suricata/src/detect-msg.c

/* MSG part of the detection engine. */

#include "suricata-common.h"
#include "detect.h"
#include "util-classification-config.h"
#include "util-debug.h"
#include "util-unittest.h"

#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"


int DetectMsgSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *msgstr);
void DetectMsgRegisterTests(void);

void DetectMsgRegister (void) {
    sigmatch_table[DETECT_MSG].name = "msg";
    sigmatch_table[DETECT_MSG].Match = NULL;
    sigmatch_table[DETECT_MSG].Setup = DetectMsgSetup;
    sigmatch_table[DETECT_MSG].Free = NULL;
    sigmatch_table[DETECT_MSG].RegisterTests = DetectMsgRegisterTests;
}

int DetectMsgSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *msgstr)
{
    char *str = NULL;
    uint16_t len;

    if (strlen(msgstr) == 0)
        goto error;

    /* strip "'s */
    if (msgstr[0] == '\"' && msgstr[strlen(msgstr)-1] == '\"') {
        str = SCStrdup(msgstr+1);
        str[strlen(msgstr)-2] = '\0';
    } else if (msgstr[1] == '\"' && msgstr[strlen(msgstr)-1] == '\"') {
        /* XXX do this parsing in a better way */
        str = SCStrdup(msgstr+2);
        str[strlen(msgstr)-3] = '\0';
        //printf("DetectMsgSetup: format hack applied: \'%s\'\n", str);
    } else {
        SCLogError(SC_ERR_INVALID_VALUE, "format error \'%s\'", msgstr);
        goto error;
    }

    len = strlen(str);
    if (len == 0)
        goto error;

    char converted = 0;

    {
        uint16_t i, x;
        uint8_t escape = 0;

        /* it doesn't matter if we need to escape or not we remove the extra "\" to mimic snort */
        for (i = 0, x = 0; i < len; i++) {
            //printf("str[%02u]: %c\n", i, str[i]);
            if(!escape && str[i] == '\\') {
                escape = 1;
            } else if (escape) {
                if (str[i] != ':' &&
                        str[i] != ';' &&
                        str[i] != '\\' &&
                        str[i] != '\"')
                {
                    SCLogDebug("character \"%c\" does not need to be escaped but is" ,str[i]);
                }
                escape = 0;
                converted = 1;

                str[x] = str[i];
                x++;
            }else{
                str[x] = str[i];
                x++;
            }

        }
#if 0 //def DEBUG
        if (SCLogDebugEnabled()) {
            for (i = 0; i < x; i++) {
                printf("%c", str[i]);
            }
            printf("\n");
        }
#endif

        if (converted) {
            len = x;
            str[len] = '\0';
        }
    }

    s->msg = SCMalloc(len + 1);
    if (s->msg == NULL)
        goto error;

    strlcpy(s->msg, str, len + 1);

    SCFree(str);
    return 0;

error:
    SCFree(str);
    return -1;
}

/* -------------------------------------Unittests-----------------------------*/

#ifdef UNITTESTS
static int DetectMsgParseTest01(void)
{
    int result = 0;
    Signature *sig = NULL;
    char *teststringparsed = "flow stateless to_server";
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"flow stateless to_server\"; flow:stateless,to_server; content:\"flowstatelesscheck\"; classtype:bad-unknown; sid: 40000002; rev: 1;)");
    if(sig == NULL)
        goto end;

    if (strcmp(sig->msg, teststringparsed) != 0) {
        printf("got \"%s\", expected: \"%s\": ", sig->msg, teststringparsed);
        goto end;
    }

    result = 1;
end:
    if (sig != NULL)
        SigFree(sig);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return result;
}

static int DetectMsgParseTest02(void)
{
    int result = 0;
    Signature *sig = NULL;
    char *teststringparsed = "msg escape tests wxy'\"\\;:";
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"msg escape tests \\w\\x\\y\\'\\\"\\\\;\\:\"; flow:to_server,established; content:\"blah\"; uricontent:\"/blah/\"; sid: 100;)");
    if(sig == NULL)
        goto end;

    if (strcmp(sig->msg, teststringparsed) != 0) {
        printf("got \"%s\", expected: \"%s\": ",sig->msg, teststringparsed);
        goto end;
    }

    result = 1;
end:
    if (sig != NULL)
        SigFree(sig);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return result;
}

#endif /* UNITTESTS */

/**
 * \brief this function registers unit tests for DetectMsg
 */
void DetectMsgRegisterTests(void) {
#ifdef UNITTESTS /* UNITTESTS */
    UtRegisterTest("DetectMsgParseTest01", DetectMsgParseTest01, 1);
    UtRegisterTest("DetectMsgParseTest02", DetectMsgParseTest02, 1);
#endif /* UNITTESTS */
}
Initial add of the files. 17 years ago			`/* MSG part of the detection engine. */`

Rename to Suricata. 16 years ago			`#include "suricata-common.h"`
Initial add of the files. 17 years ago			`#include "detect.h"`
Support for Classtype keyword and Classification Config file 16 years ago			`#include "util-classification-config.h"`
More logging API usage changes. 16 years ago			`#include "util-debug.h"`
detct-msg changes and unittests 16 years ago			`#include "util-unittest.h"`

			`#include "detect-parse.h"`
			`#include "detect-engine.h"`
			`#include "detect-engine-mpm.h"`

Initial add of the files. 17 years ago
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups. 17 years ago			`int DetectMsgSetup (DetectEngineCtx de_ctx, Signature s, SigMatch m, char msgstr);`
detct-msg changes and unittests 16 years ago			`void DetectMsgRegisterTests(void);`
Initial add of the files. 17 years ago
			`void DetectMsgRegister (void) {`
			`sigmatch_table[DETECT_MSG].name = "msg";`
			`sigmatch_table[DETECT_MSG].Match = NULL;`
			`sigmatch_table[DETECT_MSG].Setup = DetectMsgSetup;`
			`sigmatch_table[DETECT_MSG].Free = NULL;`
detct-msg changes and unittests 16 years ago			`sigmatch_table[DETECT_MSG].RegisterTests = DetectMsgRegisterTests;`
Initial add of the files. 17 years ago			`}`

Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups. 17 years ago			`int DetectMsgSetup (DetectEngineCtx de_ctx, Signature s, SigMatch m, char msgstr)`
Initial add of the files. 17 years ago			`{`
Fixes for issues found by static code analyzer. 16 years ago			`char *str = NULL;`
added support for escapes inside of msg keyword 16 years ago			`uint16_t len;`

			`if (strlen(msgstr) == 0)`
			`goto error;`
Initial add of the files. 17 years ago
			`/* strip "'s */`
			`if (msgstr[0] == '\"' && msgstr[strlen(msgstr)-1] == '\"') {`
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks. 16 years ago			`str = SCStrdup(msgstr+1);`
Initial add of the files. 17 years ago			`str[strlen(msgstr)-2] = '\0';`
Improve memory handling and parsing of the msg rule keyword. 17 years ago			`} else if (msgstr[1] == '\"' && msgstr[strlen(msgstr)-1] == '\"') {`
			`/* XXX do this parsing in a better way */`
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks. 16 years ago			`str = SCStrdup(msgstr+2);`
Improve memory handling and parsing of the msg rule keyword. 17 years ago			`str[strlen(msgstr)-3] = '\0';`
			`//printf("DetectMsgSetup: format hack applied: \'%s\'\n", str);`
			`} else {`
Improve information about errors on signature failure 16 years ago			`SCLogError(SC_ERR_INVALID_VALUE, "format error \'%s\'", msgstr);`
added support for escapes inside of msg keyword 16 years ago			`goto error;`
			`}`

			`len = strlen(str);`
			`if (len == 0)`
			`goto error;`

			`char converted = 0;`

			`{`
			`uint16_t i, x;`
			`uint8_t escape = 0;`

fixes to mimic snort escape behavior in msg 16 years ago			`/* it doesn't matter if we need to escape or not we remove the extra "\" to mimic snort */`
added support for escapes inside of msg keyword 16 years ago			`for (i = 0, x = 0; i < len; i++) {`
			`//printf("str[%02u]: %c\n", i, str[i]);`
			`if(!escape && str[i] == '\\') {`
			`escape = 1;`
			`} else if (escape) {`
fixes to mimic snort escape behavior in msg 16 years ago			`if (str[i] != ':' &&`
			`str[i] != ';' &&`
			`str[i] != '\\' &&`
			`str[i] != '\"')`
added support for escapes inside of msg keyword 16 years ago			`{`
silence a debug statement in the msg handling 16 years ago			`SCLogDebug("character \"%c\" does not need to be escaped but is" ,str[i]);`
added support for escapes inside of msg keyword 16 years ago			`}`
			`escape = 0;`
			`converted = 1;`
fixes to mimic snort escape behavior in msg 16 years ago
			`str[x] = str[i];`
			`x++;`
			`}else{`
added support for escapes inside of msg keyword 16 years ago			`str[x] = str[i];`
			`x++;`
			`}`
fixes to mimic snort escape behavior in msg 16 years ago
added support for escapes inside of msg keyword 16 years ago			`}`
More logging API usage changes. 16 years ago			`#if 0 //def DEBUG`
			`if (SCLogDebugEnabled()) {`
			`for (i = 0; i < x; i++) {`
			`printf("%c", str[i]);`
			`}`
			`printf("\n");`
added support for escapes inside of msg keyword 16 years ago			`}`
			`#endif`

			`if (converted) {`
			`len = x;`
Fix msg parsing. 16 years ago			`str[len] = '\0';`
added support for escapes inside of msg keyword 16 years ago			`}`
Initial add of the files. 17 years ago			`}`

Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks. 16 years ago			`s->msg = SCMalloc(len + 1);`
fixes to mimic snort escape behavior in msg 16 years ago			`if (s->msg == NULL)`
			`goto error;`

Add OpenBSD's strlcpy and strlcat and replace all strcat/strcpy/strncat/strncpy by those calls. 16 years ago			`strlcpy(s->msg, str, len + 1);`
Initial add of the files. 17 years ago
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks. 16 years ago			`SCFree(str);`
Initial add of the files. 17 years ago			`return 0;`

added support for escapes inside of msg keyword 16 years ago			`error:`
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks. 16 years ago			`SCFree(str);`
added support for escapes inside of msg keyword 16 years ago			`return -1;`
			`}`
detct-msg changes and unittests 16 years ago
			`/* -------------------------------------Unittests-----------------------------*/`

			`#ifdef UNITTESTS`
			`static int DetectMsgParseTest01(void)`
			`{`
			`int result = 0;`
			`Signature *sig = NULL;`
			`char *teststringparsed = "flow stateless to_server";`
			`DetectEngineCtx *de_ctx = DetectEngineCtxInit();`
			`if (de_ctx == NULL)`
			`goto end;`

Modify the classification config tests to use the buffer than a temp file and also fix an invalid free 16 years ago			`SCClassConfGenerateValidDummyClassConfigFD01();`
Support for Classtype keyword and Classification Config file 16 years ago			`SCClassConfLoadClassficationConfigFile(de_ctx);`
Modify the classification config tests to use the buffer than a temp file and also fix an invalid free 16 years ago			`SCClassConfDeleteDummyClassificationConfigFD();`
Support for Classtype keyword and Classification Config file 16 years ago
detct-msg changes and unittests 16 years ago			`sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"flow stateless to_server\"; flow:stateless,to_server; content:\"flowstatelesscheck\"; classtype:bad-unknown; sid: 40000002; rev: 1;)");`
			`if(sig == NULL)`
			`goto end;`

Fix msg parsing. 16 years ago			`if (strcmp(sig->msg, teststringparsed) != 0) {`
			`printf("got \"%s\", expected: \"%s\": ", sig->msg, teststringparsed);`
detct-msg changes and unittests 16 years ago			`goto end;`
			`}`

Fix msg parsing. 16 years ago			`result = 1;`
detct-msg changes and unittests 16 years ago			`end:`
Fix msg parsing. 16 years ago			`if (sig != NULL)`
			`SigFree(sig);`
			`if (de_ctx != NULL)`
			`DetectEngineCtxFree(de_ctx);`
detct-msg changes and unittests 16 years ago			`return result;`
			`}`

			`static int DetectMsgParseTest02(void)`
			`{`
			`int result = 0;`
			`Signature *sig = NULL;`
			`char *teststringparsed = "msg escape tests wxy'\"\\;:";`
			`DetectEngineCtx *de_ctx = DetectEngineCtxInit();`
			`if (de_ctx == NULL)`
			`goto end;`

			`sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"msg escape tests \\w\\x\\y\\'\\\"\\\\;\\:\"; flow:to_server,established; content:\"blah\"; uricontent:\"/blah/\"; sid: 100;)");`
			`if(sig == NULL)`
			`goto end;`

Fix msg parsing. 16 years ago			`if (strcmp(sig->msg, teststringparsed) != 0) {`
			`printf("got \"%s\", expected: \"%s\": ",sig->msg, teststringparsed);`
detct-msg changes and unittests 16 years ago			`goto end;`
			`}`

Fix msg parsing. 16 years ago			`result = 1;`
detct-msg changes and unittests 16 years ago			`end:`
Fix msg parsing. 16 years ago			`if (sig != NULL)`
			`SigFree(sig);`
			`if (de_ctx != NULL)`
			`DetectEngineCtxFree(de_ctx);`
detct-msg changes and unittests 16 years ago			`return result;`
			`}`

			`#endif /* UNITTESTS */`

			`/**`
			`* \brief this function registers unit tests for DetectMsg`
			`*/`
			`void DetectMsgRegisterTests(void) {`
			`#ifdef UNITTESTS /* UNITTESTS */`
			`UtRegisterTest("DetectMsgParseTest01", DetectMsgParseTest01, 1);`
			`UtRegisterTest("DetectMsgParseTest02", DetectMsgParseTest02, 1);`
			`#endif /* UNITTESTS */`
			`}`