/src/suricata7/src/detect-icmpv4hdr.c
Line | Count | Source |
1 | | /* Copyright (C) 2020 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Jeff Lucovsky <jeff@lucovsky.org> |
22 | | * |
23 | | */ |
24 | | |
25 | | #include "suricata-common.h" |
26 | | |
27 | | #include "detect.h" |
28 | | #include "detect-engine.h" |
29 | | #include "detect-engine-mpm.h" |
30 | | #include "detect-icmpv4hdr.h" |
31 | | |
32 | | /* prototypes */ |
33 | | static int DetectIcmpv4HdrSetup(DetectEngineCtx *, Signature *, const char *); |
34 | | #ifdef UNITTESTS |
35 | | void DetectIcmpv4HdrRegisterTests(void); |
36 | | #endif |
37 | | |
38 | | static int g_icmpv4hdr_buffer_id = 0; |
39 | | |
40 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
41 | | const DetectEngineTransforms *transforms, Packet *p, const int list_id); |
42 | | |
43 | | /** |
44 | | * \brief Registration function for icmpv4.hdr: keyword |
45 | | */ |
46 | | void DetectIcmpv4HdrRegister(void) |
47 | 34 | { |
48 | 34 | sigmatch_table[DETECT_ICMPV4HDR].name = "icmpv4.hdr"; |
49 | 34 | sigmatch_table[DETECT_ICMPV4HDR].desc = "sticky buffer to match on the ICMP v4 header"; |
50 | 34 | sigmatch_table[DETECT_ICMPV4HDR].url = "/rules/header-keywords.html#icmpv4-hdr"; |
51 | 34 | sigmatch_table[DETECT_ICMPV4HDR].Setup = DetectIcmpv4HdrSetup; |
52 | 34 | sigmatch_table[DETECT_ICMPV4HDR].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; |
53 | | #ifdef UNITTESTS |
54 | | sigmatch_table[DETECT_ICMPV4HDR].RegisterTests = DetectIcmpv4HdrRegisterTests; |
55 | | #endif |
56 | | |
57 | 34 | g_icmpv4hdr_buffer_id = DetectBufferTypeRegister("icmpv4.hdr"); |
58 | 34 | BUG_ON(g_icmpv4hdr_buffer_id < 0); |
59 | | |
60 | 34 | DetectBufferTypeSupportsPacket("icmpv4.hdr"); |
61 | | |
62 | 34 | DetectPktMpmRegister("icmpv4.hdr", 2, PrefilterGenericMpmPktRegister, GetData); |
63 | | |
64 | 34 | DetectPktInspectEngineRegister("icmpv4.hdr", GetData, DetectEngineInspectPktBufferGeneric); |
65 | | |
66 | 34 | return; |
67 | 34 | } |
68 | | |
69 | | /** |
70 | | * \brief setup icmpv4.hdr sticky buffer |
71 | | * |
72 | | * \param de_ctx pointer to the Detection Engine Context |
73 | | * \param s pointer to the Current Signature |
74 | | * \param _unused unused |
75 | | * |
76 | | * \retval 0 on Success |
77 | | * \retval -1 on Failure |
78 | | */ |
79 | | static int DetectIcmpv4HdrSetup(DetectEngineCtx *de_ctx, Signature *s, const char *_unused) |
80 | 1.34k | { |
81 | 1.34k | if (!(DetectProtoContainsProto(&s->proto, IPPROTO_ICMP))) |
82 | 42 | return -1; |
83 | | |
84 | 1.30k | s->proto.flags |= DETECT_PROTO_IPV4; |
85 | 1.30k | s->flags |= SIG_FLAG_REQUIRE_PACKET; |
86 | | |
87 | 1.30k | if (DetectBufferSetActiveList(de_ctx, s, g_icmpv4hdr_buffer_id) < 0) |
88 | 2 | return -1; |
89 | | |
90 | 1.30k | return 0; |
91 | 1.30k | } |
92 | | |
93 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
94 | | const DetectEngineTransforms *transforms, Packet *p, const int list_id) |
95 | 986 | { |
96 | 986 | SCEnter(); |
97 | | |
98 | 986 | if (p->icmpv4h == NULL) { |
99 | 946 | SCReturnPtr(NULL, "InspectionBuffer"); |
100 | 946 | } |
101 | | |
102 | 40 | InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); |
103 | 40 | if (buffer->inspect == NULL) { |
104 | 29 | uint16_t hlen = ICMPV4_GET_HLEN_ICMPV4H(p); |
105 | 29 | if (((uint8_t *)p->icmpv4h + (ptrdiff_t)hlen) > |
106 | 29 | ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p))) { |
107 | 0 | SCLogDebug("data out of range: %p > %p", ((uint8_t *)p->icmpv4h + (ptrdiff_t)hlen), |
108 | 0 | ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p))); |
109 | 0 | SCReturnPtr(NULL, "InspectionBuffer"); |
110 | 0 | } |
111 | | |
112 | 29 | const uint32_t data_len = hlen; |
113 | 29 | const uint8_t *data = (const uint8_t *)p->icmpv4h; |
114 | | |
115 | 29 | InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); |
116 | 29 | InspectionBufferApplyTransforms(buffer, transforms); |
117 | 29 | } |
118 | | |
119 | 40 | SCReturnPtr(buffer, "InspectionBuffer"); |
120 | 40 | } |
121 | | |
122 | | #ifdef UNITTESTS |
123 | | #include "tests/detect-icmpv4hdr.c" |
124 | | #endif |