/src/suricata/src/detect-icmpv4hdr.c
Line | Count | Source |
1 | | /* Copyright (C) 2020 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Jeff Lucovsky <jeff@lucovsky.org> |
22 | | * |
23 | | */ |
24 | | |
25 | | #include "suricata-common.h" |
26 | | |
27 | | #include "detect.h" |
28 | | #include "detect-engine.h" |
29 | | #include "detect-engine-buffer.h" |
30 | | #include "detect-engine-mpm.h" |
31 | | #include "detect-icmpv4hdr.h" |
32 | | #include "detect-engine-prefilter.h" |
33 | | |
34 | | /* prototypes */ |
35 | | static int DetectIcmpv4HdrSetup(DetectEngineCtx *, Signature *, const char *); |
36 | | #ifdef UNITTESTS |
37 | | void DetectIcmpv4HdrRegisterTests(void); |
38 | | #endif |
39 | | |
40 | | static int g_icmpv4hdr_buffer_id = 0; |
41 | | |
42 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
43 | | const DetectEngineTransforms *transforms, Packet *p, const int list_id); |
44 | | |
45 | | /** |
46 | | * \brief Registration function for icmpv4.hdr: keyword |
47 | | */ |
48 | | void DetectIcmpv4HdrRegister(void) |
49 | 39 | { |
50 | 39 | sigmatch_table[DETECT_ICMPV4HDR].name = "icmpv4.hdr"; |
51 | 39 | sigmatch_table[DETECT_ICMPV4HDR].desc = "sticky buffer to match on the ICMP v4 header"; |
52 | 39 | sigmatch_table[DETECT_ICMPV4HDR].url = "/rules/header-keywords.html#icmpv4-hdr"; |
53 | 39 | sigmatch_table[DETECT_ICMPV4HDR].Setup = DetectIcmpv4HdrSetup; |
54 | 39 | sigmatch_table[DETECT_ICMPV4HDR].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; |
55 | | #ifdef UNITTESTS |
56 | | sigmatch_table[DETECT_ICMPV4HDR].RegisterTests = DetectIcmpv4HdrRegisterTests; |
57 | | #endif |
58 | | |
59 | 39 | g_icmpv4hdr_buffer_id = DetectBufferTypeRegister("icmpv4.hdr"); |
60 | 39 | BUG_ON(g_icmpv4hdr_buffer_id < 0); |
61 | | |
62 | 39 | DetectBufferTypeSupportsPacket("icmpv4.hdr"); |
63 | | |
64 | 39 | DetectPktMpmRegister("icmpv4.hdr", 2, PrefilterGenericMpmPktRegister, GetData); |
65 | | |
66 | 39 | DetectPktInspectEngineRegister("icmpv4.hdr", GetData, DetectEngineInspectPktBufferGeneric); |
67 | 39 | } |
68 | | |
69 | | /** |
70 | | * \brief setup icmpv4.hdr sticky buffer |
71 | | * |
72 | | * \param de_ctx pointer to the Detection Engine Context |
73 | | * \param s pointer to the Current Signature |
74 | | * \param _unused unused |
75 | | * |
76 | | * \retval 0 on Success |
77 | | * \retval -1 on Failure |
78 | | */ |
79 | | static int DetectIcmpv4HdrSetup(DetectEngineCtx *de_ctx, Signature *s, const char *_unused) |
80 | 1.21k | { |
81 | 1.21k | if (!(DetectProtoContainsProto(&s->proto, IPPROTO_ICMP))) |
82 | 57 | return -1; |
83 | | |
84 | 1.15k | s->proto.flags |= DETECT_PROTO_IPV4; |
85 | 1.15k | s->flags |= SIG_FLAG_REQUIRE_PACKET; |
86 | | |
87 | 1.15k | if (SCDetectBufferSetActiveList(de_ctx, s, g_icmpv4hdr_buffer_id) < 0) |
88 | 2 | return -1; |
89 | | |
90 | 1.15k | return 0; |
91 | 1.15k | } |
92 | | |
93 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
94 | | const DetectEngineTransforms *transforms, Packet *p, const int list_id) |
95 | 13.6k | { |
96 | 13.6k | SCEnter(); |
97 | | |
98 | 13.6k | if (!PacketIsICMPv4(p)) { |
99 | 13.3k | SCReturnPtr(NULL, "InspectionBuffer"); |
100 | 13.3k | } |
101 | | |
102 | 268 | InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); |
103 | 268 | if (buffer->inspect == NULL) { |
104 | 172 | const ICMPV4Hdr *icmpv4h = PacketGetICMPv4(p); |
105 | 172 | uint16_t hlen = ICMPV4_GET_HLEN_ICMPV4H(p); |
106 | 172 | if (((uint8_t *)icmpv4h + (ptrdiff_t)hlen) > |
107 | 172 | ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p))) { |
108 | 0 | SCLogDebug("data out of range: %p > %p", ((uint8_t *)icmpv4h + (ptrdiff_t)hlen), |
109 | 0 | ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p))); |
110 | 0 | SCReturnPtr(NULL, "InspectionBuffer"); |
111 | 0 | } |
112 | | |
113 | 172 | const uint32_t data_len = hlen; |
114 | 172 | const uint8_t *data = (const uint8_t *)icmpv4h; |
115 | | |
116 | 172 | InspectionBufferSetupAndApplyTransforms( |
117 | 172 | det_ctx, list_id, buffer, data, data_len, transforms); |
118 | 172 | } |
119 | | |
120 | 268 | SCReturnPtr(buffer, "InspectionBuffer"); |
121 | 268 | } |
122 | | |
123 | | #ifdef UNITTESTS |
124 | | #include "tests/detect-icmpv4hdr.c" |
125 | | #endif |