/src/suricata7/src/detect-dhcp-rebinding-time.c
Line | Count | Source |
1 | | /* Copyright (C) 2022 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | #include "suricata-common.h" |
19 | | #include "rust.h" |
20 | | #include "detect-dhcp-rebinding-time.h" |
21 | | #include "detect-engine.h" |
22 | | #include "detect-engine-mpm.h" |
23 | | #include "detect-engine-prefilter.h" |
24 | | #include "detect-engine-uint.h" |
25 | | #include "detect-parse.h" |
26 | | |
27 | | static int g_buffer_id = 0; |
28 | | |
29 | | /** |
30 | | * \internal |
31 | | * \brief Function to match rebinding time of a TX |
32 | | * |
33 | | * \param t Pointer to thread vars. |
34 | | * \param det_ctx Pointer to the pattern matcher thread. |
35 | | * \param f Pointer to the current flow. |
36 | | * \param flags Flags. |
37 | | * \param state App layer state. |
38 | | * \param s Pointer to the Signature. |
39 | | * \param m Pointer to the sigmatch that we will cast into |
40 | | * DetectU64Data. |
41 | | * |
42 | | * \retval 0 no match. |
43 | | * \retval 1 match. |
44 | | */ |
45 | | static int DetectDHCPRebindingTimeMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, |
46 | | void *state, void *txv, const Signature *s, const SigMatchCtx *ctx) |
47 | 6 | { |
48 | 6 | SCEnter(); |
49 | | |
50 | 6 | uint64_t res; |
51 | 6 | if (rs_dhcp_tx_get_rebinding_time(txv, &res)) { |
52 | 1 | const DetectU64Data *dd = (const DetectU64Data *)ctx; |
53 | 1 | if (DetectU64Match(res, dd)) { |
54 | 0 | SCReturnInt(1); |
55 | 0 | } |
56 | 1 | } |
57 | 6 | SCReturnInt(0); |
58 | 6 | } |
59 | | |
60 | | /** |
61 | | * \internal |
62 | | * \brief Function to free memory associated with DetectU64Data. |
63 | | * |
64 | | * \param de_ptr Pointer to DetectU64Data. |
65 | | */ |
66 | | static void DetectDHCPRebindingTimeFree(DetectEngineCtx *de_ctx, void *ptr) |
67 | 13 | { |
68 | 13 | rs_detect_u64_free(ptr); |
69 | 13 | } |
70 | | |
71 | | /** |
72 | | * \brief Function to add the parsed dhcp rebinding time field into the current signature. |
73 | | * |
74 | | * \param de_ctx Pointer to the Detection Engine Context. |
75 | | * \param s Pointer to the Current Signature. |
76 | | * \param rawstr Pointer to the user provided flags options. |
77 | | * \param type Defines if this is notBefore or notAfter. |
78 | | * |
79 | | * \retval 0 on Success. |
80 | | * \retval -1 on Failure. |
81 | | */ |
82 | | static int DetectDHCPRebindingTimeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) |
83 | 89 | { |
84 | 89 | if (DetectSignatureSetAppProto(s, ALPROTO_DHCP) != 0) |
85 | 67 | return -1; |
86 | | |
87 | 22 | DetectU64Data *dd = DetectU64Parse(rawstr); |
88 | 22 | if (dd == NULL) { |
89 | 9 | SCLogError("Parsing \'%s\' failed for %s", rawstr, |
90 | 9 | sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].name); |
91 | 9 | return -1; |
92 | 9 | } |
93 | | |
94 | | /* okay so far so good, lets get this into a SigMatch |
95 | | * and put it in the Signature. */ |
96 | 13 | SigMatch *sm = SigMatchAlloc(); |
97 | 13 | if (sm == NULL) |
98 | 0 | goto error; |
99 | | |
100 | 13 | sm->type = DETECT_AL_DHCP_REBINDING_TIME; |
101 | 13 | sm->ctx = (void *)dd; |
102 | | |
103 | 13 | SigMatchAppendSMToList(s, sm, g_buffer_id); |
104 | 13 | return 0; |
105 | | |
106 | 0 | error: |
107 | 0 | DetectDHCPRebindingTimeFree(de_ctx, dd); |
108 | 0 | return -1; |
109 | 13 | } |
110 | | |
111 | | /** |
112 | | * \brief Registration function for dhcp.procedure keyword. |
113 | | */ |
114 | | void DetectDHCPRebindingTimeRegister(void) |
115 | 34 | { |
116 | 34 | sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].name = "dhcp.rebinding_time"; |
117 | 34 | sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].desc = "match DHCP rebinding time"; |
118 | 34 | sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].url = |
119 | 34 | "/rules/dhcp-keywords.html#dhcp-rebinding-time"; |
120 | 34 | sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].AppLayerTxMatch = DetectDHCPRebindingTimeMatch; |
121 | 34 | sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].Setup = DetectDHCPRebindingTimeSetup; |
122 | 34 | sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].Free = DetectDHCPRebindingTimeFree; |
123 | | |
124 | 34 | DetectAppLayerInspectEngineRegister2("dhcp.rebinding-time", ALPROTO_DHCP, SIG_FLAG_TOSERVER, 0, |
125 | 34 | DetectEngineInspectGenericList, NULL); |
126 | | |
127 | 34 | DetectAppLayerInspectEngineRegister2("dhcp.rebinding-time", ALPROTO_DHCP, SIG_FLAG_TOCLIENT, 0, |
128 | 34 | DetectEngineInspectGenericList, NULL); |
129 | | |
130 | 34 | g_buffer_id = DetectBufferTypeGetByName("dhcp.rebinding-time"); |
131 | 34 | } |