/src/suricata7/src/detect-dhcp-renewal-time.c
Line | Count | Source |
1 | | /* Copyright (C) 2022 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | #include "suricata-common.h" |
19 | | #include "rust.h" |
20 | | #include "detect-dhcp-renewal-time.h" |
21 | | #include "detect-engine.h" |
22 | | #include "detect-engine-mpm.h" |
23 | | #include "detect-engine-prefilter.h" |
24 | | #include "detect-engine-uint.h" |
25 | | #include "detect-parse.h" |
26 | | |
27 | | static int g_buffer_id = 0; |
28 | | |
29 | | /** |
30 | | * \internal |
31 | | * \brief Function to match renewal time of a TX |
32 | | * |
33 | | * \param t Pointer to thread vars. |
34 | | * \param det_ctx Pointer to the pattern matcher thread. |
35 | | * \param f Pointer to the current flow. |
36 | | * \param flags Flags. |
37 | | * \param state App layer state. |
38 | | * \param s Pointer to the Signature. |
39 | | * \param m Pointer to the sigmatch that we will cast into |
40 | | * DetectU64Data. |
41 | | * |
42 | | * \retval 0 no match. |
43 | | * \retval 1 match. |
44 | | */ |
45 | | static int DetectDHCPRenewalTimeMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, |
46 | | void *state, void *txv, const Signature *s, const SigMatchCtx *ctx) |
47 | 5 | { |
48 | 5 | SCEnter(); |
49 | | |
50 | 5 | uint64_t res; |
51 | 5 | if (rs_dhcp_tx_get_renewal_time(txv, &res)) { |
52 | 1 | const DetectU64Data *dd = (const DetectU64Data *)ctx; |
53 | 1 | if (DetectU64Match(res, dd)) { |
54 | 1 | SCReturnInt(1); |
55 | 1 | } |
56 | 1 | } |
57 | 5 | SCReturnInt(0); |
58 | 5 | } |
59 | | |
60 | | /** |
61 | | * \internal |
62 | | * \brief Function to free memory associated with DetectU64Data. |
63 | | * |
64 | | * \param de_ptr Pointer to DetectU64Data. |
65 | | */ |
66 | | static void DetectDHCPRenewalTimeFree(DetectEngineCtx *de_ctx, void *ptr) |
67 | 243 | { |
68 | 243 | rs_detect_u64_free(ptr); |
69 | 243 | } |
70 | | |
71 | | /** |
72 | | * \brief Function to add the parsed dhcp renewal time field into the current signature. |
73 | | * |
74 | | * \param de_ctx Pointer to the Detection Engine Context. |
75 | | * \param s Pointer to the Current Signature. |
76 | | * \param rawstr Pointer to the user provided flags options. |
77 | | * \param type Defines if this is notBefore or notAfter. |
78 | | * |
79 | | * \retval 0 on Success. |
80 | | * \retval -1 on Failure. |
81 | | */ |
82 | | static int DetectDHCPRenewalTimeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) |
83 | 741 | { |
84 | 741 | if (DetectSignatureSetAppProto(s, ALPROTO_DHCP) != 0) |
85 | 18 | return -1; |
86 | | |
87 | 723 | DetectU64Data *dd = DetectU64Parse(rawstr); |
88 | 723 | if (dd == NULL) { |
89 | 480 | SCLogError("Parsing \'%s\' failed for %s", rawstr, |
90 | 480 | sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].name); |
91 | 480 | return -1; |
92 | 480 | } |
93 | | |
94 | | /* okay so far so good, lets get this into a SigMatch |
95 | | * and put it in the Signature. */ |
96 | 243 | SigMatch *sm = SigMatchAlloc(); |
97 | 243 | if (sm == NULL) |
98 | 0 | goto error; |
99 | | |
100 | 243 | sm->type = DETECT_AL_DHCP_RENEWAL_TIME; |
101 | 243 | sm->ctx = (void *)dd; |
102 | | |
103 | 243 | SigMatchAppendSMToList(s, sm, g_buffer_id); |
104 | 243 | return 0; |
105 | | |
106 | 0 | error: |
107 | 0 | DetectDHCPRenewalTimeFree(de_ctx, dd); |
108 | 0 | return -1; |
109 | 243 | } |
110 | | |
111 | | /** |
112 | | * \brief Registration function for dhcp.procedure keyword. |
113 | | */ |
114 | | void DetectDHCPRenewalTimeRegister(void) |
115 | 34 | { |
116 | 34 | sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].name = "dhcp.renewal_time"; |
117 | 34 | sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].desc = "match DHCP renewal time"; |
118 | 34 | sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].url = "/rules/dhcp-keywords.html#dhcp-renewal-time"; |
119 | 34 | sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].AppLayerTxMatch = DetectDHCPRenewalTimeMatch; |
120 | 34 | sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].Setup = DetectDHCPRenewalTimeSetup; |
121 | 34 | sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].Free = DetectDHCPRenewalTimeFree; |
122 | | |
123 | 34 | DetectAppLayerInspectEngineRegister2("dhcp.renewal-time", ALPROTO_DHCP, SIG_FLAG_TOSERVER, 0, |
124 | 34 | DetectEngineInspectGenericList, NULL); |
125 | | |
126 | 34 | DetectAppLayerInspectEngineRegister2("dhcp.renewal-time", ALPROTO_DHCP, SIG_FLAG_TOCLIENT, 0, |
127 | 34 | DetectEngineInspectGenericList, NULL); |
128 | | |
129 | 34 | g_buffer_id = DetectBufferTypeGetByName("dhcp.renewal-time"); |
130 | 34 | } |