/src/suricata7/src/detect-quic-version.c

Source
/* Copyright (C) 2021 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 *
 * Implements the quic.version
 */

#include "suricata-common.h"
#include "conf.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-mpm.h"
#include "detect-engine-content-inspection.h"
#include "detect-engine-uint.h"
#include "detect-quic-version.h"
#include "util-byte.h"
#include "util-unittest.h"
#include "rust.h"

#ifdef UNITTESTS
static void DetectQuicVersionRegisterTests(void);
#endif

#define BUFFER_NAME  "quic_version"
#define KEYWORD_NAME "quic.version"
#define KEYWORD_ID   DETECT_AL_QUIC_VERSION

static int quic_version_id = 0;

static int DetectQuicVersionSetup(DetectEngineCtx *, Signature *, const char *);

static InspectionBuffer *GetVersionData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        uint32_t b_len = 0;
        const uint8_t *b = NULL;

        if (rs_quic_tx_get_version(txv, &b, &b_len) != 1)
            return NULL;
        if (b == NULL || b_len == 0)
            return NULL;

        InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
        InspectionBufferApplyTransforms(buffer, transforms);
    }
    return buffer;
}

/**
 * \brief Registration function for quic.version: keyword
 */
void DetectQuicVersionRegister(void)
{
    sigmatch_table[DETECT_AL_QUIC_VERSION].name = KEYWORD_NAME;
    sigmatch_table[DETECT_AL_QUIC_VERSION].desc = "match Quic version";
    sigmatch_table[DETECT_AL_QUIC_VERSION].url = "/rules/quic-keywords.html#quic-version";
    sigmatch_table[DETECT_AL_QUIC_VERSION].Setup = DetectQuicVersionSetup;
    sigmatch_table[DETECT_AL_QUIC_VERSION].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
#ifdef UNITTESTS
    sigmatch_table[DETECT_AL_QUIC_VERSION].RegisterTests = DetectQuicVersionRegisterTests;
#endif

    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetVersionData, ALPROTO_QUIC, 1);
    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
            GetVersionData, ALPROTO_QUIC, 1);

    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1,
            DetectEngineInspectBufferGeneric, GetVersionData);
    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOCLIENT, 1,
            DetectEngineInspectBufferGeneric, GetVersionData);

    quic_version_id = DetectBufferTypeGetByName(BUFFER_NAME);
}

/**
 * \internal
 * \brief this function is used to add the parsed sigmatch  into the current signature
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param rawstr pointer to the user provided options
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
static int DetectQuicVersionSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
{
    if (DetectBufferSetActiveList(de_ctx, s, quic_version_id) < 0)
        return -1;

    if (DetectSignatureSetAppProto(s, ALPROTO_QUIC) < 0)
        return -1;

    return 0;
}

#ifdef UNITTESTS

/**
 * \test QuicVersionTestParse01 is a test for a valid value
 *
 *  \retval 1 on success
 *  \retval 0 on failure
 */
static int QuicVersionTestParse01(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    Signature *sig = DetectEngineAppendSig(
            de_ctx, "alert ip any any -> any any (quic.version; content:\"Q046\"; sid:1; rev:1;)");
    FAIL_IF_NULL(sig);

    sig = DetectEngineAppendSig(
            de_ctx, "alert ip any any -> any any (quic.version; content:\"|00|\"; sid:2; rev:1;)");
    FAIL_IF_NULL(sig);

    DetectEngineCtxFree(de_ctx);

    PASS;
}

/**
 * \test QuicVersionTestParse03 is a test for an invalid value
 *
 *  \retval 1 on success
 *  \retval 0 on failure
 */
static int QuicVersionTestParse03(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    Signature *sig = DetectEngineAppendSig(
            de_ctx, "alert ip any any -> any any (quic.version:; sid:1; rev:1;)");
    FAIL_IF_NOT_NULL(sig);

    DetectEngineCtxFree(de_ctx);

    PASS;
}

/**
 * \brief this function registers unit tests for QuicVersion
 */
void DetectQuicVersionRegisterTests(void)
{
    UtRegisterTest("QuicVersionTestParse01", QuicVersionTestParse01);
    UtRegisterTest("QuicVersionTestParse03", QuicVersionTestParse03);
}

#endif /* UNITTESTS */

Line	Count	Source
1		/* Copyright (C) 2021 Open Information Security Foundation
2		*
3		* You can copy, redistribute or modify this Program under the terms of
4		* the GNU General Public License version 2 as published by the Free
5		* Software Foundation.
6		*
7		* This program is distributed in the hope that it will be useful,
8		* but WITHOUT ANY WARRANTY; without even the implied warranty of
9		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10		* GNU General Public License for more details.
11		*
12		* You should have received a copy of the GNU General Public License
13		* version 2 along with this program; if not, write to the Free Software
14		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15		* 02110-1301, USA.
16		*/
17
18		/**
19		*
20		* Implements the quic.version
21		*/
22
23		#include "suricata-common.h"
24		#include "conf.h"
25		#include "detect.h"
26		#include "detect-parse.h"
27		#include "detect-engine.h"
28		#include "detect-engine-prefilter.h"
29		#include "detect-engine-mpm.h"
30		#include "detect-engine-content-inspection.h"
31		#include "detect-engine-uint.h"
32		#include "detect-quic-version.h"
33		#include "util-byte.h"
34		#include "util-unittest.h"
35		#include "rust.h"
36
37		#ifdef UNITTESTS
38		static void DetectQuicVersionRegisterTests(void);
39		#endif
40
41	365	#define BUFFER_NAME "quic_version"
42	73	#define KEYWORD_NAME "quic.version"
43		#define KEYWORD_ID DETECT_AL_QUIC_VERSION
44
45		static int quic_version_id = 0;
46
47		static int DetectQuicVersionSetup(DetectEngineCtx , Signature , const char *);
48
49		static InspectionBuffer GetVersionData(DetectEngineThreadCtx det_ctx,
50		const DetectEngineTransforms transforms, Flow _f, const uint8_t _flow_flags, void *txv,
51		const int list_id)
52	1.05k	{
53	1.05k	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
54	1.05k	if (buffer->inspect == NULL) {
55	538	uint32_t b_len = 0;
56	538	const uint8_t *b = NULL;
57
58	538	if (rs_quic_tx_get_version(txv, &b, &b_len) != 1)
59	17	return NULL;
60	521	if (b == NULL \|\| b_len == 0)
61	0	return NULL;
62
63	521	InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
64	521	InspectionBufferApplyTransforms(buffer, transforms);
65	521	}
66	1.03k	return buffer;
67	1.05k	}
68
69		/**
70		* \brief Registration function for quic.version: keyword
71		*/
72		void DetectQuicVersionRegister(void)
73	73	{
74	73	sigmatch_table[DETECT_AL_QUIC_VERSION].name = KEYWORD_NAME;
75	73	sigmatch_table[DETECT_AL_QUIC_VERSION].desc = "match Quic version";
76	73	sigmatch_table[DETECT_AL_QUIC_VERSION].url = "/rules/quic-keywords.html#quic-version";
77	73	sigmatch_table[DETECT_AL_QUIC_VERSION].Setup = DetectQuicVersionSetup;
78	73	sigmatch_table[DETECT_AL_QUIC_VERSION].flags \|= SIGMATCH_NOOPT \| SIGMATCH_INFO_STICKY_BUFFER;
79		#ifdef UNITTESTS
80		sigmatch_table[DETECT_AL_QUIC_VERSION].RegisterTests = DetectQuicVersionRegisterTests;
81		#endif
82
83	73	DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
84	73	GetVersionData, ALPROTO_QUIC, 1);
85	73	DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
86	73	GetVersionData, ALPROTO_QUIC, 1);
87
88	73	DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1,
89	73	DetectEngineInspectBufferGeneric, GetVersionData);
90	73	DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOCLIENT, 1,
91	73	DetectEngineInspectBufferGeneric, GetVersionData);
92
93	73	quic_version_id = DetectBufferTypeGetByName(BUFFER_NAME);
94	73	}
95
96		/**
97		* \internal
98		* \brief this function is used to add the parsed sigmatch into the current signature
99		*
100		* \param de_ctx pointer to the Detection Engine Context
101		* \param s pointer to the Current Signature
102		* \param rawstr pointer to the user provided options
103		*
104		* \retval 0 on Success
105		* \retval -1 on Failure
106		*/
107		static int DetectQuicVersionSetup(DetectEngineCtx de_ctx, Signature s, const char *rawstr)
108	824	{
109	824	if (DetectBufferSetActiveList(de_ctx, s, quic_version_id) < 0)
110	2	return -1;
111
112	822	if (DetectSignatureSetAppProto(s, ALPROTO_QUIC) < 0)
113	10	return -1;
114
115	812	return 0;
116	822	}
117
118		#ifdef UNITTESTS
119
120		/**
121		* \test QuicVersionTestParse01 is a test for a valid value
122		*
123		* \retval 1 on success
124		* \retval 0 on failure
125		*/
126		static int QuicVersionTestParse01(void)
127		{
128		DetectEngineCtx *de_ctx = DetectEngineCtxInit();
129		FAIL_IF_NULL(de_ctx);
130
131		Signature *sig = DetectEngineAppendSig(
132		de_ctx, "alert ip any any -> any any (quic.version; content:\"Q046\"; sid:1; rev:1;)");
133		FAIL_IF_NULL(sig);
134
135		sig = DetectEngineAppendSig(
136		de_ctx, "alert ip any any -> any any (quic.version; content:\"\|00\|\"; sid:2; rev:1;)");
137		FAIL_IF_NULL(sig);
138
139		DetectEngineCtxFree(de_ctx);
140
141		PASS;
142		}
143
144		/**
145		* \test QuicVersionTestParse03 is a test for an invalid value
146		*
147		* \retval 1 on success
148		* \retval 0 on failure
149		*/
150		static int QuicVersionTestParse03(void)
151		{
152		DetectEngineCtx *de_ctx = DetectEngineCtxInit();
153		FAIL_IF_NULL(de_ctx);
154
155		Signature *sig = DetectEngineAppendSig(
156		de_ctx, "alert ip any any -> any any (quic.version:; sid:1; rev:1;)");
157		FAIL_IF_NOT_NULL(sig);
158
159		DetectEngineCtxFree(de_ctx);
160
161		PASS;
162		}
163
164		/**
165		* \brief this function registers unit tests for QuicVersion
166		*/
167		void DetectQuicVersionRegisterTests(void)
168		{
169		UtRegisterTest("QuicVersionTestParse01", QuicVersionTestParse01);
170		UtRegisterTest("QuicVersionTestParse03", QuicVersionTestParse03);
171		}
172
173		#endif /* UNITTESTS */

Coverage Report

Created: 2025-12-31 06:43