/src/suricata7/src/detect-frame.c
Line | Count | Source |
1 | | /* Copyright (C) 2021-2022 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | */ |
21 | | |
22 | | #include "suricata-common.h" |
23 | | #include "threads.h" |
24 | | #include "decode.h" |
25 | | #include "detect.h" |
26 | | |
27 | | #include "app-layer-frames.h" |
28 | | #include "app-layer-parser.h" |
29 | | |
30 | | #include "detect-parse.h" |
31 | | #include "detect-engine.h" |
32 | | #include "detect-engine-mpm.h" |
33 | | #include "detect-engine-prefilter.h" |
34 | | #include "detect-content.h" |
35 | | #include "detect-engine-content-inspection.h" |
36 | | #include "detect-frame.h" |
37 | | |
38 | | #include "flow.h" |
39 | | #include "flow-util.h" |
40 | | #include "flow-var.h" |
41 | | |
42 | | #include "conf.h" |
43 | | #include "conf-yaml-loader.h" |
44 | | |
45 | | #include "util-debug.h" |
46 | | #include "util-unittest.h" |
47 | | #include "util-spm.h" |
48 | | #include "util-print.h" |
49 | | |
50 | | static int DetectFrameSetup(DetectEngineCtx *, Signature *, const char *); |
51 | | |
52 | | /** |
53 | | * \brief this function setup the sticky buffer used in the rule |
54 | | * |
55 | | * \param de_ctx Pointer to the Detection Engine Context |
56 | | * \param s Pointer to the Signature to which the current keyword belongs |
57 | | * \param str The frame name. Can be short name 'pdu' or full name 'sip.pdu' |
58 | | * |
59 | | * \retval 0 On success |
60 | | * \retval -1 On failure |
61 | | */ |
62 | | static int DetectFrameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) |
63 | 50.2k | { |
64 | 50.2k | char value[256] = ""; |
65 | 50.2k | strlcpy(value, str, sizeof(value)); |
66 | 50.2k | char buffer_name[512] = ""; // for registering in detect API we always need <proto>.<frame>. |
67 | | |
68 | 50.2k | const bool is_tcp = DetectProtoContainsProto(&s->proto, IPPROTO_TCP); |
69 | 50.2k | const bool is_udp = DetectProtoContainsProto(&s->proto, IPPROTO_UDP); |
70 | 50.2k | if (!(is_tcp || is_udp)) { |
71 | 58 | SCLogError("'frame' keyword only supported for TCP and UDP"); |
72 | 58 | return -1; |
73 | 58 | } |
74 | | |
75 | 50.1k | char *dot = strchr(value, '.'); |
76 | 50.1k | if (dot != NULL) |
77 | 36.8k | *dot++ = '\0'; |
78 | 50.1k | const char *val = dot ? dot : value; |
79 | 50.1k | const char *proto = dot ? value : NULL; |
80 | | |
81 | 50.1k | bool is_short = false; |
82 | 50.1k | AppProto keyword_alproto = ALPROTO_UNKNOWN; |
83 | 50.1k | AppProto rule_alproto = s->alproto; |
84 | | |
85 | 50.1k | if (proto != NULL) { |
86 | 36.8k | keyword_alproto = StringToAppProto(proto); |
87 | 36.8k | if (!AppProtoIsValid(keyword_alproto)) { |
88 | 23.9k | is_short = true; |
89 | 23.9k | keyword_alproto = rule_alproto; |
90 | 23.9k | } |
91 | 36.8k | } else { |
92 | 13.3k | is_short = true; |
93 | 13.3k | keyword_alproto = rule_alproto; |
94 | 13.3k | } |
95 | | |
96 | 50.1k | if (is_short && rule_alproto == ALPROTO_UNKNOWN) { |
97 | 585 | SCLogError("rule protocol unknown, can't use shorthand notation for frame '%s'", str); |
98 | 585 | return -1; |
99 | 49.6k | } else if (rule_alproto == ALPROTO_UNKNOWN) { |
100 | 1.12k | if (DetectSignatureSetAppProto(s, keyword_alproto) < 0) |
101 | 2 | return -1; |
102 | 48.4k | } else if (!AppProtoEquals(rule_alproto, keyword_alproto)) { |
103 | 63 | SCLogError("frame '%s' protocol '%s' mismatch with rule protocol '%s'", str, |
104 | 63 | AppProtoToString(keyword_alproto), AppProtoToString(s->alproto)); |
105 | 63 | return -1; |
106 | 63 | } |
107 | | |
108 | 49.5k | const char *frame_str = is_short ? str : val; |
109 | 49.5k | int raw_frame_type = -1; |
110 | 49.5k | if (is_tcp) { |
111 | 48.7k | if (strcmp(frame_str, "stream") == 0) { |
112 | 1.62k | raw_frame_type = FRAME_STREAM_TYPE; |
113 | 47.1k | } else { |
114 | 47.1k | raw_frame_type = |
115 | 47.1k | AppLayerParserGetFrameIdByName(IPPROTO_TCP, keyword_alproto, frame_str); |
116 | 47.1k | } |
117 | 48.7k | } |
118 | 49.5k | if (is_udp && raw_frame_type < 0) |
119 | 1.72k | raw_frame_type = AppLayerParserGetFrameIdByName(IPPROTO_UDP, keyword_alproto, frame_str); |
120 | 49.5k | if (raw_frame_type < 0) { |
121 | 8.12k | SCLogError("unknown frame '%s' for protocol '%s'", frame_str, proto); |
122 | 8.12k | return -1; |
123 | 8.12k | } |
124 | 41.4k | BUG_ON(raw_frame_type > UINT8_MAX); |
125 | | |
126 | 41.4k | if (is_short) { |
127 | 31.0k | snprintf(buffer_name, sizeof(buffer_name), "%s.%s", AppProtoToString(s->alproto), str); |
128 | 31.0k | SCLogDebug("short name: %s", buffer_name); |
129 | 31.0k | } else { |
130 | 10.4k | strlcpy(buffer_name, str, sizeof(buffer_name)); |
131 | 10.4k | SCLogDebug("long name: %s", buffer_name); |
132 | 10.4k | } |
133 | | |
134 | 41.4k | uint8_t frame_type = (uint8_t)raw_frame_type; |
135 | | /* TODO we can have TS and TC specific frames */ |
136 | 41.4k | const int buffer_id = DetectEngineBufferTypeRegisterWithFrameEngines(de_ctx, buffer_name, |
137 | 41.4k | SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT, keyword_alproto, frame_type); |
138 | 41.4k | if (buffer_id < 0) |
139 | 0 | return -1; |
140 | | |
141 | 41.4k | if (DetectBufferSetActiveList(de_ctx, s, buffer_id) < 0) |
142 | 10 | return -1; |
143 | | |
144 | 41.4k | FrameConfigEnable(keyword_alproto, frame_type); |
145 | 41.4k | return 0; |
146 | 41.4k | } |
147 | | |
148 | | #ifdef UNITTESTS |
149 | | |
150 | | static int DetectFrameTestBadRules(void) |
151 | | { |
152 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
153 | | FAIL_IF_NULL(de_ctx); |
154 | | |
155 | | const char *sigs[] = { |
156 | | "alert tcp-pkt any any -> any any (frame:tls.pdu; content:\"a\"; sid:1;)", |
157 | | "alert udp any any -> any any (frame:tls.pdu; content:\"a\"; sid:2;)", |
158 | | "alert smb any any -> any any (frame:tls.pdu; content:\"a\"; sid:3;)", |
159 | | "alert tcp any any -> any any (frame:tls; content:\"a\"; sid:4;)", |
160 | | "alert tls any any -> any any (content:\"abc\"; frame:tls.pdu; content:\"a\"; sid:5;)", |
161 | | "alert tls any any -> any any (tls.version:1.0; frame:tls.pdu; content:\"a\"; sid:6;)", |
162 | | "alert tls any any -> any any (frame:smb1.pdu; content:\"a\"; sid:7;)", |
163 | | NULL, |
164 | | }; |
165 | | |
166 | | const char **sig = sigs; |
167 | | while (*sig) { |
168 | | SCLogDebug("sig %s", *sig); |
169 | | Signature *s = DetectEngineAppendSig(de_ctx, *sig); |
170 | | FAIL_IF_NOT_NULL(s); |
171 | | sig++; |
172 | | } |
173 | | |
174 | | DetectEngineCtxFree(de_ctx); |
175 | | PASS; |
176 | | } |
177 | | |
178 | | static void DetectFrameRegisterTests(void) |
179 | | { |
180 | | UtRegisterTest("DetectFrameTestBadRules", DetectFrameTestBadRules); |
181 | | } |
182 | | #endif |
183 | | |
184 | | /** |
185 | | * \brief Registration function for keyword: ja3_hash |
186 | | */ |
187 | | void DetectFrameRegister(void) |
188 | 73 | { |
189 | 73 | sigmatch_table[DETECT_FRAME].name = "frame"; |
190 | 73 | sigmatch_table[DETECT_FRAME].desc = "sticky buffer for inspecting app-layer frames"; |
191 | 73 | sigmatch_table[DETECT_FRAME].Setup = DetectFrameSetup; |
192 | 73 | sigmatch_table[DETECT_FRAME].flags = SIGMATCH_INFO_STICKY_BUFFER; |
193 | | #ifdef UNITTESTS |
194 | | sigmatch_table[DETECT_FRAME].RegisterTests = DetectFrameRegisterTests; |
195 | | #endif |
196 | 73 | } |