/src/suricata7/src/detect-tcpmss.c
Line | Count | Source |
1 | | /* Copyright (C) 2007-2020 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Victor Julien <victor@inliniac.net> |
22 | | * |
23 | | */ |
24 | | |
25 | | #include "suricata-common.h" |
26 | | |
27 | | #include "detect.h" |
28 | | #include "detect-parse.h" |
29 | | #include "detect-engine-prefilter-common.h" |
30 | | #include "detect-engine-uint.h" |
31 | | #include "util-byte.h" |
32 | | |
33 | | #include "detect-tcpmss.h" |
34 | | |
35 | | |
36 | | /* prototypes */ |
37 | | static int DetectTcpmssMatch (DetectEngineThreadCtx *, Packet *, |
38 | | const Signature *, const SigMatchCtx *); |
39 | | static int DetectTcpmssSetup (DetectEngineCtx *, Signature *, const char *); |
40 | | void DetectTcpmssFree (DetectEngineCtx *, void *); |
41 | | #ifdef UNITTESTS |
42 | | void DetectTcpmssRegisterTests (void); |
43 | | #endif |
44 | | static int PrefilterSetupTcpmss(DetectEngineCtx *de_ctx, SigGroupHead *sgh); |
45 | | static bool PrefilterTcpmssIsPrefilterable(const Signature *s); |
46 | | |
47 | | /** |
48 | | * \brief Registration function for tcpmss: keyword |
49 | | */ |
50 | | |
51 | | void DetectTcpmssRegister(void) |
52 | 34 | { |
53 | 34 | sigmatch_table[DETECT_TCPMSS].name = "tcp.mss"; |
54 | 34 | sigmatch_table[DETECT_TCPMSS].desc = "match on TCP MSS option field"; |
55 | 34 | sigmatch_table[DETECT_TCPMSS].url = "/rules/header-keywords.html#tcpmss"; |
56 | 34 | sigmatch_table[DETECT_TCPMSS].Match = DetectTcpmssMatch; |
57 | 34 | sigmatch_table[DETECT_TCPMSS].Setup = DetectTcpmssSetup; |
58 | 34 | sigmatch_table[DETECT_TCPMSS].Free = DetectTcpmssFree; |
59 | 34 | sigmatch_table[DETECT_TCPMSS].SupportsPrefilter = PrefilterTcpmssIsPrefilterable; |
60 | 34 | sigmatch_table[DETECT_TCPMSS].SetupPrefilter = PrefilterSetupTcpmss; |
61 | | |
62 | 34 | return; |
63 | 34 | } |
64 | | |
65 | | /** |
66 | | * \brief This function is used to match TCPMSS rule option on a packet with those passed via |
67 | | * tcpmss: |
68 | | * |
69 | | * \param det_ctx pointer to the pattern matcher thread |
70 | | * \param p pointer to the current packet |
71 | | * \param ctx pointer to the sigmatch that we will cast into DetectU16Data |
72 | | * |
73 | | * \retval 0 no match |
74 | | * \retval 1 match |
75 | | */ |
76 | | static int DetectTcpmssMatch (DetectEngineThreadCtx *det_ctx, Packet *p, |
77 | | const Signature *s, const SigMatchCtx *ctx) |
78 | 15.1k | { |
79 | | |
80 | 15.1k | if (!(PKT_IS_TCP(p)) || PKT_IS_PSEUDOPKT(p)) |
81 | 1.64k | return 0; |
82 | | |
83 | 13.4k | if (!(TCP_HAS_MSS(p))) |
84 | 11.3k | return 0; |
85 | | |
86 | 2.07k | uint16_t ptcpmss = TCP_GET_MSS(p); |
87 | | |
88 | 2.07k | const DetectU16Data *tcpmssd = (const DetectU16Data *)ctx; |
89 | 2.07k | return DetectU16Match(ptcpmss, tcpmssd); |
90 | 13.4k | } |
91 | | |
92 | | /** |
93 | | * \brief this function is used to attach the parsed tcpmss data into the current signature |
94 | | * |
95 | | * \param de_ctx pointer to the Detection Engine Context |
96 | | * \param s pointer to the Current Signature |
97 | | * \param tcpmssstr pointer to the user provided tcpmss options |
98 | | * |
99 | | * \retval 0 on Success |
100 | | * \retval -1 on Failure |
101 | | */ |
102 | | static int DetectTcpmssSetup (DetectEngineCtx *de_ctx, Signature *s, const char *tcpmssstr) |
103 | 2.59k | { |
104 | 2.59k | DetectU16Data *tcpmssd = DetectU16Parse(tcpmssstr); |
105 | 2.59k | if (tcpmssd == NULL) |
106 | 285 | return -1; |
107 | | |
108 | 2.30k | SigMatch *sm = SigMatchAlloc(); |
109 | 2.30k | if (sm == NULL) { |
110 | 0 | DetectTcpmssFree(de_ctx, tcpmssd); |
111 | 0 | return -1; |
112 | 0 | } |
113 | | |
114 | 2.30k | sm->type = DETECT_TCPMSS; |
115 | 2.30k | sm->ctx = (SigMatchCtx *)tcpmssd; |
116 | | |
117 | 2.30k | SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH); |
118 | 2.30k | s->flags |= SIG_FLAG_REQUIRE_PACKET; |
119 | | |
120 | 2.30k | return 0; |
121 | 2.30k | } |
122 | | |
123 | | /** |
124 | | * \brief this function will free memory associated with DetectU16Data |
125 | | * |
126 | | * \param ptr pointer to DetectU16Data |
127 | | */ |
128 | | void DetectTcpmssFree(DetectEngineCtx *de_ctx, void *ptr) |
129 | 2.30k | { |
130 | 2.30k | rs_detect_u16_free(ptr); |
131 | 2.30k | } |
132 | | |
133 | | /* prefilter code */ |
134 | | |
135 | | static void |
136 | | PrefilterPacketTcpmssMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx) |
137 | 1.22k | { |
138 | 1.22k | if (!(PKT_IS_TCP(p)) || PKT_IS_PSEUDOPKT(p)) |
139 | 68 | return; |
140 | | |
141 | 1.15k | if (!(TCP_HAS_MSS(p))) |
142 | 1.06k | return; |
143 | | |
144 | 87 | uint16_t ptcpmss = TCP_GET_MSS(p); |
145 | | |
146 | | /* during setup Suricata will automatically see if there is another |
147 | | * check that can be added: alproto, sport or dport */ |
148 | 87 | const PrefilterPacketHeaderCtx *ctx = pectx; |
149 | 87 | if (!PrefilterPacketHeaderExtraMatch(ctx, p)) |
150 | 0 | return; |
151 | | |
152 | 87 | DetectU16Data du16; |
153 | 87 | du16.mode = ctx->v1.u8[0]; |
154 | 87 | du16.arg1 = ctx->v1.u16[1]; |
155 | 87 | du16.arg2 = ctx->v1.u16[2]; |
156 | | /* if we match, add all the sigs that use this prefilter. This means |
157 | | * that these will be inspected further */ |
158 | 87 | if (DetectU16Match(ptcpmss, &du16)) { |
159 | 0 | SCLogDebug("packet matches tcpmss/hl %u", ptcpmss); |
160 | 0 | PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt); |
161 | 0 | } |
162 | 87 | } |
163 | | |
164 | | static int PrefilterSetupTcpmss(DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
165 | 422 | { |
166 | 422 | return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_TCPMSS, PrefilterPacketU16Set, |
167 | 422 | PrefilterPacketU16Compare, PrefilterPacketTcpmssMatch); |
168 | 422 | } |
169 | | |
170 | | static bool PrefilterTcpmssIsPrefilterable(const Signature *s) |
171 | 0 | { |
172 | 0 | const SigMatch *sm; |
173 | 0 | for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) { |
174 | 0 | switch (sm->type) { |
175 | 0 | case DETECT_TCPMSS: |
176 | 0 | return true; |
177 | 0 | } |
178 | 0 | } |
179 | 0 | return false; |
180 | 0 | } |