/src/suricata7/src/detect-ftpdata.c

Source
/* Copyright (C) 2017-2020 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Eric Leblond <eric@regit.org>
 *
 * Match on ftp command used to trigger a ftp data transfer
 */

#include "suricata-common.h"
#include "util-unittest.h"

#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-state.h"

#include "app-layer-ftp.h"

#include "detect-ftpdata.h"

/**
 * \brief Regex for parsing our keyword options
 */
#define PARSE_REGEX  "^\\s*(stor|retr)\\s*$"
static DetectParseRegex parse_regex;

/* Prototypes of functions registered in DetectFtpdataRegister below */
static int DetectFtpdataMatch(DetectEngineThreadCtx *,
        Flow *, uint8_t, void *, void *,
        const Signature *, const SigMatchCtx *);
static int DetectFtpdataSetup (DetectEngineCtx *, Signature *, const char *);
static void DetectFtpdataFree (DetectEngineCtx *, void *);
#ifdef UNITTESTS
static void DetectFtpdataRegisterTests (void);
#endif
static int g_ftpdata_buffer_id = 0;

/**
 * \brief Registration function for ftpcommand: keyword
 *
 * This function is called once in the 'lifetime' of the engine.
 */
void DetectFtpdataRegister(void) {
    /* keyword name: this is how the keyword is used in a rule */
    sigmatch_table[DETECT_FTPDATA].name = "ftpdata_command";
    /* description: listed in "suricata --list-keywords=all" */
    sigmatch_table[DETECT_FTPDATA].desc = "match FTP command triggering a FTP data channel";
    sigmatch_table[DETECT_FTPDATA].url = "/rules/ftp-keywords.html#ftpdata-command";
    sigmatch_table[DETECT_FTPDATA].AppLayerTxMatch = DetectFtpdataMatch;
    /* setup function is called during signature parsing, when the ftpcommand
     * keyword is encountered in the rule */
    sigmatch_table[DETECT_FTPDATA].Setup = DetectFtpdataSetup;
    /* free function is called when the detect engine is freed. Normally at
     * shutdown, but also during rule reloads. */
    sigmatch_table[DETECT_FTPDATA].Free = DetectFtpdataFree;
    /* registers unittests into the system */
#ifdef UNITTESTS
    sigmatch_table[DETECT_FTPDATA].RegisterTests = DetectFtpdataRegisterTests;
#endif
    DetectAppLayerInspectEngineRegister2("ftpdata_command", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectGenericList, NULL);

    DetectAppLayerInspectEngineRegister2("ftpdata_command", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0,
            DetectEngineInspectGenericList, NULL);
    g_ftpdata_buffer_id = DetectBufferTypeGetByName("ftpdata_command");

    /* set up the PCRE for keyword parsing */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
}

/**
 * \brief This function is used to check matches from the FTP App Layer Parser
 *
 * \param t pointer to thread vars
 * \param det_ctx pointer to the pattern matcher thread
 * \param p pointer to the current packet
 * \param m pointer to the sigmatch
 * \retval 0 no match
 * \retval 1 match
 */
static int DetectFtpdataMatch(DetectEngineThreadCtx *det_ctx,
        Flow *f, uint8_t flags,
        void *state, void *txv,
        const Signature *s, const SigMatchCtx *m)
{
    const DetectFtpdataData *ftpcommandd = (const DetectFtpdataData *) m;
    const FtpDataState *ftp_state = (const FtpDataState *)state;

    if (ftp_state == NULL)
        return 0;

    if (ftpcommandd->command == ftp_state->command) {
        /* Only match if the flow is in the good direction */
        if ((flags & STREAM_TOSERVER) && (ftpcommandd->command == FTP_COMMAND_RETR)) {
            return 0;
        } else if ((flags & STREAM_TOCLIENT) && (ftpcommandd->command == FTP_COMMAND_STOR)) {
            return 0;
        }
        return 1;
    }

    return 0;
}

/**
 * \brief This function is used to parse ftpcommand options passed via ftpcommand: keyword
 *
 * \param ftpcommandstr Pointer to the user provided ftpcommand options
 *
 * \retval ftpcommandd pointer to DetectFtpdataData on success
 * \retval NULL on failure
 */
static DetectFtpdataData *DetectFtpdataParse(const char *ftpcommandstr)
{
    DetectFtpdataData *ftpcommandd = NULL;
    char arg1[5] = "";
    size_t pcre2len;
    pcre2_match_data *match = NULL;

    int ret = DetectParsePcreExec(&parse_regex, &match, ftpcommandstr, 0, 0);
    if (ret != 2) {
        SCLogError("parse error, ret %" PRId32 "", ret);
        goto error;
    }

    pcre2len = sizeof(arg1);
    int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)arg1, &pcre2len);
    if (res < 0) {
        SCLogError("pcre2_substring_copy_bynumber failed");
        goto error;
    }
    SCLogDebug("Arg1 \"%s\"", arg1);

    ftpcommandd = SCMalloc(sizeof (DetectFtpdataData));
    if (unlikely(ftpcommandd == NULL))
        goto error;
    if (!strcmp(arg1, "stor")) {
        ftpcommandd->command = FTP_COMMAND_STOR;
    } else if (!strcmp(arg1, "retr")) {
        ftpcommandd->command = FTP_COMMAND_RETR;
    } else {
        SCLogError("Invalid command value");
        goto error;
    }

    pcre2_match_data_free(match);
    return ftpcommandd;

error:
    if (match) {
        pcre2_match_data_free(match);
    }
    if (ftpcommandd)
        SCFree(ftpcommandd);
    return NULL;
}

/**
 * \brief parse the options from the 'ftpcommand' keyword in the rule into
 *        the Signature data structure.
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param str pointer to the user provided ftpcommand options
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
static int DetectFtpdataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (DetectSignatureSetAppProto(s, ALPROTO_FTPDATA) != 0)
        return -1;

    DetectFtpdataData *ftpcommandd = DetectFtpdataParse(str);
    if (ftpcommandd == NULL)
        return -1;

    SigMatch *sm = SigMatchAlloc();
    if (sm == NULL) {
        DetectFtpdataFree(de_ctx, ftpcommandd);
        return -1;
    }
    sm->type = DETECT_FTPDATA;
    sm->ctx = (void *)ftpcommandd;

    SigMatchAppendSMToList(s, sm, g_ftpdata_buffer_id);
    return 0;
}

/**
 * \brief this function will free memory associated with DetectFtpdataData
 *
 * \param ptr pointer to DetectFtpdataData
 */
static void DetectFtpdataFree(DetectEngineCtx *de_ctx, void *ptr) {
    DetectFtpdataData *ftpcommandd = (DetectFtpdataData *)ptr;

    /* do more specific cleanup here, if needed */

    SCFree(ftpcommandd);
}

#ifdef UNITTESTS

static int DetectFtpdataParseTest01(void)
{
    DetectFtpdataData *ftpcommandd = DetectFtpdataParse("stor");
    FAIL_IF_NULL(ftpcommandd);
    FAIL_IF(!(ftpcommandd->command == FTP_COMMAND_STOR));
    DetectFtpdataFree(NULL, ftpcommandd);
    PASS;
}

static int DetectFtpdataSignatureTest01(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    Signature *sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:stor; sid:1; rev:1;)");
    FAIL_IF_NULL(sig);
    sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:retr; sid:2; rev:1;)");
    FAIL_IF_NULL(sig);
    sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:xxx; sid:3; rev:1;)");
    FAIL_IF_NOT_NULL(sig);

    DetectEngineCtxFree(de_ctx);
    PASS;
}

/**
 * \brief this function registers unit tests for DetectFtpdata
 */
static void DetectFtpdataRegisterTests(void)
{
    UtRegisterTest("DetectFtpdataParseTest01", DetectFtpdataParseTest01);
    UtRegisterTest("DetectFtpdataSignatureTest01",
                   DetectFtpdataSignatureTest01);
}
#endif /* UNITTESTS */

Coverage Report

Created: 2026-05-16 07:38

Line	Count	Source
1		/* Copyright (C) 2017-2020 Open Information Security Foundation
2		*
3		* You can copy, redistribute or modify this Program under the terms of
4		* the GNU General Public License version 2 as published by the Free
5		* Software Foundation.
6		*
7		* This program is distributed in the hope that it will be useful,
8		* but WITHOUT ANY WARRANTY; without even the implied warranty of
9		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10		* GNU General Public License for more details.
11		*
12		* You should have received a copy of the GNU General Public License
13		* version 2 along with this program; if not, write to the Free Software
14		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15		* 02110-1301, USA.
16		*/
17
18		/**
19		* \file
20		*
21		* \author Eric Leblond <eric@regit.org>
22		*
23		* Match on ftp command used to trigger a ftp data transfer
24		*/
25
26		#include "suricata-common.h"
27		#include "util-unittest.h"
28
29		#include "detect-parse.h"
30		#include "detect-engine.h"
31		#include "detect-engine-state.h"
32
33		#include "app-layer-ftp.h"
34
35		#include "detect-ftpdata.h"
36
37		/**
38		* \brief Regex for parsing our keyword options
39		*/
40	73	#define PARSE_REGEX "^\\s(stor\|retr)\\s$"
41		static DetectParseRegex parse_regex;
42
43		/* Prototypes of functions registered in DetectFtpdataRegister below */
44		static int DetectFtpdataMatch(DetectEngineThreadCtx *,
45		Flow , uint8_t, void , void *,
46		const Signature , const SigMatchCtx );
47		static int DetectFtpdataSetup (DetectEngineCtx , Signature , const char *);
48		static void DetectFtpdataFree (DetectEngineCtx , void );
49		#ifdef UNITTESTS
50		static void DetectFtpdataRegisterTests (void);
51		#endif
52		static int g_ftpdata_buffer_id = 0;
53
54		/**
55		* \brief Registration function for ftpcommand: keyword
56		*
57		* This function is called once in the 'lifetime' of the engine.
58		*/
59	73	void DetectFtpdataRegister(void) {
60		/* keyword name: this is how the keyword is used in a rule */
61	73	sigmatch_table[DETECT_FTPDATA].name = "ftpdata_command";
62		/* description: listed in "suricata --list-keywords=all" */
63	73	sigmatch_table[DETECT_FTPDATA].desc = "match FTP command triggering a FTP data channel";
64	73	sigmatch_table[DETECT_FTPDATA].url = "/rules/ftp-keywords.html#ftpdata-command";
65	73	sigmatch_table[DETECT_FTPDATA].AppLayerTxMatch = DetectFtpdataMatch;
66		/* setup function is called during signature parsing, when the ftpcommand
67		* keyword is encountered in the rule */
68	73	sigmatch_table[DETECT_FTPDATA].Setup = DetectFtpdataSetup;
69		/* free function is called when the detect engine is freed. Normally at
70		* shutdown, but also during rule reloads. */
71	73	sigmatch_table[DETECT_FTPDATA].Free = DetectFtpdataFree;
72		/* registers unittests into the system */
73		#ifdef UNITTESTS
74		sigmatch_table[DETECT_FTPDATA].RegisterTests = DetectFtpdataRegisterTests;
75		#endif
76	73	DetectAppLayerInspectEngineRegister2("ftpdata_command", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0,
77	73	DetectEngineInspectGenericList, NULL);
78
79	73	DetectAppLayerInspectEngineRegister2("ftpdata_command", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0,
80	73	DetectEngineInspectGenericList, NULL);
81	73	g_ftpdata_buffer_id = DetectBufferTypeGetByName("ftpdata_command");
82
83		/* set up the PCRE for keyword parsing */
84	73	DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
85	73	}
86
87		/**
88		* \brief This function is used to check matches from the FTP App Layer Parser
89		*
90		* \param t pointer to thread vars
91		* \param det_ctx pointer to the pattern matcher thread
92		* \param p pointer to the current packet
93		* \param m pointer to the sigmatch
94		* \retval 0 no match
95		* \retval 1 match
96		*/
97		static int DetectFtpdataMatch(DetectEngineThreadCtx *det_ctx,
98		Flow *f, uint8_t flags,
99		void state, void txv,
100		const Signature s, const SigMatchCtx m)
101	0	{
102	0	const DetectFtpdataData ftpcommandd = (const DetectFtpdataData ) m;
103	0	const FtpDataState ftp_state = (const FtpDataState )state;
104
105	0	if (ftp_state == NULL)
106	0	return 0;
107
108	0	if (ftpcommandd->command == ftp_state->command) {
109		/* Only match if the flow is in the good direction */
110	0	if ((flags & STREAM_TOSERVER) && (ftpcommandd->command == FTP_COMMAND_RETR)) {
111	0	return 0;
112	0	} else if ((flags & STREAM_TOCLIENT) && (ftpcommandd->command == FTP_COMMAND_STOR)) {
113	0	return 0;
114	0	}
115	0	return 1;
116	0	}
117
118	0	return 0;
119	0	}
120
121		/**
122		* \brief This function is used to parse ftpcommand options passed via ftpcommand: keyword
123		*
124		* \param ftpcommandstr Pointer to the user provided ftpcommand options
125		*
126		* \retval ftpcommandd pointer to DetectFtpdataData on success
127		* \retval NULL on failure
128		*/
129		static DetectFtpdataData DetectFtpdataParse(const char ftpcommandstr)
130	214	{
131	214	DetectFtpdataData *ftpcommandd = NULL;
132	214	char arg1[5] = "";
133	214	size_t pcre2len;
134	214	pcre2_match_data *match = NULL;
135
136	214	int ret = DetectParsePcreExec(&parse_regex, &match, ftpcommandstr, 0, 0);
137	214	if (ret != 2) {
138	212	SCLogError("parse error, ret %" PRId32 "", ret);
139	212	goto error;
140	212	}
141
142	2	pcre2len = sizeof(arg1);
143	2	int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)arg1, &pcre2len);
144	2	if (res < 0) {
145	0	SCLogError("pcre2_substring_copy_bynumber failed");
146	0	goto error;
147	0	}
148	2	SCLogDebug("Arg1 \"%s\"", arg1);
149
150	2	ftpcommandd = SCMalloc(sizeof (DetectFtpdataData));
151	2	if (unlikely(ftpcommandd == NULL))
152	0	goto error;
153	2	if (!strcmp(arg1, "stor")) {
154	2	ftpcommandd->command = FTP_COMMAND_STOR;
155	2	} else if (!strcmp(arg1, "retr")) {
156	0	ftpcommandd->command = FTP_COMMAND_RETR;
157	0	} else {
158	0	SCLogError("Invalid command value");
159	0	goto error;
160	0	}
161
162	2	pcre2_match_data_free(match);
163	2	return ftpcommandd;
164
165	212	error:
166	212	if (match) {
167	212	pcre2_match_data_free(match);
168	212	}
169	212	if (ftpcommandd)
170	0	SCFree(ftpcommandd);
171	212	return NULL;
172	2	}
173
174		/**
175		* \brief parse the options from the 'ftpcommand' keyword in the rule into
176		* the Signature data structure.
177		*
178		* \param de_ctx pointer to the Detection Engine Context
179		* \param s pointer to the Current Signature
180		* \param str pointer to the user provided ftpcommand options
181		*
182		* \retval 0 on Success
183		* \retval -1 on Failure
184		*/
185		static int DetectFtpdataSetup(DetectEngineCtx de_ctx, Signature s, const char *str)
186	224	{
187	224	if (DetectSignatureSetAppProto(s, ALPROTO_FTPDATA) != 0)
188	10	return -1;
189
190	214	DetectFtpdataData *ftpcommandd = DetectFtpdataParse(str);
191	214	if (ftpcommandd == NULL)
192	212	return -1;
193
194	2	SigMatch *sm = SigMatchAlloc();
195	2	if (sm == NULL) {
196	0	DetectFtpdataFree(de_ctx, ftpcommandd);
197	0	return -1;
198	0	}
199	2	sm->type = DETECT_FTPDATA;
200	2	sm->ctx = (void *)ftpcommandd;
201
202	2	SigMatchAppendSMToList(s, sm, g_ftpdata_buffer_id);
203	2	return 0;
204	2	}
205
206		/**
207		* \brief this function will free memory associated with DetectFtpdataData
208		*
209		* \param ptr pointer to DetectFtpdataData
210		*/
211	2	static void DetectFtpdataFree(DetectEngineCtx de_ctx, void ptr) {
212	2	DetectFtpdataData ftpcommandd = (DetectFtpdataData )ptr;
213
214		/* do more specific cleanup here, if needed */
215
216	2	SCFree(ftpcommandd);
217	2	}
218
219		#ifdef UNITTESTS
220
221		static int DetectFtpdataParseTest01(void)
222		{
223		DetectFtpdataData *ftpcommandd = DetectFtpdataParse("stor");
224		FAIL_IF_NULL(ftpcommandd);
225		FAIL_IF(!(ftpcommandd->command == FTP_COMMAND_STOR));
226		DetectFtpdataFree(NULL, ftpcommandd);
227		PASS;
228		}
229
230		static int DetectFtpdataSignatureTest01(void)
231		{
232		DetectEngineCtx *de_ctx = DetectEngineCtxInit();
233		FAIL_IF_NULL(de_ctx);
234
235		Signature *sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:stor; sid:1; rev:1;)");
236		FAIL_IF_NULL(sig);
237		sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:retr; sid:2; rev:1;)");
238		FAIL_IF_NULL(sig);
239		sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:xxx; sid:3; rev:1;)");
240		FAIL_IF_NOT_NULL(sig);
241
242		DetectEngineCtxFree(de_ctx);
243		PASS;
244		}
245
246		/**
247		* \brief this function registers unit tests for DetectFtpdata
248		*/
249		static void DetectFtpdataRegisterTests(void)
250		{
251		UtRegisterTest("DetectFtpdataParseTest01", DetectFtpdataParseTest01);
252		UtRegisterTest("DetectFtpdataSignatureTest01",
253		DetectFtpdataSignatureTest01);
254		}
255		#endif /* UNITTESTS */