/src/suricata7/src/detect-quic-ua.c

Source (jump to first uncovered line)
/* Copyright (C) 2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 *
 * Implements the quic.ua
 */

#include "suricata-common.h"
#include "conf.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-mpm.h"
#include "detect-engine-content-inspection.h"
#include "detect-engine-uint.h"
#include "detect-quic-ua.h"
#include "util-byte.h"
#include "util-unittest.h"
#include "rust.h"

#ifdef UNITTESTS
static void DetectQuicUaRegisterTests(void);
#endif

#define BUFFER_NAME  "quic_ua"
#define KEYWORD_NAME "quic.ua"
#define KEYWORD_ID   DETECT_AL_QUIC_UA

static int quic_ua_id = 0;

static int DetectQuicUaSetup(DetectEngineCtx *, Signature *, const char *);

static InspectionBuffer *GetUaData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        uint32_t b_len = 0;
        const uint8_t *b = NULL;

        if (rs_quic_tx_get_ua(txv, &b, &b_len) != 1)
            return NULL;
        if (b == NULL || b_len == 0)
            return NULL;

        InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
        InspectionBufferApplyTransforms(buffer, transforms);
    }
    return buffer;
}

/**
 * \brief Registration function for quic.ua: keyword
 */
void DetectQuicUaRegister(void)
{
    sigmatch_table[DETECT_AL_QUIC_UA].name = KEYWORD_NAME;
    sigmatch_table[DETECT_AL_QUIC_UA].desc = "match Quic ua";
    sigmatch_table[DETECT_AL_QUIC_UA].url = "/rules/quic-keywords.html#quic-ua";
    sigmatch_table[DETECT_AL_QUIC_UA].Setup = DetectQuicUaSetup;
    sigmatch_table[DETECT_AL_QUIC_UA].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
#ifdef UNITTESTS
    sigmatch_table[DETECT_AL_QUIC_UA].RegisterTests = DetectQuicUaRegisterTests;
#endif

    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetUaData, ALPROTO_QUIC, 1);

    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1,
            DetectEngineInspectBufferGeneric, GetUaData);

    quic_ua_id = DetectBufferTypeGetByName(BUFFER_NAME);
}

/**
 * \internal
 * \brief this function is used to add the parsed sigmatch  into the current signature
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param rawstr pointer to the user provided options
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
static int DetectQuicUaSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
{
    if (DetectBufferSetActiveList(de_ctx, s, quic_ua_id) < 0)
        return -1;

    if (DetectSignatureSetAppProto(s, ALPROTO_QUIC) < 0)
        return -1;

    return 0;
}

#ifdef UNITTESTS

/**
 * \test QuicUaTestParse01 is a test for a valid value
 *
 *  \retval 1 on success
 *  \retval 0 on failure
 */
static int QuicUaTestParse01(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    Signature *sig = DetectEngineAppendSig(
            de_ctx, "alert ip any any -> any any (quic.ua; content:\"googe.com\"; sid:1; rev:1;)");
    FAIL_IF_NULL(sig);

    sig = DetectEngineAppendSig(
            de_ctx, "alert ip any any -> any any (quic.ua; content:\"|00|\"; sid:2; rev:1;)");
    FAIL_IF_NULL(sig);

    DetectEngineCtxFree(de_ctx);

    PASS;
}

/**
 * \test QuicUaTestParse03 is a test for an invalid value
 *
 *  \retval 1 on success
 *  \retval 0 on failure
 */
static int QuicUaTestParse03(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    Signature *sig =
            DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (quic.ua:; sid:1; rev:1;)");
    FAIL_IF_NOT_NULL(sig);

    DetectEngineCtxFree(de_ctx);

    PASS;
}

/**
 * \brief this function registers unit tests for QuicUa
 */
void DetectQuicUaRegisterTests(void)
{
    UtRegisterTest("QuicUaTestParse01", QuicUaTestParse01);
    UtRegisterTest("QuicUaTestParse03", QuicUaTestParse03);
}

#endif /* UNITTESTS */

Line	Count	Source (jump to first uncovered line)
1		/* Copyright (C) 2022 Open Information Security Foundation
2		*
3		* You can copy, redistribute or modify this Program under the terms of
4		* the GNU General Public License version 2 as published by the Free
5		* Software Foundation.
6		*
7		* This program is distributed in the hope that it will be useful,
8		* but WITHOUT ANY WARRANTY; without even the implied warranty of
9		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10		* GNU General Public License for more details.
11		*
12		* You should have received a copy of the GNU General Public License
13		* version 2 along with this program; if not, write to the Free Software
14		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15		* 02110-1301, USA.
16		*/
17
18		/**
19		*
20		* Implements the quic.ua
21		*/
22
23		#include "suricata-common.h"
24		#include "conf.h"
25		#include "detect.h"
26		#include "detect-parse.h"
27		#include "detect-engine.h"
28		#include "detect-engine-prefilter.h"
29		#include "detect-engine-mpm.h"
30		#include "detect-engine-content-inspection.h"
31		#include "detect-engine-uint.h"
32		#include "detect-quic-ua.h"
33		#include "util-byte.h"
34		#include "util-unittest.h"
35		#include "rust.h"
36
37		#ifdef UNITTESTS
38		static void DetectQuicUaRegisterTests(void);
39		#endif
40
41	219	#define BUFFER_NAME "quic_ua"
42	73	#define KEYWORD_NAME "quic.ua"
43		#define KEYWORD_ID DETECT_AL_QUIC_UA
44
45		static int quic_ua_id = 0;
46
47		static int DetectQuicUaSetup(DetectEngineCtx , Signature , const char *);
48
49		static InspectionBuffer GetUaData(DetectEngineThreadCtx det_ctx,
50		const DetectEngineTransforms transforms, Flow _f, const uint8_t _flow_flags, void *txv,
51		const int list_id)
52	0	{
53	0	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
54	0	if (buffer->inspect == NULL) {
55	0	uint32_t b_len = 0;
56	0	const uint8_t *b = NULL;
57
58	0	if (rs_quic_tx_get_ua(txv, &b, &b_len) != 1)
59	0	return NULL;
60	0	if (b == NULL \|\| b_len == 0)
61	0	return NULL;
62
63	0	InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
64	0	InspectionBufferApplyTransforms(buffer, transforms);
65	0	}
66	0	return buffer;
67	0	}
68
69		/**
70		* \brief Registration function for quic.ua: keyword
71		*/
72		void DetectQuicUaRegister(void)
73	73	{
74	73	sigmatch_table[DETECT_AL_QUIC_UA].name = KEYWORD_NAME;
75	73	sigmatch_table[DETECT_AL_QUIC_UA].desc = "match Quic ua";
76	73	sigmatch_table[DETECT_AL_QUIC_UA].url = "/rules/quic-keywords.html#quic-ua";
77	73	sigmatch_table[DETECT_AL_QUIC_UA].Setup = DetectQuicUaSetup;
78	73	sigmatch_table[DETECT_AL_QUIC_UA].flags \|= SIGMATCH_NOOPT \| SIGMATCH_INFO_STICKY_BUFFER;
79		#ifdef UNITTESTS
80		sigmatch_table[DETECT_AL_QUIC_UA].RegisterTests = DetectQuicUaRegisterTests;
81		#endif
82
83	73	DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
84	73	GetUaData, ALPROTO_QUIC, 1);
85
86	73	DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1,
87	73	DetectEngineInspectBufferGeneric, GetUaData);
88
89	73	quic_ua_id = DetectBufferTypeGetByName(BUFFER_NAME);
90	73	}
91
92		/**
93		* \internal
94		* \brief this function is used to add the parsed sigmatch into the current signature
95		*
96		* \param de_ctx pointer to the Detection Engine Context
97		* \param s pointer to the Current Signature
98		* \param rawstr pointer to the user provided options
99		*
100		* \retval 0 on Success
101		* \retval -1 on Failure
102		*/
103		static int DetectQuicUaSetup(DetectEngineCtx de_ctx, Signature s, const char *rawstr)
104	132	{
105	132	if (DetectBufferSetActiveList(de_ctx, s, quic_ua_id) < 0)
106	7	return -1;
107
108	125	if (DetectSignatureSetAppProto(s, ALPROTO_QUIC) < 0)
109	8	return -1;
110
111	117	return 0;
112	125	}
113
114		#ifdef UNITTESTS
115
116		/**
117		* \test QuicUaTestParse01 is a test for a valid value
118		*
119		* \retval 1 on success
120		* \retval 0 on failure
121		*/
122		static int QuicUaTestParse01(void)
123		{
124		DetectEngineCtx *de_ctx = DetectEngineCtxInit();
125		FAIL_IF_NULL(de_ctx);
126
127		Signature *sig = DetectEngineAppendSig(
128		de_ctx, "alert ip any any -> any any (quic.ua; content:\"googe.com\"; sid:1; rev:1;)");
129		FAIL_IF_NULL(sig);
130
131		sig = DetectEngineAppendSig(
132		de_ctx, "alert ip any any -> any any (quic.ua; content:\"\|00\|\"; sid:2; rev:1;)");
133		FAIL_IF_NULL(sig);
134
135		DetectEngineCtxFree(de_ctx);
136
137		PASS;
138		}
139
140		/**
141		* \test QuicUaTestParse03 is a test for an invalid value
142		*
143		* \retval 1 on success
144		* \retval 0 on failure
145		*/
146		static int QuicUaTestParse03(void)
147		{
148		DetectEngineCtx *de_ctx = DetectEngineCtxInit();
149		FAIL_IF_NULL(de_ctx);
150
151		Signature *sig =
152		DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (quic.ua:; sid:1; rev:1;)");
153		FAIL_IF_NOT_NULL(sig);
154
155		DetectEngineCtxFree(de_ctx);
156
157		PASS;
158		}
159
160		/**
161		* \brief this function registers unit tests for QuicUa
162		*/
163		void DetectQuicUaRegisterTests(void)
164		{
165		UtRegisterTest("QuicUaTestParse01", QuicUaTestParse01);
166		UtRegisterTest("QuicUaTestParse03", QuicUaTestParse03);
167		}
168
169		#endif /* UNITTESTS */

Coverage Report

Created: 2025-07-23 07:29