suricata/src/detect-window.c

/**
 * \file
 * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
 *
 * WINDOW tcp window option, part of the detection engine.
 */

#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"

#include "detect-window.h"
#include "flow.h"
#include "flow-var.h"

#include "util-unittest.h"

/**
 * \brief Regex for parsing our window option
 */
#define PARSE_REGEX  "^\\s*([!])?\\s*([0-9]{1,9}+)\\s*$"

static pcre *parse_regex;
static pcre_extra *parse_regex_study;

int DetectWindowMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectWindowSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectWindowRegisterTests(void);
void DetectWindowFree(void *);

/**
 * \brief Registration function for window: keyword
 */
void DetectWindowRegister (void) {
    sigmatch_table[DETECT_WINDOW].name = "window";
    sigmatch_table[DETECT_WINDOW].Match = DetectWindowMatch;
    sigmatch_table[DETECT_WINDOW].Setup = DetectWindowSetup;
    sigmatch_table[DETECT_WINDOW].Free  = DetectWindowFree;
    sigmatch_table[DETECT_WINDOW].RegisterTests = DetectWindowRegisterTests;

    const char *eb;
    int eo;
    int opts = 0;

	#ifdef WINDOW_DEBUG
	printf("detect-window: Registering window rule option\n");
	#endif

    parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
    if(parse_regex == NULL)
    {
        printf("pcre compile of \"%s\" failed at offset %" PRId32 ": %s\n", PARSE_REGEX, eo, eb);
        goto error;
    }

    parse_regex_study = pcre_study(parse_regex, 0, &eb);
    if(eb != NULL)
    {
        printf("pcre study failed: %s\n", eb);
        goto error;
    }
    return;

error:
    /* XXX */
    return;
}

/**
 * \brief This function is used to match the window size on a packet
 *
 * \param t pointer to thread vars
 * \param det_ctx pointer to the pattern matcher thread
 * \param p pointer to the current packet
 * \param m pointer to the sigmatch that we will cast into DetectWindowData
 *
 * \retval 0 no match
 * \retval 1 match
 */
int DetectWindowMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m)
{
    int ret=0;
    DetectWindowData *wd = (DetectWindowData *)m->ctx;

    if(wd != NULL)
    {

        /**
         * To match a packet with a widow size rule, we need a TCP packet,
         * and we must look if the size is negated or not
         */
        if (!(PKT_IS_TCP(p))) {
            return 0;
        }

        if((!wd->negated && wd->size==TCP_GET_WINDOW(p)) || (wd->negated && wd->size!=TCP_GET_WINDOW(p)))
	    {
		    #ifdef WINDOW_DEBUG
            printf("detect-window: packet is TCP Proto and matched with packet window size %d and rule option size %d negated: %d!!!\n", TCP_GET_WINDOW(p), wd->size, wd->negated);
		    #endif
		    ret=1;
        }
    }

    return ret;
}

/**
 * \brief This function is used to parse window options passed via window: keyword
 *
 * \param windowstr Pointer to the user provided window options (negation! and size)
 *
 * \retval wd pointer to DetectWindowData on success
 * \retval NULL on failure
 */
DetectWindowData *DetectWindowParse (char *windowstr)
{
    DetectWindowData *wd = NULL;
    char *args[3] = {NULL,NULL,NULL}; /* PR: Why PCRE MAX_SUBSTRING must be multiple of 3? */
	#define MAX_SUBSTRINGS 30

    int ret = 0, res = 0;
    int ov[MAX_SUBSTRINGS];


    ret = pcre_exec(parse_regex, parse_regex_study, windowstr, strlen(windowstr), 0, 0, ov, MAX_SUBSTRINGS);

    if (ret < 1 || ret > 3) {
        goto error;
    }

    wd = malloc(sizeof(DetectWindowData));
    if (wd == NULL) {
        printf("DetectWindowParse malloc failed\n");
        goto error;
    }


    if (ret > 1) {
        const char *str_ptr;
        res = pcre_get_substring((char *)windowstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
        if (res < 0) {
            printf("DetectWindowParse: pcre_get_substring failed\n");
            goto error;
        }
        args[0] = (char *)str_ptr;
        // Detect if it's negated
        if(args[0][0]=='!')
            wd->negated=1;
        else
            wd->negated=0;

#ifdef WINDOW_DEBUG
        if(wd->negated)
            printf("detect-window: Negation: %s\n", windowstr);
#endif

        if (ret > 2) {
            res = pcre_get_substring((char *)windowstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
            if (res < 0) {
                printf("DetectWindowParse: pcre_get_substring failed\n");
                goto error;
            }
            wd->size = atoi((char *)str_ptr);

            // Get the window size if it's a valid value (in packets, we should alert if this doesn't happend from decode)
            if(wd->size > MAX_WINDOW_VALUE)
            {
                goto error;
            }

#ifdef WINDOW_DEBUG
            printf("detect-window: window size-> %u\n", wd->size);
#endif
        }
    }

	int i=0;
    for (i = 0; i < (ret -1); i++){
        if (args[i] != NULL) free(args[i]);
    }
    return wd;

error:
    for (i = 0; i < (ret -1); i++){
        if (args[i] != NULL) free(args[i]);
    }
    if (wd != NULL) DetectWindowFree(wd);
    return NULL;

}

/**
 * \brief this function is used to add the parsed window sizedata into the current signature
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param m pointer to the Current SigMatch
 * \param windowstr pointer to the user provided window options
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
int DetectWindowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *windowstr)
{
    DetectWindowData *wd = NULL;
    SigMatch *sm = NULL;

    wd = DetectWindowParse(windowstr);
    if (wd == NULL) goto error;

    /* Okay so far so good, lets get this into a SigMatch
     * and put it in the Signature. */
    sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;

    sm->type = DETECT_WINDOW;
    sm->ctx = (void *)wd;

    SigMatchAppend(s,m,sm);

    return 0;

error:
    if (wd != NULL) DetectWindowFree(wd);
    if (sm != NULL) free(sm);
    return -1;

}

/**
 * \brief this function will free memory associated with DetectWindowData
 *
 * \param wd pointer to DetectWindowData
 */
void DetectWindowFree(void *ptr) {
    DetectWindowData *wd = (DetectWindowData *)ptr;
    free(wd);
}

#ifdef UNITTESTS /* UNITTESTS */

/**
 * \test DetectWindowTestParse01 is a test to make sure that we set the size correctly
 *  when given valid window opt
 */
int DetectWindowTestParse01 (void) {
    int result = 0;
    DetectWindowData *wd = NULL;
    wd = DetectWindowParse("35402");
    if (wd != NULL &&wd->size==35402) {
        DetectWindowFree(wd);
        result = 1;
    }

    return result;
}

/**
 * \test DetectWindowTestParse02 is a test for setting the window opt negated
 */
int DetectWindowTestParse02 (void) {
    int result = 0;
    DetectWindowData *wd = NULL;
    wd = DetectWindowParse("!35402");
    if (wd != NULL) {
        if (wd->negated == 1 && wd->size==35402) {
            result = 1;
        } else {
            printf("expected wd->negated=1 and wd->size=35402\n");
        }
        DetectWindowFree(wd);
    }

    return result;
}

/**
 * \test DetectWindowTestParse03 is a test to check for an empty value
 */
int DetectWindowTestParse03 (void) {
    int result = 0;
    DetectWindowData *wd = NULL;
    wd = DetectWindowParse("");
    if (wd == NULL) {
        result = 1;
    } else {
        printf("expected a NULL pointer (It was an empty string)\n");
    }
    DetectWindowFree(wd);

    return result;
}

/**
 * \test DetectWindowTestParse03 is a test to check for a big value
 */
int DetectWindowTestParse04 (void) {
    int result = 0;
    DetectWindowData *wd = NULL;
    wd = DetectWindowParse("1235402");
    if (wd != NULL) {
        printf("expected a NULL pointer (It was exceeding the MAX window size)\n");
        DetectWindowFree(wd);
    }else
        result=1;

    return result;
}


/**
 * \test DetectWindowTestPacket01 is a test to check window with constructed packets, expecting to match a negated size
 * Parse Window Data: if th_win is not 55455 it should Match!
 * The packet is less than 55455 so it must match
 */

int DetectWindowTestPacket01 (void) {
    int result = 0;
    DetectWindowData *wd = NULL;


    wd = DetectWindowParse("!55455");
    if (wd == NULL)
    {
        printf("DetectWindowTestPacket01: expected a DetectWindowData pointer (got NULL)\n");
        return 0;
    }
    /* Buid and decode the packet */
    uint8_t raw_eth [] = {
    0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
	,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
	,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
	,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
	,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
	,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
	,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
	,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
	,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
	,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
	,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
	,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
	,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
	,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
	,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
	,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
	,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
	,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
	,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
	,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
	,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
	,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
	,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
	,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
	,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
	,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
	,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
	,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
	,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
	,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };

    Packet q;
    ThreadVars tv;
    DecodeThreadVars dtv;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&q, 0, sizeof(Packet));
    memset(&dtv, 0, sizeof(DecodeThreadVars));

    FlowInitConfig(FLOW_QUIET);
    DecodeEthernet(&tv, &dtv, &q, raw_eth, sizeof(raw_eth), NULL);
    FlowShutdown();

    Packet *p=&q;

    if (!(PKT_IS_TCP(p))) {
        printf("detect-window: TestPacket01: Packet is not TCP\n");
        return 0;
    }


    /* We dont need DetectEngineThreadCtx inside DetectWindowMatch, its just to pass it to
     the function, since this is a test for this option
     Also a Signature is not really needed
    */

    DetectEngineThreadCtx *det_ctx=NULL;
    Signature *s=NULL;

    SigMatch m;
    m.ctx=wd;

    /* Now that we have what we need, just try to Match! */
    result=DetectWindowMatch (&tv, det_ctx, p, s, &m);

    return result;
}


/**
 * \test DetectWindowTestPacket02 is a test to check window with constructed packets, expecting to match a size
 * Parse Window Data: if th_win is 190 it should Match!
 * The packet tcp window is 190 so it must match
 */

int DetectWindowTestPacket02 (void) {
    int result = 0;
    DetectWindowData *wd = NULL;

    wd = DetectWindowParse("117");
    if (wd == NULL)
    {
        printf("DetectWindowTestPacket02: expected a DetectWindowData pointer (got NULL)\n");
        return 0;
    }

    uint8_t raw_eth [] = {
    0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
	,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
	,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
	,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
	,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
	,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
	,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
	,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
	,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
	,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
	,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
	,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
	,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
	,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
	,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
	,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
	,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
	,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
	,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
	,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
	,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
	,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
	,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
	,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
	,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
	,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
	,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
	,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
	,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
	,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };

    Packet q;
    ThreadVars tv;
    DecodeThreadVars dtv;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&q, 0, sizeof(Packet));
    memset(&dtv, 0, sizeof(DecodeThreadVars));

    FlowInitConfig(FLOW_QUIET);
    DecodeEthernet(&tv, &dtv, &q, raw_eth, sizeof(raw_eth), NULL);
    FlowShutdown();

    Packet *p=&q;

    if (!(PKT_IS_TCP(p))) {
        printf("DetectWindowTestPacket02: TestPacket01: Packet is not TCP\n");
        return 0;
    }


    DetectEngineThreadCtx *det_ctx=NULL;
    Signature *s=NULL;
    SigMatch m;
    m.ctx=wd;

    /* Now that we have what we need, just try to Match! */
    result=DetectWindowMatch (&tv, det_ctx, p, s, &m);

    return result;
}

#endif /* UNITTESTS */

/**
 * \brief this function registers unit tests for DetectWindow
 */
void DetectWindowRegisterTests(void) {
    #ifdef UNITTESTS /* UNITTESTS */
    UtRegisterTest("DetectWindowTestParse01", DetectWindowTestParse01, 1);
    UtRegisterTest("DetectWindowTestParse02", DetectWindowTestParse02, 1);
    UtRegisterTest("DetectWindowTestParse03", DetectWindowTestParse03, 1);
    UtRegisterTest("DetectWindowTestParse04", DetectWindowTestParse04, 1);
    UtRegisterTest("DetectWindowTestPacket01"  , DetectWindowTestPacket01  , 1);
    UtRegisterTest("DetectWindowTestPacket02"  , DetectWindowTestPacket02  , 1);
    #endif /* UNITTESTS */
}