a test to check window with constructed packets
279 */
280static int DetectWindowTestPacket01 (void)
281{
282 uint8_t *buf = (uint8_t *)"Hi all!";
283 uint16_t buflen = strlen((char *)buf);
284 Packet *p[3];
285 p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
286 p[1] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
287 p[2] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_ICMP);
288
289 FAIL_IF(p[0] == NULL || p[1] == NULL || p[2] == NULL);
290
291 /* TCP wwindow = 40 */
292 p[0]->l4.hdrs.tcph->th_win = htons(40);
293
294 /* TCP window = 41 */
295 p[1]->l4.hdrs.tcph->th_win = htons(41);
296
297 const char *sigs[2];
298 sigs[0]= "alert tcp any any -> any any (msg:\"Testing window 1\"; window:40; sid:1;)";
299 sigs[1]= "alert tcp any any -> any any (msg:\"Testing window 2\"; window:41; sid:2;)";
300
301 uint32_t sid[2] = {1, 2};
302
303 uint32_t results[3][2] = {
304 /* packet 0 match sid 1 but should not match sid 2 */
305 {1, 0},
306 /* packet 1 should not match */
307 {0, 1},
308 /* packet 2 should not match */
309 {0, 0} };
310 FAIL_IF(UTHGenericTest(p, 3, sigs, sid, (uint32_t *)results, 2) == 0);
311
312 UTHFreePackets(p, 3);
313 PASS;
314}
315
316/**
317 * \brief this function registers unit tests for DetectWindow
318 */
319void DetectWindowRegisterTests(void)
320{
321 UtRegisterTest("DetectWindowTestParse01", DetectWindowTestParse01);
322 UtRegisterTest("DetectWindowTestParse02", DetectWindowTestParse02);
323 UtRegisterTest("DetectWindowTestParse03", DetectWindowTestParse03);
324 UtRegisterTest("DetectWindowTestParse04", DetectWindowTestParse04);
325 UtRegisterTest("DetectWindowTestPacket01", DetectWindowTestPacket01);
326}
327#endif /* UNITTESTS */
#define TCP_GET_RAW_WINDOW(tcph)
Definition decode-tcp.h:83
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition decode.h:1321
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
SigTableElmt * sigmatch_table
void DetectWindowRegister(void)
Registration function for window: keyword.
void DetectWindowFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectWindowData
#define PARSE_REGEX
Regex for parsing our window option.
#define SIG_FLAG_REQUIRE_PACKET
Definition detect.h:254
@ DETECT_SM_LIST_MATCH
Definition detect.h:117
DetectEngineCtx * de_ctx
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
#define PASS
Pass the test.
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
struct Thresholds ctx
main detection engine ctx
Definition detect.h:932
union PacketL4::L4Hdrs hdrs
struct PacketL4 l4
Definition decode.h:601
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition detect.h:351
const char * url
Definition detect.h:1462
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441
void(* Free)(DetectEngineCtx *, void *)
Definition detect.h:1446
const char * desc
Definition detect.h:1461
void(* RegisterTests)(void)
Definition detect.h:1448
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition detect.h:1421
const char * alias
Definition detect.h:1460
const char * name
Definition detect.h:1459
Signature container.
Definition detect.h:668
uint32_t flags
Definition detect.h:669
uint16_t th_win
Definition decode-tcp.h:156
TCPHdr * tcph
Definition decode.h:469
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition util-byte.c:337
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267
#define SCMalloc(sz)
Definition util-mem.h:47
#define SCFree(p)
Definition util-mem.h:61
#define unlikely(expr)
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that perform a generic check taking care of as maximum common unittest eleme...
#define DEBUG_VALIDATE_BUG_ON(exp)