/src/suricata7/src/detect-ike-spi.c
Line | Count | Source |
1 | | /* Copyright (C) 2020 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * |
20 | | * \author Frank Honza <frank.honza@dcso.de> |
21 | | */ |
22 | | |
23 | | #include "suricata-common.h" |
24 | | #include "threads.h" |
25 | | #include "decode.h" |
26 | | #include "detect.h" |
27 | | |
28 | | #include "detect-parse.h" |
29 | | #include "detect-engine.h" |
30 | | #include "detect-engine-mpm.h" |
31 | | #include "detect-engine-prefilter.h" |
32 | | #include "detect-urilen.h" |
33 | | |
34 | | #include "flow.h" |
35 | | #include "flow-var.h" |
36 | | #include "flow-util.h" |
37 | | |
38 | | #include "util-debug.h" |
39 | | #include "util-unittest.h" |
40 | | #include "util-unittest-helper.h" |
41 | | #include "util-spm.h" |
42 | | |
43 | | #include "app-layer.h" |
44 | | #include "app-layer-parser.h" |
45 | | |
46 | | #include "detect-ike-spi.h" |
47 | | #include "stream-tcp.h" |
48 | | |
49 | | #include "rust.h" |
50 | | #include "app-layer-ike.h" |
51 | | #include "rust-bindings.h" |
52 | | |
53 | 34 | #define KEYWORD_NAME_INITIATOR "ike.init_spi" |
54 | 34 | #define KEYWORD_DOC_INITIATOR "ike-keywords.html#ike-init_spi"; |
55 | 136 | #define BUFFER_NAME_INITIATOR "ike.init_spi" |
56 | 34 | #define BUFFER_DESC_INITIATOR "ike init spi" |
57 | | |
58 | 34 | #define KEYWORD_NAME_RESPONDER "ike.resp_spi" |
59 | 34 | #define KEYWORD_DOC_RESPONDER "ike-keywords.html#ike-resp_spi"; |
60 | 136 | #define BUFFER_NAME_RESPONDER "ike.resp_spi" |
61 | 34 | #define BUFFER_DESC_RESPONDER "ike resp spi" |
62 | | |
63 | | static int g_buffer_initiator_id = 0; |
64 | | static int g_buffer_responder_id = 0; |
65 | | |
66 | | static int DetectSpiInitiatorSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) |
67 | 1.86k | { |
68 | 1.86k | if (DetectBufferSetActiveList(de_ctx, s, g_buffer_initiator_id) < 0) |
69 | 21 | return -1; |
70 | | |
71 | 1.84k | if (DetectSignatureSetAppProto(s, ALPROTO_IKE) < 0) |
72 | 348 | return -1; |
73 | | |
74 | 1.49k | return 0; |
75 | 1.84k | } |
76 | | |
77 | | static int DetectSpiResponderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) |
78 | 2.60k | { |
79 | 2.60k | if (DetectBufferSetActiveList(de_ctx, s, g_buffer_responder_id) < 0) |
80 | 1 | return -1; |
81 | | |
82 | 2.60k | if (DetectSignatureSetAppProto(s, ALPROTO_IKE) < 0) |
83 | 417 | return -1; |
84 | | |
85 | 2.19k | return 0; |
86 | 2.60k | } |
87 | | |
88 | | static InspectionBuffer *GetInitiatorData(DetectEngineThreadCtx *det_ctx, |
89 | | const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, |
90 | | const int list_id) |
91 | 1.31k | { |
92 | 1.31k | InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); |
93 | 1.31k | if (buffer->inspect == NULL) { |
94 | 664 | const uint8_t *b = NULL; |
95 | 664 | uint32_t b_len = 0; |
96 | | |
97 | 664 | if (rs_ike_state_get_spi_initiator(txv, &b, &b_len) != 1) |
98 | 0 | return NULL; |
99 | 664 | if (b == NULL || b_len == 0) |
100 | 0 | return NULL; |
101 | | |
102 | 664 | InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); |
103 | 664 | InspectionBufferApplyTransforms(buffer, transforms); |
104 | 664 | } |
105 | | |
106 | 1.31k | return buffer; |
107 | 1.31k | } |
108 | | |
109 | | static InspectionBuffer *GetResponderData(DetectEngineThreadCtx *det_ctx, |
110 | | const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, |
111 | | const int list_id) |
112 | 99 | { |
113 | 99 | InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); |
114 | 99 | if (buffer->inspect == NULL) { |
115 | 52 | const uint8_t *b = NULL; |
116 | 52 | uint32_t b_len = 0; |
117 | | |
118 | 52 | if (rs_ike_state_get_spi_responder(txv, &b, &b_len) != 1) |
119 | 0 | return NULL; |
120 | 52 | if (b == NULL || b_len == 0) |
121 | 0 | return NULL; |
122 | | |
123 | 52 | InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); |
124 | 52 | InspectionBufferApplyTransforms(buffer, transforms); |
125 | 52 | } |
126 | | |
127 | 99 | return buffer; |
128 | 99 | } |
129 | | |
130 | | void DetectIkeSpiRegister(void) |
131 | 34 | { |
132 | | // register initiator |
133 | 34 | sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].name = KEYWORD_NAME_INITIATOR; |
134 | 34 | sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].url = |
135 | 34 | "/rules/" KEYWORD_DOC_INITIATOR sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].desc = |
136 | 34 | "sticky buffer to match on the IKE spi initiator"; |
137 | 34 | sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].Setup = DetectSpiInitiatorSetup; |
138 | 34 | sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].flags |= |
139 | 34 | SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; |
140 | | |
141 | 34 | DetectAppLayerInspectEngineRegister2(BUFFER_NAME_INITIATOR, ALPROTO_IKE, SIG_FLAG_TOSERVER, 1, |
142 | 34 | DetectEngineInspectBufferGeneric, GetInitiatorData); |
143 | | |
144 | 34 | DetectAppLayerMpmRegister2(BUFFER_NAME_INITIATOR, SIG_FLAG_TOSERVER, 1, |
145 | 34 | PrefilterGenericMpmRegister, GetInitiatorData, ALPROTO_IKE, 1); |
146 | | |
147 | 34 | DetectBufferTypeSetDescriptionByName(BUFFER_NAME_INITIATOR, BUFFER_DESC_INITIATOR); |
148 | | |
149 | 34 | g_buffer_initiator_id = DetectBufferTypeGetByName(BUFFER_NAME_INITIATOR); |
150 | 34 | SCLogDebug("registering " BUFFER_NAME_INITIATOR " rule option"); |
151 | | |
152 | | // register responder |
153 | 34 | sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].name = KEYWORD_NAME_RESPONDER; |
154 | 34 | sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].url = |
155 | 34 | "/rules/" KEYWORD_DOC_RESPONDER sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].desc = |
156 | 34 | "sticky buffer to match on the IKE spi responder"; |
157 | 34 | sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].Setup = DetectSpiResponderSetup; |
158 | 34 | sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].flags |= |
159 | 34 | SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; |
160 | | |
161 | 34 | DetectAppLayerInspectEngineRegister2(BUFFER_NAME_RESPONDER, ALPROTO_IKE, SIG_FLAG_TOCLIENT, 1, |
162 | 34 | DetectEngineInspectBufferGeneric, GetResponderData); |
163 | | |
164 | 34 | DetectAppLayerMpmRegister2(BUFFER_NAME_RESPONDER, SIG_FLAG_TOCLIENT, 1, |
165 | 34 | PrefilterGenericMpmRegister, GetResponderData, ALPROTO_IKE, 1); |
166 | | |
167 | 34 | DetectBufferTypeSetDescriptionByName(BUFFER_NAME_RESPONDER, BUFFER_DESC_RESPONDER); |
168 | | |
169 | 34 | g_buffer_responder_id = DetectBufferTypeGetByName(BUFFER_NAME_RESPONDER); |
170 | 34 | SCLogDebug("registering " BUFFER_NAME_RESPONDER " rule option"); |
171 | 34 | } |