|
|
|
|
/* Copyright (C) 2020 Open Information Security Foundation
|
|
|
|
|
*
|
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
|
* Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
|
|
|
* 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \file
|
|
|
|
|
*
|
|
|
|
|
* \author Philippe Antoine <p.antoine@catenacyber.fr>
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "suricata-common.h"
|
|
|
|
|
|
|
|
|
|
#include "util-byte.h"
|
|
|
|
|
#include "detect-parse.h"
|
|
|
|
|
#include "detect-engine-uint.h"
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Regex for parsing our options
|
|
|
|
|
*/
|
|
|
|
|
#define PARSE_REGEX "^\\s*([0-9]*)?\\s*([<>=-]+)?\\s*([0-9]+)?\\s*$"
|
|
|
|
|
|
|
|
|
|
static DetectParseRegex uint_pcre;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
int DetectU32Match(const uint32_t parg, const DetectU32Data *du32)
|
|
|
|
|
{
|
|
|
|
|
switch (du32->mode) {
|
|
|
|
|
case DETECT_UINT_EQ:
|
|
|
|
|
if (parg == du32->arg1) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
case DETECT_UINT_LT:
|
|
|
|
|
if (parg < du32->arg1) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
case DETECT_UINT_LTE:
|
|
|
|
|
if (parg <= du32->arg1) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
case DETECT_UINT_GT:
|
|
|
|
|
if (parg > du32->arg1) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
case DETECT_UINT_GTE:
|
|
|
|
|
if (parg >= du32->arg1) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
case DETECT_UINT_RA:
|
|
|
|
|
if (parg > du32->arg1 && parg < du32->arg2) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
default:
|
|
|
|
|
BUG_ON("unknown mode");
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief This function is used to parse u32 options passed via some u32 keyword
|
|
|
|
|
*
|
|
|
|
|
* \param u32str Pointer to the user provided u32 options
|
|
|
|
|
*
|
|
|
|
|
* \retval DetectU32Data pointer to DetectU32Data on success
|
|
|
|
|
* \retval NULL on failure
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
DetectU32Data *DetectU32Parse (const char *u32str)
|
|
|
|
|
{
|
|
|
|
|
/* We initialize these to please static checkers, these values will
|
|
|
|
|
either be updated or not used later on */
|
|
|
|
|
DetectU32Data u32da = {0, 0, 0};
|
|
|
|
|
DetectU32Data *u32d = NULL;
|
|
|
|
|
char arg1[16] = "";
|
|
|
|
|
char arg2[16] = "";
|
|
|
|
|
char arg3[16] = "";
|
|
|
|
|
|
|
|
|
|
int ret = 0, res = 0;
|
|
|
|
|
size_t pcre2len;
|
|
|
|
|
|
|
|
|
|
ret = DetectParsePcreExec(&uint_pcre, u32str, 0, 0);
|
|
|
|
|
if (ret < 2 || ret > 4) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 "", ret);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pcre2len = sizeof(arg1);
|
|
|
|
|
res = pcre2_substring_copy_bynumber(uint_pcre.match, 1, (PCRE2_UCHAR8 *)arg1, &pcre2len);
|
|
|
|
|
if (res < 0) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre2_substring_copy_bynumber failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
SCLogDebug("Arg1 \"%s\"", arg1);
|
|
|
|
|
|
|
|
|
|
if (ret >= 3) {
|
|
|
|
|
pcre2len = sizeof(arg2);
|
|
|
|
|
res = pcre2_substring_copy_bynumber(uint_pcre.match, 2, (PCRE2_UCHAR8 *)arg2, &pcre2len);
|
|
|
|
|
if (res < 0) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre2_substring_copy_bynumber failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
SCLogDebug("Arg2 \"%s\"", arg2);
|
|
|
|
|
|
|
|
|
|
if (ret >= 4) {
|
|
|
|
|
pcre2len = sizeof(arg3);
|
|
|
|
|
res = pcre2_substring_copy_bynumber(
|
|
|
|
|
uint_pcre.match, 3, (PCRE2_UCHAR8 *)arg3, &pcre2len);
|
|
|
|
|
if (res < 0) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre2_substring_copy_bynumber failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
SCLogDebug("Arg3 \"%s\"", arg3);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (strlen(arg2) > 0) {
|
|
|
|
|
/*set the values*/
|
|
|
|
|
switch(arg2[0]) {
|
|
|
|
|
case '<':
|
|
|
|
|
case '>':
|
|
|
|
|
if (strlen(arg3) == 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg3), arg3) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCLogDebug("u32 is %"PRIu32"",u32da.arg1);
|
|
|
|
|
if (strlen(arg1) > 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (arg2[0] == '<') {
|
|
|
|
|
if (arg2[1] == '=') {
|
|
|
|
|
u32da.mode = DETECT_UINT_LTE;
|
|
|
|
|
} else {
|
|
|
|
|
u32da.mode = DETECT_UINT_LT;
|
|
|
|
|
}
|
|
|
|
|
} else { // arg2[0] == '>'
|
|
|
|
|
if (arg2[1] == '=') {
|
|
|
|
|
u32da.mode = DETECT_UINT_GTE;
|
|
|
|
|
} else {
|
|
|
|
|
u32da.mode = DETECT_UINT_GT;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case '-':
|
|
|
|
|
if (strlen(arg1)== 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
if (strlen(arg3)== 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
u32da.mode = DETECT_UINT_RA;
|
|
|
|
|
if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
if (ByteExtractStringUint32(&u32da.arg2, 10, strlen(arg3), arg3) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCLogDebug("u32 is %"PRIu32" to %"PRIu32"", u32da.arg1, u32da.arg2);
|
|
|
|
|
if (u32da.arg1 >= u32da.arg2) {
|
|
|
|
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid u32 range. ");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
u32da.mode = DETECT_UINT_EQ;
|
|
|
|
|
|
|
|
|
|
if (strlen(arg2) > 0 ||
|
|
|
|
|
strlen(arg3) > 0 ||
|
|
|
|
|
strlen(arg1) == 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
u32da.mode = DETECT_UINT_EQ;
|
|
|
|
|
|
|
|
|
|
if (strlen(arg3) > 0 ||
|
|
|
|
|
strlen(arg1) == 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
u32d = SCCalloc(1, sizeof (DetectU32Data));
|
|
|
|
|
if (unlikely(u32d == NULL))
|
|
|
|
|
return NULL;
|
|
|
|
|
u32d->arg1 = u32da.arg1;
|
|
|
|
|
u32d->arg2 = u32da.arg2;
|
|
|
|
|
u32d->mode = u32da.mode;
|
|
|
|
|
|
|
|
|
|
return u32d;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
PrefilterPacketU32Set(PrefilterPacketHeaderValue *v, void *smctx)
|
|
|
|
|
{
|
|
|
|
|
const DetectU32Data *a = smctx;
|
|
|
|
|
v->u8[0] = a->mode;
|
|
|
|
|
v->u32[1] = a->arg1;
|
|
|
|
|
v->u32[2] = a->arg2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool
|
|
|
|
|
PrefilterPacketU32Compare(PrefilterPacketHeaderValue v, void *smctx)
|
|
|
|
|
{
|
|
|
|
|
const DetectU32Data *a = smctx;
|
|
|
|
|
if (v.u8[0] == a->mode &&
|
|
|
|
|
v.u32[1] == a->arg1 &&
|
|
|
|
|
v.u32[2] == a->arg2)
|
|
|
|
|
return true;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool g_detect_uint_registered = false;
|
|
|
|
|
|
|
|
|
|
void DetectUintRegister(void)
|
|
|
|
|
{
|
|
|
|
|
if (g_detect_uint_registered == false) {
|
|
|
|
|
// register only once
|
|
|
|
|
DetectSetupParseRegexes(PARSE_REGEX, &uint_pcre);
|
|
|
|
|
g_detect_uint_registered = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//same as u32 but with u8
|
|
|
|
|
int DetectU8Match(const uint8_t parg, const DetectU8Data *du8)
|
|
|
|
|
{
|
|
|
|
|
switch (du8->mode) {
|
|
|
|
|
case DETECT_UINT_EQ:
|
|
|
|
|
if (parg == du8->arg1) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
case DETECT_UINT_LT:
|
|
|
|
|
if (parg < du8->arg1) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
case DETECT_UINT_LTE:
|
|
|
|
|
if (parg <= du8->arg1) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
case DETECT_UINT_GT:
|
|
|
|
|
if (parg > du8->arg1) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
case DETECT_UINT_GTE:
|
|
|
|
|
if (parg >= du8->arg1) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
case DETECT_UINT_RA:
|
|
|
|
|
if (parg > du8->arg1 && parg < du8->arg2) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
default:
|
|
|
|
|
BUG_ON("unknown mode");
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief This function is used to parse u8 options passed via some u8 keyword
|
|
|
|
|
*
|
|
|
|
|
* \param u8str Pointer to the user provided u8 options
|
|
|
|
|
*
|
|
|
|
|
* \retval DetectU8Data pointer to DetectU8Data on success
|
|
|
|
|
* \retval NULL on failure
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
DetectU8Data *DetectU8Parse (const char *u8str)
|
|
|
|
|
{
|
|
|
|
|
/* We initialize these to please static checkers, these values will
|
|
|
|
|
either be updated or not used later on */
|
|
|
|
|
DetectU8Data u8da = {0, 0, 0};
|
|
|
|
|
DetectU8Data *u8d = NULL;
|
|
|
|
|
char arg1[16] = "";
|
|
|
|
|
char arg2[16] = "";
|
|
|
|
|
char arg3[16] = "";
|
|
|
|
|
|
|
|
|
|
int ret = 0, res = 0;
|
|
|
|
|
size_t pcre2len;
|
|
|
|
|
|
|
|
|
|
ret = DetectParsePcreExec(&uint_pcre, u8str, 0, 0);
|
|
|
|
|
if (ret < 2 || ret > 4) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 "", ret);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pcre2len = sizeof(arg1);
|
|
|
|
|
res = pcre2_substring_copy_bynumber(uint_pcre.match, 1, (PCRE2_UCHAR8 *)arg1, &pcre2len);
|
|
|
|
|
if (res < 0) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre2_substring_copy_bynumber failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
SCLogDebug("Arg1 \"%s\"", arg1);
|
|
|
|
|
|
|
|
|
|
if (ret >= 3) {
|
|
|
|
|
pcre2len = sizeof(arg2);
|
|
|
|
|
res = pcre2_substring_copy_bynumber(uint_pcre.match, 2, (PCRE2_UCHAR8 *)arg2, &pcre2len);
|
|
|
|
|
if (res < 0) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre2_substring_copy_bynumber failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
SCLogDebug("Arg2 \"%s\"", arg2);
|
|
|
|
|
|
|
|
|
|
if (ret >= 4) {
|
|
|
|
|
pcre2len = sizeof(arg3);
|
|
|
|
|
res = pcre2_substring_copy_bynumber(
|
|
|
|
|
uint_pcre.match, 3, (PCRE2_UCHAR8 *)arg3, &pcre2len);
|
|
|
|
|
if (res < 0) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre2_substring_copy_bynumber failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
SCLogDebug("Arg3 \"%s\"", arg3);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (strlen(arg2) > 0) {
|
|
|
|
|
/*set the values*/
|
|
|
|
|
switch(arg2[0]) {
|
|
|
|
|
case '<':
|
|
|
|
|
case '>':
|
|
|
|
|
if (StringParseUint8(&u8da.arg1, 10, strlen(arg3), arg3) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint8 failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCLogDebug("u8 is %"PRIu8"",u8da.arg1);
|
|
|
|
|
if (strlen(arg1) > 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (arg2[0] == '<') {
|
|
|
|
|
if (arg2[1] == '=') {
|
|
|
|
|
u8da.mode = DETECT_UINT_LTE;
|
|
|
|
|
} else {
|
|
|
|
|
u8da.mode = DETECT_UINT_LT;
|
|
|
|
|
}
|
|
|
|
|
} else { // arg2[0] == '>'
|
|
|
|
|
if (arg2[1] == '=') {
|
|
|
|
|
u8da.mode = DETECT_UINT_GTE;
|
|
|
|
|
} else {
|
|
|
|
|
u8da.mode = DETECT_UINT_GT;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case '-':
|
|
|
|
|
u8da.mode = DETECT_UINT_RA;
|
|
|
|
|
if (StringParseUint8(&u8da.arg1, 10, strlen(arg1), arg1) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint8 failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
if (StringParseUint8(&u8da.arg2, 10, strlen(arg3), arg3) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint8 failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCLogDebug("u8 is %"PRIu8" to %"PRIu8"", u8da.arg1, u8da.arg2);
|
|
|
|
|
if (u8da.arg1 >= u8da.arg2) {
|
|
|
|
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid u8 range. ");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
u8da.mode = DETECT_UINT_EQ;
|
|
|
|
|
|
|
|
|
|
if (strlen(arg2) > 0 ||
|
|
|
|
|
strlen(arg3) > 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (StringParseUint8(&u8da.arg1, 10, strlen(arg1), arg1) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint8 failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
u8da.mode = DETECT_UINT_EQ;
|
|
|
|
|
|
|
|
|
|
if (strlen(arg3) > 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (StringParseUint8(&u8da.arg1, 10, strlen(arg1), arg1) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint8 failed");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
u8d = SCCalloc(1, sizeof (DetectU8Data));
|
|
|
|
|
if (unlikely(u8d == NULL))
|
|
|
|
|
return NULL;
|
|
|
|
|
u8d->arg1 = u8da.arg1;
|
|
|
|
|
u8d->arg2 = u8da.arg2;
|
|
|
|
|
u8d->mode = u8da.mode;
|
|
|
|
|
|
|
|
|
|
return u8d;
|
|
|
|
|
}
|
