Coverage Report

Created: 2026-06-30 07:20

/src/suricata7/src/detect-ike-spi.c
1
/* Copyright (C) 2020 Open Information Security Foundation
2
 *
3
 * You can copy, redistribute or modify this Program under the terms of
4
 * the GNU General Public License version 2 as published by the Free
5
 * Software Foundation.
6
 *
7
 * This program is distributed in the hope that it will be useful,
8
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10
 * GNU General Public License for more details.
11
 *
12
 * You should have received a copy of the GNU General Public License
13
 * version 2 along with this program; if not, write to the Free Software
14
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
 * 02110-1301, USA.
16
 */
17
18
/**
19
 *
20
 * \author Frank Honza <frank.honza@dcso.de>
21
 */
22
23
#include "suricata-common.h"
24
#include "threads.h"
25
#include "decode.h"
26
#include "detect.h"
27
28
#include "detect-parse.h"
29
#include "detect-engine.h"
30
#include "detect-engine-mpm.h"
31
#include "detect-engine-prefilter.h"
32
#include "detect-urilen.h"
33
34
#include "flow.h"
35
#include "flow-var.h"
36
#include "flow-util.h"
37
38
#include "util-debug.h"
39
#include "util-unittest.h"
40
#include "util-unittest-helper.h"
41
#include "util-spm.h"
42
43
#include "app-layer.h"
44
#include "app-layer-parser.h"
45
46
#include "detect-ike-spi.h"
47
#include "stream-tcp.h"
48
49
#include "rust.h"
50
#include "app-layer-ike.h"
51
#include "rust-bindings.h"
52
/* Rule keyword, documentation anchor, buffer name and buffer description used for the
 * initiator SPI sticky buffer. */
#define KEYWORD_NAME_INITIATOR "ike.init_spi"
/* NOTE(review): the replacement text ends in ';', so the statement terminator is part of
 * every expansion; a use site gets a statement end whether or not it writes one. */
#define KEYWORD_DOC_INITIATOR  "ike-keywords.html#ike-init_spi";
#define BUFFER_NAME_INITIATOR  "ike.init_spi"
#define BUFFER_DESC_INITIATOR  "ike init spi"

/* Same four strings for the responder SPI sticky buffer. */
#define KEYWORD_NAME_RESPONDER "ike.resp_spi"
/* NOTE(review): trailing ';' inside the macro, as for KEYWORD_DOC_INITIATOR. */
#define KEYWORD_DOC_RESPONDER  "ike-keywords.html#ike-resp_spi";
#define BUFFER_NAME_RESPONDER  "ike.resp_spi"
#define BUFFER_DESC_RESPONDER  "ike resp spi"

/* Buffer type ids; DetectIkeSpiRegister overwrites them with the value returned by
 * DetectBufferTypeGetByName, and the Setup callbacks pass them to
 * DetectBufferSetActiveList. */
static int g_buffer_initiator_id = 0;
static int g_buffer_responder_id = 0;
/**
 * \brief Setup callback for the ike.init_spi sticky buffer keyword.
 *
 * Makes the initiator SPI buffer the active list of the signature and then sets the
 * signature's app-layer protocol to IKE. The second step is only attempted when the
 * first one succeeded.
 *
 * \param de_ctx detection engine context, handed to DetectBufferSetActiveList
 * \param s      signature being set up
 * \param str    keyword argument; not read by this function
 *
 * \retval 0 both calls succeeded
 * \retval -1 one of the calls returned a negative value
 */
static int DetectSpiInitiatorSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    const int list_rc = DetectBufferSetActiveList(de_ctx, s, g_buffer_initiator_id);
    if (list_rc < 0) {
        return -1;
    }

    /* presumably fails when the rule is already tied to another protocol - confirm
     * against DetectSignatureSetAppProto */
    const int proto_rc = DetectSignatureSetAppProto(s, ALPROTO_IKE);
    if (proto_rc < 0) {
        return -1;
    }

    return 0;
}
/**
 * \brief Setup callback for the ike.resp_spi sticky buffer keyword.
 *
 * Makes the responder SPI buffer the active list of the signature and then sets the
 * signature's app-layer protocol to IKE. The second step is only attempted when the
 * first one succeeded.
 *
 * \param de_ctx detection engine context, handed to DetectBufferSetActiveList
 * \param s      signature being set up
 * \param str    keyword argument; not read by this function
 *
 * \retval 0 both calls succeeded
 * \retval -1 one of the calls returned a negative value
 */
static int DetectSpiResponderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    const int list_rc = DetectBufferSetActiveList(de_ctx, s, g_buffer_responder_id);
    if (list_rc < 0) {
        return -1;
    }

    /* presumably fails when the rule is already tied to another protocol - confirm
     * against DetectSignatureSetAppProto */
    const int proto_rc = DetectSignatureSetAppProto(s, ALPROTO_IKE);
    if (proto_rc < 0) {
        return -1;
    }

    return 0;
}
/**
 * \brief Provide the inspection buffer holding the initiator SPI of an IKE transaction.
 *
 * If the buffer for \a list_id has no data yet, the SPI is requested from the
 * transaction through rs_ike_state_get_spi_initiator, installed with
 * InspectionBufferSetup and passed through InspectionBufferApplyTransforms. A buffer
 * that already has data is returned as it is.
 *
 * \param det_ctx     detection thread context owning the inspection buffers
 * \param transforms  transforms applied after the buffer is filled
 * \param _f          flow; not read here
 * \param _flow_flags flow direction flags; not read here
 * \param txv         opaque transaction pointer handed to the Rust getter
 * \param list_id     id of the inspection buffer list
 *
 * \retval buffer the filled (or previously filled) inspection buffer
 * \retval NULL   the getter did not return 1, or it gave a NULL pointer or zero length
 */
static InspectionBuffer *GetInitiatorData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id)
{
    /* NOTE(review): dereferenced without a NULL check; presumably InspectionBufferGet
     * never returns NULL - confirm. */
    InspectionBuffer *insp = InspectionBufferGet(det_ctx, list_id);

    /* filled by an earlier call: nothing to do */
    if (insp->inspect != NULL) {
        return insp;
    }

    const uint8_t *spi = NULL;
    uint32_t spi_len = 0;

    /* Only a non-empty SPI reported with return value 1 is inspected; pointer and
     * length come from the parsed transaction, so both are checked before use. */
    if (rs_ike_state_get_spi_initiator(txv, &spi, &spi_len) != 1 || spi == NULL ||
            spi_len == 0) {
        return NULL;
    }

    InspectionBufferSetup(det_ctx, list_id, insp, spi, spi_len);
    InspectionBufferApplyTransforms(insp, transforms);

    return insp;
}
/**
 * \brief Provide the inspection buffer holding the responder SPI of an IKE transaction.
 *
 * If the buffer for \a list_id has no data yet, the SPI is requested from the
 * transaction through rs_ike_state_get_spi_responder, installed with
 * InspectionBufferSetup and passed through InspectionBufferApplyTransforms. A buffer
 * that already has data is returned as it is.
 *
 * \param det_ctx     detection thread context owning the inspection buffers
 * \param transforms  transforms applied after the buffer is filled
 * \param _f          flow; not read here
 * \param _flow_flags flow direction flags; not read here
 * \param txv         opaque transaction pointer handed to the Rust getter
 * \param list_id     id of the inspection buffer list
 *
 * \retval buffer the filled (or previously filled) inspection buffer
 * \retval NULL   the getter did not return 1, or it gave a NULL pointer or zero length
 */
static InspectionBuffer *GetResponderData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id)
{
    /* NOTE(review): dereferenced without a NULL check; presumably InspectionBufferGet
     * never returns NULL - confirm. */
    InspectionBuffer *insp = InspectionBufferGet(det_ctx, list_id);

    /* filled by an earlier call: nothing to do */
    if (insp->inspect != NULL) {
        return insp;
    }

    const uint8_t *spi = NULL;
    uint32_t spi_len = 0;

    /* Only a non-empty SPI reported with return value 1 is inspected; pointer and
     * length come from the parsed transaction, so both are checked before use. */
    if (rs_ike_state_get_spi_responder(txv, &spi, &spi_len) != 1 || spi == NULL ||
            spi_len == 0) {
        return NULL;
    }

    InspectionBufferSetup(det_ctx, list_id, insp, spi, spi_len);
    InspectionBufferApplyTransforms(insp, transforms);

    return insp;
}
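/**
 * \brief Register the ike.init_spi and ike.resp_spi sticky buffer keywords.
 *
 * For each of the two keywords this fills the sigmatch_table entry (name, url, desc,
 * Setup callback, flags), registers the app-layer inspect engine and the MPM prefilter
 * with the matching data getter, sets the buffer description, and stores the buffer
 * type id in g_buffer_initiator_id / g_buffer_responder_id for the Setup callbacks.
 *
 * The initiator buffer is registered with SIG_FLAG_TOSERVER and the responder buffer
 * with SIG_FLAG_TOCLIENT.
 */
void DetectIkeSpiRegister(void)
{
    // register initiator
    sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].name = KEYWORD_NAME_INITIATOR;
    /* KEYWORD_DOC_INITIATOR expands with its own trailing ';'. The terminator is written
     * here as well so the .url and .desc assignments read as two statements; the second
     * ';' is an empty statement and generates no code. */
    sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].url = "/rules/" KEYWORD_DOC_INITIATOR;
    sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].desc =
            "sticky buffer to match on the IKE spi initiator";
    sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].Setup = DetectSpiInitiatorSetup;
    sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].flags |=
            SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister2(BUFFER_NAME_INITIATOR, ALPROTO_IKE, SIG_FLAG_TOSERVER, 1,
            DetectEngineInspectBufferGeneric, GetInitiatorData);

    DetectAppLayerMpmRegister2(BUFFER_NAME_INITIATOR, SIG_FLAG_TOSERVER, 1,
            PrefilterGenericMpmRegister, GetInitiatorData, ALPROTO_IKE, 1);

    DetectBufferTypeSetDescriptionByName(BUFFER_NAME_INITIATOR, BUFFER_DESC_INITIATOR);

    /* looked up after the registrations above, which use the same buffer name */
    g_buffer_initiator_id = DetectBufferTypeGetByName(BUFFER_NAME_INITIATOR);
    SCLogDebug("registering " BUFFER_NAME_INITIATOR " rule option");

    // register responder
    sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].name = KEYWORD_NAME_RESPONDER;
    /* KEYWORD_DOC_RESPONDER carries a trailing ';' too; see the initiator entry. */
    sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].url = "/rules/" KEYWORD_DOC_RESPONDER;
    sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].desc =
            "sticky buffer to match on the IKE spi responder";
    sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].Setup = DetectSpiResponderSetup;
    sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].flags |=
            SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister2(BUFFER_NAME_RESPONDER, ALPROTO_IKE, SIG_FLAG_TOCLIENT, 1,
            DetectEngineInspectBufferGeneric, GetResponderData);

    DetectAppLayerMpmRegister2(BUFFER_NAME_RESPONDER, SIG_FLAG_TOCLIENT, 1,
            PrefilterGenericMpmRegister, GetResponderData, ALPROTO_IKE, 1);

    DetectBufferTypeSetDescriptionByName(BUFFER_NAME_RESPONDER, BUFFER_DESC_RESPONDER);

    /* looked up after the registrations above, which use the same buffer name */
    g_buffer_responder_id = DetectBufferTypeGetByName(BUFFER_NAME_RESPONDER);
    SCLogDebug("registering " BUFFER_NAME_RESPONDER " rule option");
}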