You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
suricata/src/detect-window.c

497 lines
16 KiB
C

/**
* \file
* \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
*
* WINDOW tcp window option, part of the detection engine.
*/
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-window.h"
#include "flow.h"
#include "flow-var.h"
#include "util-unittest.h"
/**
* \brief Regex for parsing our window option
*/
#define PARSE_REGEX "^\\s*([!])?\\s*([0-9]{1,9}+)\\s*$"
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
int DetectWindowMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectWindowSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectWindowRegisterTests(void);
void DetectWindowFree(void *);
/**
* \brief Registration function for window: keyword
*/
void DetectWindowRegister (void) {
sigmatch_table[DETECT_WINDOW].name = "window";
sigmatch_table[DETECT_WINDOW].Match = DetectWindowMatch;
sigmatch_table[DETECT_WINDOW].Setup = DetectWindowSetup;
sigmatch_table[DETECT_WINDOW].Free = DetectWindowFree;
sigmatch_table[DETECT_WINDOW].RegisterTests = DetectWindowRegisterTests;
const char *eb;
int eo;
int opts = 0;
#ifdef WINDOW_DEBUG
printf("detect-window: Registering window rule option\n");
#endif
parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
if(parse_regex == NULL)
{
printf("pcre compile of \"%s\" failed at offset %" PRId32 ": %s\n", PARSE_REGEX, eo, eb);
goto error;
}
parse_regex_study = pcre_study(parse_regex, 0, &eb);
if(eb != NULL)
{
printf("pcre study failed: %s\n", eb);
goto error;
}
return;
error:
/* XXX */
return;
}
/**
* \brief This function is used to match the window size on a packet
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param p pointer to the current packet
* \param m pointer to the sigmatch that we will cast into DetectWindowData
*
* \retval 0 no match
* \retval 1 match
*/
int DetectWindowMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m)
{
int ret=0;
DetectWindowData *wd = (DetectWindowData *)m->ctx;
if(wd != NULL)
{
/**
* To match a packet with a widow size rule, we need a TCP packet,
* and we must look if the size is negated or not
*/
if (!(PKT_IS_TCP(p))) {
return 0;
}
if((!wd->negated && wd->size==TCP_GET_WINDOW(p)) || (wd->negated && wd->size!=TCP_GET_WINDOW(p)))
{
#ifdef WINDOW_DEBUG
printf("detect-window: packet is TCP Proto and matched with packet window size %d and rule option size %d negated: %d!!!\n", TCP_GET_WINDOW(p), wd->size, wd->negated);
#endif
ret=1;
}
}
return ret;
}
/**
* \brief This function is used to parse window options passed via window: keyword
*
* \param windowstr Pointer to the user provided window options (negation! and size)
*
* \retval wd pointer to DetectWindowData on success
* \retval NULL on failure
*/
DetectWindowData *DetectWindowParse (char *windowstr)
{
DetectWindowData *wd = NULL;
char *args[3] = {NULL,NULL,NULL}; /* PR: Why PCRE MAX_SUBSTRING must be multiple of 3? */
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
ret = pcre_exec(parse_regex, parse_regex_study, windowstr, strlen(windowstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 1 || ret > 3) {
goto error;
}
wd = malloc(sizeof(DetectWindowData));
if (wd == NULL) {
printf("DetectWindowParse malloc failed\n");
goto error;
}
if (ret > 1) {
const char *str_ptr;
res = pcre_get_substring((char *)windowstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
if (res < 0) {
printf("DetectWindowParse: pcre_get_substring failed\n");
goto error;
}
args[0] = (char *)str_ptr;
// Detect if it's negated
if(args[0][0]=='!')
wd->negated=1;
else
wd->negated=0;
#ifdef WINDOW_DEBUG
if(wd->negated)
printf("detect-window: Negation: %s\n", windowstr);
#endif
if (ret > 2) {
res = pcre_get_substring((char *)windowstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
if (res < 0) {
printf("DetectWindowParse: pcre_get_substring failed\n");
goto error;
}
wd->size = atoi((char *)str_ptr);
// Get the window size if it's a valid value (in packets, we should alert if this doesn't happend from decode)
if(wd->size > MAX_WINDOW_VALUE)
{
goto error;
}
#ifdef WINDOW_DEBUG
printf("detect-window: window size-> %u\n", wd->size);
#endif
}
}
int i=0;
for (i = 0; i < (ret -1); i++){
if (args[i] != NULL) free(args[i]);
}
return wd;
error:
for (i = 0; i < (ret -1); i++){
if (args[i] != NULL) free(args[i]);
}
if (wd != NULL) DetectWindowFree(wd);
return NULL;
}
/**
* \brief this function is used to add the parsed window sizedata into the current signature
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param m pointer to the Current SigMatch
* \param windowstr pointer to the user provided window options
*
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectWindowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *windowstr)
{
DetectWindowData *wd = NULL;
SigMatch *sm = NULL;
wd = DetectWindowParse(windowstr);
if (wd == NULL) goto error;
/* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_WINDOW;
sm->ctx = (void *)wd;
SigMatchAppend(s,m,sm);
return 0;
error:
if (wd != NULL) DetectWindowFree(wd);
if (sm != NULL) free(sm);
return -1;
}
/**
* \brief this function will free memory associated with DetectWindowData
*
* \param wd pointer to DetectWindowData
*/
void DetectWindowFree(void *ptr) {
DetectWindowData *wd = (DetectWindowData *)ptr;
free(wd);
}
#ifdef UNITTESTS /* UNITTESTS */
/**
* \test DetectWindowTestParse01 is a test to make sure that we set the size correctly
* when given valid window opt
*/
int DetectWindowTestParse01 (void) {
int result = 0;
DetectWindowData *wd = NULL;
wd = DetectWindowParse("35402");
if (wd != NULL &&wd->size==35402) {
DetectWindowFree(wd);
result = 1;
}
return result;
}
/**
* \test DetectWindowTestParse02 is a test for setting the window opt negated
*/
int DetectWindowTestParse02 (void) {
int result = 0;
DetectWindowData *wd = NULL;
wd = DetectWindowParse("!35402");
if (wd != NULL) {
if (wd->negated == 1 && wd->size==35402) {
result = 1;
} else {
printf("expected wd->negated=1 and wd->size=35402\n");
}
DetectWindowFree(wd);
}
return result;
}
/**
* \test DetectWindowTestParse03 is a test to check for an empty value
*/
int DetectWindowTestParse03 (void) {
int result = 0;
DetectWindowData *wd = NULL;
wd = DetectWindowParse("");
if (wd == NULL) {
result = 1;
} else {
printf("expected a NULL pointer (It was an empty string)\n");
}
DetectWindowFree(wd);
return result;
}
/**
* \test DetectWindowTestParse03 is a test to check for a big value
*/
int DetectWindowTestParse04 (void) {
int result = 0;
DetectWindowData *wd = NULL;
wd = DetectWindowParse("1235402");
if (wd != NULL) {
printf("expected a NULL pointer (It was exceeding the MAX window size)\n");
DetectWindowFree(wd);
}else
result=1;
return result;
}
/**
* \test DetectWindowTestPacket01 is a test to check window with constructed packets, expecting to match a negated size
* Parse Window Data: if th_win is not 55455 it should Match!
* The packet is less than 55455 so it must match
*/
int DetectWindowTestPacket01 (void) {
int result = 0;
DetectWindowData *wd = NULL;
wd = DetectWindowParse("!55455");
if (wd == NULL)
{
printf("DetectWindowTestPacket01: expected a DetectWindowData pointer (got NULL)\n");
return 0;
}
/* Buid and decode the packet */
uint8_t raw_eth [] = {
0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
Packet q;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&tv, 0, sizeof(ThreadVars));
memset(&q, 0, sizeof(Packet));
memset(&dtv, 0, sizeof(DecodeThreadVars));
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&tv, &dtv, &q, raw_eth, sizeof(raw_eth), NULL);
FlowShutdown();
Packet *p=&q;
if (!(PKT_IS_TCP(p))) {
printf("detect-window: TestPacket01: Packet is not TCP\n");
return 0;
}
/* We dont need DetectEngineThreadCtx inside DetectWindowMatch, its just to pass it to
the function, since this is a test for this option
Also a Signature is not really needed
*/
DetectEngineThreadCtx *det_ctx=NULL;
Signature *s=NULL;
SigMatch m;
m.ctx=wd;
/* Now that we have what we need, just try to Match! */
result=DetectWindowMatch (&tv, det_ctx, p, s, &m);
return result;
}
/**
* \test DetectWindowTestPacket02 is a test to check window with constructed packets, expecting to match a size
* Parse Window Data: if th_win is 190 it should Match!
* The packet tcp window is 190 so it must match
*/
int DetectWindowTestPacket02 (void) {
int result = 0;
DetectWindowData *wd = NULL;
wd = DetectWindowParse("117");
if (wd == NULL)
{
printf("DetectWindowTestPacket02: expected a DetectWindowData pointer (got NULL)\n");
return 0;
}
uint8_t raw_eth [] = {
0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
Packet q;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&tv, 0, sizeof(ThreadVars));
memset(&q, 0, sizeof(Packet));
memset(&dtv, 0, sizeof(DecodeThreadVars));
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&tv, &dtv, &q, raw_eth, sizeof(raw_eth), NULL);
FlowShutdown();
Packet *p=&q;
if (!(PKT_IS_TCP(p))) {
printf("DetectWindowTestPacket02: TestPacket01: Packet is not TCP\n");
return 0;
}
DetectEngineThreadCtx *det_ctx=NULL;
Signature *s=NULL;
SigMatch m;
m.ctx=wd;
/* Now that we have what we need, just try to Match! */
result=DetectWindowMatch (&tv, det_ctx, p, s, &m);
return result;
}
#endif /* UNITTESTS */
/**
* \brief this function registers unit tests for DetectWindow
*/
void DetectWindowRegisterTests(void) {
#ifdef UNITTESTS /* UNITTESTS */
UtRegisterTest("DetectWindowTestParse01", DetectWindowTestParse01, 1);
UtRegisterTest("DetectWindowTestParse02", DetectWindowTestParse02, 1);
UtRegisterTest("DetectWindowTestParse03", DetectWindowTestParse03, 1);
UtRegisterTest("DetectWindowTestParse04", DetectWindowTestParse04, 1);
UtRegisterTest("DetectWindowTestPacket01" , DetectWindowTestPacket01 , 1);
UtRegisterTest("DetectWindowTestPacket02" , DetectWindowTestPacket02 , 1);
#endif /* UNITTESTS */
}