aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect/rfb: move keywords to rust

Browse Source 
Ticket: 7178

On the way, convert rfb.secresult to a generic integer with enumeration
cf ticket 6723
pull/11616/head
Philippe Antoine 1 year ago committed by Victor Julien
parent a673e1913b
commit 62a186ceef
14 changed files with 234 additions and 662 deletions
Show Stats Download Patch File Download Diff File

3
doc/userguide/rules/rfb-keywords.rst
Unescape Escape View File

@ -25,9 +25,12 @@ rfb.secresult
Match on the value of the RFB security result, e.g. ``ok``, ``fail``, ``toomany`` or ``unknown``.
rfb.secresult uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
Examples::
rfb.secresult: ok;
rfb.secresult: !0;
rfb.secresult: unknown;

231
rust/src/rfb/detect.rs
Unescape Escape View File

@ -17,48 +17,239 @@
// Author: Frank Honza <frank.honza@dcso.de>
use crate::rfb::rfb::*;
use super::parser::RFBSecurityResultStatus;
use super::rfb::{RFBTransaction, ALPROTO_RFB};
use crate::detect::uint::{
detect_match_uint, detect_parse_uint_enum, rs_detect_u32_free, rs_detect_u32_parse,
DetectUintData,
};
use crate::detect::{
DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperBufferRegister,
DetectHelperGetData, DetectHelperKeywordRegister, DetectSignatureSetAppProto, SCSigTableElmt,
SigMatchAppendSMToList, SIGMATCH_INFO_STICKY_BUFFER, SIGMATCH_NOOPT,
};
use std::ffi::CStr;
use std::os::raw::{c_int, c_void};
use std::ptr;
#[no_mangle]
pub unsafe extern "C" fn rs_rfb_tx_get_name(
tx: &mut RFBTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
) -> u8 {
unsafe extern "C" fn rfb_name_get_data(
tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, RFBTransaction);
if let Some(ref r) = tx.tc_server_init {
let p = &r.name;
if !p.is_empty() {
*buffer = p.as_ptr();
*buffer_len = p.len() as u32;
return 1;
return true;
}
}
*buffer = ptr::null();
*buffer_len = 0;
return false;
}
return 0;
unsafe extern "C" fn rfb_name_get(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int,
) -> *mut c_void {
return DetectHelperGetData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
rfb_name_get_data,
);
}
#[no_mangle]
pub unsafe extern "C" fn rs_rfb_tx_get_sectype(tx: &mut RFBTransaction, sectype: *mut u32) -> u8 {
if let Some(ref r) = tx.chosen_security_type {
*sectype = *r;
return 1;
static mut G_RFB_NAME_BUFFER_ID: c_int = 0;
static mut G_RFB_SEC_TYPE_KW_ID: c_int = 0;
static mut G_RFB_SEC_TYPE_BUFFER_ID: c_int = 0;
static mut G_RFB_SEC_RESULT_KW_ID: c_int = 0;
static mut G_RFB_SEC_RESULT_BUFFER_ID: c_int = 0;
unsafe extern "C" fn rfb_name_setup(
de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
) -> c_int {
if DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0 {
return -1;
}
if DetectBufferSetActiveList(de, s, G_RFB_NAME_BUFFER_ID) < 0 {
return -1;
}
return 0;
}
*sectype = 0;
unsafe extern "C" fn rfb_sec_type_setup(
de: *mut c_void, s: *mut c_void, raw: *const libc::c_char,
) -> c_int {
if DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0 {
return -1;
}
let ctx = rs_detect_u32_parse(raw) as *mut c_void;
if ctx.is_null() {
return -1;
}
if SigMatchAppendSMToList(de, s, G_RFB_SEC_TYPE_KW_ID, ctx, G_RFB_SEC_TYPE_BUFFER_ID).is_null()
{
rfb_sec_type_free(std::ptr::null_mut(), ctx);
return -1;
}
return 0;
}
fn rfb_sec_type_match_aux(tx: &mut RFBTransaction, ctx: &DetectUintData<u32>) -> c_int {
if let Some(r) = tx.chosen_security_type {
if detect_match_uint(ctx, r) {
return 1;
}
}
return 0;
}
#[no_mangle]
pub unsafe extern "C" fn rs_rfb_tx_get_secresult(
tx: &mut RFBTransaction, secresult: *mut u32,
) -> u8 {
if let Some(ref r) = tx.tc_security_result {
*secresult = r.status;
return 1;
unsafe extern "C" fn rfb_sec_type_match(
_de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void,
_sig: *const c_void, ctx: *const c_void,
) -> c_int {
let ctx = cast_pointer!(ctx, DetectUintData<u32>);
let tx = cast_pointer!(tx, RFBTransaction);
return rfb_sec_type_match_aux(tx, ctx);
}
unsafe extern "C" fn rfb_sec_type_free(_de: *mut c_void, ctx: *mut c_void) {
let ctx = cast_pointer!(ctx, DetectUintData<u32>);
rs_detect_u32_free(ctx);
}
unsafe extern "C" fn rfb_parse_sec_result(
ustr: *const std::os::raw::c_char,
) -> *mut DetectUintData<u8> {
let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
if let Ok(s) = ft_name.to_str() {
if let Some(ctx) = detect_parse_uint_enum::<u32, RFBSecurityResultStatus>(s) {
let boxed = Box::new(ctx);
return Box::into_raw(boxed) as *mut _;
}
}
return std::ptr::null_mut();
}
unsafe extern "C" fn rfb_sec_result_setup(
de: *mut c_void, s: *mut c_void, raw: *const libc::c_char,
) -> c_int {
if DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0 {
return -1;
}
let ctx = rfb_parse_sec_result(raw) as *mut c_void;
if ctx.is_null() {
return -1;
}
if SigMatchAppendSMToList(
de,
s,
G_RFB_SEC_RESULT_KW_ID,
ctx,
G_RFB_SEC_RESULT_BUFFER_ID,
)
.is_null()
{
rfb_sec_result_free(std::ptr::null_mut(), ctx);
return -1;
}
return 0;
}
fn rfb_sec_result_match_aux(tx: &RFBTransaction, ctx: &DetectUintData<u32>) -> c_int {
if let Some(r) = &tx.tc_security_result {
if detect_match_uint(ctx, r.status) {
return 1;
}
}
return 0;
}
unsafe extern "C" fn rfb_sec_result_match(
_de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void,
_sig: *const c_void, ctx: *const c_void,
) -> c_int {
let tx = cast_pointer!(tx, RFBTransaction);
let ctx = cast_pointer!(ctx, DetectUintData<u32>);
return rfb_sec_result_match_aux(tx, ctx);
}
unsafe extern "C" fn rfb_sec_result_free(_de: *mut c_void, ctx: *mut c_void) {
// Just unbox...
let ctx = cast_pointer!(ctx, DetectUintData<u32>);
rs_detect_u32_free(ctx);
}
#[no_mangle]
pub unsafe extern "C" fn ScDetectRfbRegister() {
let kw = SCSigTableElmt {
name: b"rfb.name\0".as_ptr() as *const libc::c_char,
desc: b"sticky buffer to match on the RFB desktop name\0".as_ptr() as *const libc::c_char,
url: b"/rules/rfb-keywords.html#rfb-name\0".as_ptr() as *const libc::c_char,
Setup: rfb_name_setup,
flags: SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER,
AppLayerTxMatch: None,
Free: None,
};
let _g_rfb_name_kw_id = DetectHelperKeywordRegister(&kw);
G_RFB_NAME_BUFFER_ID = DetectHelperBufferMpmRegister(
b"rfb.name\0".as_ptr() as *const libc::c_char,
b"rfb name\0".as_ptr() as *const libc::c_char,
ALPROTO_RFB,
true, //toclient
false,
rfb_name_get,
);
let kw = SCSigTableElmt {
name: b"rfb.sectype\0".as_ptr() as *const libc::c_char,
desc: b"match RFB security type\0".as_ptr() as *const libc::c_char,
url: b"/rules/rfb-keywords.html#rfb-sectype\0".as_ptr() as *const libc::c_char,
AppLayerTxMatch: Some(rfb_sec_type_match),
Setup: rfb_sec_type_setup,
Free: Some(rfb_sec_type_free),
flags: 0,
};
G_RFB_SEC_TYPE_KW_ID = DetectHelperKeywordRegister(&kw);
G_RFB_SEC_TYPE_BUFFER_ID = DetectHelperBufferRegister(
b"rfb.sectype\0".as_ptr() as *const libc::c_char,
ALPROTO_RFB,
false, // only to server
true,
);
let kw = SCSigTableElmt {
name: b"rfb.secresult\0".as_ptr() as *const libc::c_char,
desc: b"match RFB security result\0".as_ptr() as *const libc::c_char,
url: b"/rules/rfb-keywords.html#rfb-secresult\0".as_ptr() as *const libc::c_char,
AppLayerTxMatch: Some(rfb_sec_result_match),
Setup: rfb_sec_result_setup,
Free: Some(rfb_sec_result_free),
flags: 0,
};
G_RFB_SEC_RESULT_KW_ID = DetectHelperKeywordRegister(&kw);
G_RFB_SEC_RESULT_BUFFER_ID = DetectHelperBufferRegister(
b"rfb.secresult\0".as_ptr() as *const libc::c_char,
ALPROTO_RFB,
true, // only to client
false,
);
}
#[cfg(test)]
mod test {
use super::*;
use crate::detect::uint::DetectUintMode;
#[test]
fn test_rfb_parse_sec_result() {
let ctx = detect_parse_uint_enum::<u32, RFBSecurityResultStatus>("fail").unwrap();
assert_eq!(ctx.arg1, 1);
assert_eq!(ctx.mode, DetectUintMode::DetectUintModeEqual);
assert!(detect_parse_uint_enum::<u32, RFBSecurityResultStatus>("invalidopt").is_none());
}
}

15
rust/src/rfb/logger.rs
Unescape Escape View File

@ -17,7 +17,9 @@
// Author: Frank Honza <frank.honza@dcso.de>
use super::parser::RFBSecurityResultStatus;
use super::rfb::RFBTransaction;
use crate::detect::EnumString;
use crate::jsonbuilder::{JsonBuilder, JsonError};
use std;
use std::fmt::Write;
@ -67,15 +69,14 @@ fn log_rfb(tx: &RFBTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> {
_ => (),
}
if let Some(security_result) = &tx.tc_security_result {
let _ = match security_result.status {
0 => js.set_string("security_result", "OK")?,
1 => js.set_string("security-result", "FAIL")?,
2 => js.set_string("security_result", "TOOMANY")?,
_ => js.set_string(
if let Some(status) = RFBSecurityResultStatus::from_u(security_result.status) {
js.set_string("security_result", &status.to_str().to_uppercase())?;
} else {
js.set_string(
"security_result",
&format!("UNKNOWN ({})", security_result.status),
)?,
};
)?;
}
}
js.close()?; // Close authentication.

10
rust/src/rfb/parser.rs
Unescape Escape View File

@ -78,6 +78,16 @@ pub struct ServerSecurityType {
pub security_type: u32,
}
#[derive(Clone, Debug, Default, EnumStringU32)]
#[repr(u32)]
pub enum RFBSecurityResultStatus {
#[default]
Ok = 0,
Fail = 1,
TooMany = 2,
Unknown = 3,
}
pub struct SecurityResult {
pub status: u32,
}

2
rust/src/rfb/rfb.rs
Unescape Escape View File

@ -27,7 +27,7 @@ use nom7::Err;
use std;
use std::ffi::CString;
static mut ALPROTO_RFB: AppProto = ALPROTO_UNKNOWN;
pub(super) static mut ALPROTO_RFB: AppProto = ALPROTO_UNKNOWN;
#[derive(FromPrimitive, Debug, AppLayerEvent)]
pub enum RFBEvent {

6
src/Makefile.am
Unescape Escape View File

@ -259,9 +259,6 @@ noinst_HEADERS = \
detect-replace.h \
detect-requires.h \
detect-rev.h \
detect-rfb-name.h \
detect-rfb-secresult.h \
detect-rfb-sectype.h \
detect-rpc.h \
detect-sameip.h \
detect-sid.h \
@ -842,9 +839,6 @@ libsuricata_c_a_SOURCES = \
detect-replace.c \
detect-requires.c \
detect-rev.c \
detect-rfb-name.c \
detect-rfb-secresult.c \
detect-rfb-sectype.c \
detect-rpc.c \
detect-sameip.c \
detect-sid.c \

7
src/detect-engine-register.c
Unescape Escape View File

@ -208,9 +208,6 @@
#include "detect-sip-stat-msg.h"
#include "detect-sip-request-line.h"
#include "detect-sip-response-line.h"
#include "detect-rfb-secresult.h"
#include "detect-rfb-sectype.h"
#include "detect-rfb-name.h"
#include "detect-target.h"
#include "detect-template-rust-buffer.h"
#include "detect-quic-sni.h"
@ -672,9 +669,6 @@ void SigTableSetup(void)
DetectSipStatMsgRegister();
DetectSipRequestLineRegister();
DetectSipResponseLineRegister();
DetectRfbSecresultRegister();
DetectRfbSectypeRegister();
DetectRfbNameRegister();
DetectTargetRegister();
DetectTemplateRustBufferRegister();
DetectQuicSniRegister();
@ -709,6 +703,7 @@ void SigTableSetup(void)
ScDetectWebsocketRegister();
ScDetectEnipRegister();
ScDetectMqttRegister();
ScDetectRfbRegister();
/* close keyword registration */
DetectBufferTypeCloseRegistration();

3
src/detect-engine-register.h
Unescape Escape View File

@ -280,9 +280,6 @@ enum DetectKeywordId {
DETECT_AL_SIP_STAT_MSG,
DETECT_AL_SIP_REQUEST_LINE,
DETECT_AL_SIP_RESPONSE_LINE,
DETECT_AL_RFB_SECRESULT,
DETECT_AL_RFB_SECTYPE,
DETECT_AL_RFB_NAME,
DETECT_TEMPLATE,
DETECT_TEMPLATE2,
DETECT_IPV4HDR,

110
src/detect-rfb-name.c
Unescape Escape View File

@ -1,110 +0,0 @@
/* Copyright (C) 2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
*
* \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
*/
#include "suricata-common.h"
#include "threads.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-prefilter.h"
#include "detect-urilen.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-spm.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "detect-rfb-name.h"
#include "stream-tcp.h"
#include "rust.h"
#include "app-layer-rfb.h"
#include "rust-bindings.h"
#define KEYWORD_NAME "rfb.name"
#define KEYWORD_DOC "rfb-keywords.html#rfb-name";
#define BUFFER_NAME "rfb.name"
#define BUFFER_DESC "rfb name"
static int g_buffer_id = 0;
static int DetectRfbNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_RFB) < 0)
return -1;
return 0;
}
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *_f,
const uint8_t _flow_flags, void *txv, const int list_id)
{
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
if (buffer->inspect == NULL) {
const uint8_t *b = NULL;
uint32_t b_len = 0;
if (rs_rfb_tx_get_name(txv, &b, &b_len) != 1)
return NULL;
if (b == NULL || b_len == 0)
return NULL;
InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
void DetectRfbNameRegister(void)
{
sigmatch_table[DETECT_AL_RFB_NAME].name = KEYWORD_NAME;
sigmatch_table[DETECT_AL_RFB_NAME].url = "/rules/" KEYWORD_DOC
sigmatch_table[DETECT_AL_RFB_NAME].desc = "sticky buffer to match on the RFB desktop name";
sigmatch_table[DETECT_AL_RFB_NAME].Setup = DetectRfbNameSetup;
sigmatch_table[DETECT_AL_RFB_NAME].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_RFB, SIG_FLAG_TOCLIENT, 1,
DetectEngineInspectBufferGeneric, GetData);
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 1, PrefilterGenericMpmRegister,
GetData, ALPROTO_RFB, 1);
DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
SCLogDebug("registering " BUFFER_NAME " rule option");
}

29
src/detect-rfb-name.h
Unescape Escape View File

@ -1,29 +0,0 @@
/* Copyright (C) 2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Frank Honza
*/
#ifndef SURICATA_DETECT_RFB_NAME_H
#define SURICATA_DETECT_RFB_NAME_H
void DetectRfbNameRegister(void);
#endif /* SURICATA_DETECT_RFB_NAME_H */

285
src/detect-rfb-secresult.c
Unescape Escape View File

@ -1,285 +0,0 @@
/* Copyright (C) 2020-2021 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
*/
#include "suricata-common.h"
#include "conf.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-content-inspection.h"
#include "detect-rfb-secresult.h"
#include "util-unittest.h"
#include "rust.h"
#define PARSE_REGEX "\\S[A-z]"
static DetectParseRegex parse_regex;
static int rfb_secresult_id = 0;
static int DetectRfbSecresultMatch(DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state,
void *txv, const Signature *s,
const SigMatchCtx *ctx);
static int DetectRfbSecresultSetup (DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void RfbSecresultRegisterTests(void);
#endif
void DetectRfbSecresultFree(DetectEngineCtx *, void *);
typedef struct DetectRfbSecresultData_ {
uint32_t result; /** result code */
} DetectRfbSecresultData;
/**
* \brief Registration function for rfb.secresult: keyword
*/
void DetectRfbSecresultRegister (void)
{
sigmatch_table[DETECT_AL_RFB_SECRESULT].name = "rfb.secresult";
sigmatch_table[DETECT_AL_RFB_SECRESULT].desc = "match RFB security result";
sigmatch_table[DETECT_AL_RFB_SECRESULT].url = "/rules/rfb-keywords.html#rfb-secresult";
sigmatch_table[DETECT_AL_RFB_SECRESULT].AppLayerTxMatch = DetectRfbSecresultMatch;
sigmatch_table[DETECT_AL_RFB_SECRESULT].Setup = DetectRfbSecresultSetup;
sigmatch_table[DETECT_AL_RFB_SECRESULT].Free = DetectRfbSecresultFree;
#ifdef UNITTESTS
sigmatch_table[DETECT_AL_RFB_SECRESULT].RegisterTests = RfbSecresultRegisterTests;
#endif
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
DetectAppLayerInspectEngineRegister("rfb.secresult", ALPROTO_RFB, SIG_FLAG_TOCLIENT, 1,
DetectEngineInspectGenericList, NULL);
rfb_secresult_id = DetectBufferTypeGetByName("rfb.secresult");
}
enum {
RFB_SECRESULT_OK = 0,
RFB_SECRESULT_FAIL,
RFB_SECRESULT_TOOMANY,
RFB_SECRESULT_UNKNOWN
};
/**
* \struct DetectRfbSecresult_
* DetectRfbSecresult_ is used to store values
*/
struct DetectRfbSecresult_ {
const char *result;
uint16_t code;
} results[] = {
{ "ok", RFB_SECRESULT_OK, },
{ "fail", RFB_SECRESULT_FAIL, },
{ "toomany", RFB_SECRESULT_TOOMANY, },
{ "unknown", RFB_SECRESULT_UNKNOWN, },
{ NULL, 0 },
};
/**
* \internal
* \brief Function to match security result of a RFB TX
*
* \param det_ctx Pointer to the pattern matcher thread.
* \param f Pointer to the current flow.
* \param flags Flags.
* \param state App layer state.
* \param txv Pointer to the RFBTransaction.
* \param s Pointer to the Signature.
* \param ctx Pointer to the sigmatch that we will cast into DetectRfbSecresultData.
*
* \retval 0 no match.
* \retval 1 match.
*/
static int DetectRfbSecresultMatch(DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state,
void *txv, const Signature *s,
const SigMatchCtx *ctx)
{
const DetectRfbSecresultData *de = (const DetectRfbSecresultData *)ctx;
uint32_t resultcode;
int ret = 0;
if (!de)
return 0;
ret = rs_rfb_tx_get_secresult(txv, &resultcode);
if (ret == 0) {
return 0;
}
if (de->result < 3) {
/* we are asking for a defined code... */
if (resultcode == de->result) {
/* ... which needs to match */
return 1;
}
} else {
/* we are asking for an unknown code */
if (resultcode > 2) {
/* match any unknown code */
return 1;
}
}
return 0;
}
/**
* \internal
* \brief This function is used to parse options passed via rfb.secresults: keyword
*
* \param rawstr Pointer to the user provided secresult options
*
* \retval de pointer to DetectRfbSecresultData on success
* \retval NULL on failure
*/
static DetectRfbSecresultData *DetectRfbSecresultParse (const char *rawstr)
{
int i;
DetectRfbSecresultData *de = NULL;
int found = 0;
pcre2_match_data *match = NULL;
int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
if (ret < 1) {
SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
goto error;
}
for(i = 0; results[i].result != NULL; i++) {
if((strcasecmp(results[i].result,rawstr)) == 0) {
found = 1;
break;
}
}
if(found == 0) {
SCLogError("unknown secresult value %s", rawstr);
goto error;
}
de = SCMalloc(sizeof(DetectRfbSecresultData));
if (unlikely(de == NULL))
goto error;
de->result = results[i].code;
pcre2_match_data_free(match);
return de;
error:
if (match) {
pcre2_match_data_free(match);
}
if (de) SCFree(de);
return NULL;
}
/**
* \internal
* \brief this function is used to add the parsed secresult into the current signature
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param rawstr pointer to the user provided secresult options
*
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectRfbSecresultSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
{
DetectRfbSecresultData *de = NULL;
if (DetectSignatureSetAppProto(s, ALPROTO_RFB) < 0)
return -1;
de = DetectRfbSecresultParse(rawstr);
if (de == NULL)
goto error;
if (SigMatchAppendSMToList(
de_ctx, s, DETECT_AL_RFB_SECRESULT, (SigMatchCtx *)de, rfb_secresult_id) == NULL) {
goto error;
}
return 0;
error:
if (de)
SCFree(de);
return -1;
}
/**
* \internal
* \brief this function will free memory associated with DetectRfbSecresultData
*
* \param de pointer to DetectRfbSecresultData
*/
void DetectRfbSecresultFree(DetectEngineCtx *de_ctx, void *de_ptr)
{
DetectRfbSecresultData *de = (DetectRfbSecresultData *)de_ptr;
if(de) SCFree(de);
}
/*
* ONLY TESTS BELOW THIS COMMENT
*/
#ifdef UNITTESTS
/**
* \test RfbSecresultTestParse01 is a test for a valid secresult value
*/
static int RfbSecresultTestParse01 (void)
{
DetectRfbSecresultData *de = DetectRfbSecresultParse("fail");
FAIL_IF_NULL(de);
DetectRfbSecresultFree(NULL, de);
PASS;
}
/**
* \test RfbSecresultTestParse02 is a test for an invalid secresult value
*/
static int RfbSecresultTestParse02 (void)
{
DetectRfbSecresultData *de = DetectRfbSecresultParse("invalidopt");
FAIL_IF_NOT_NULL(de);
PASS;
}
/**
* \brief this function registers unit tests for RfbSecresult
*/
void RfbSecresultRegisterTests(void)
{
UtRegisterTest("RfbSecresultTestParse01", RfbSecresultTestParse01);
UtRegisterTest("RfbSecresultTestParse02", RfbSecresultTestParse02);
}
#endif /* UNITTESTS */

29
src/detect-rfb-secresult.h
Unescape Escape View File

@ -1,29 +0,0 @@
/* Copyright (C) 2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
*/
#ifndef SURICATA_DETECT_RFB_SECRESULT_H
#define SURICATA_DETECT_RFB_SECRESULT_H
void DetectRfbSecresultRegister(void);
#endif /*SURICATA_DETECT_RFB_SECRESULT_H */

137
src/detect-rfb-sectype.c
Unescape Escape View File

@ -1,137 +0,0 @@
/* Copyright (C) 2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
*
* \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
*/
#include "suricata-common.h"
#include "conf.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-content-inspection.h"
#include "detect-rfb-sectype.h"
#include "detect-engine-uint.h"
#include "app-layer-parser.h"
#include "util-byte.h"
#include "rust-bindings.h"
static int DetectRfbSectypeSetup (DetectEngineCtx *, Signature *s, const char *str);
static void DetectRfbSectypeFree(DetectEngineCtx *, void *);
static int g_rfb_sectype_buffer_id = 0;
static int DetectRfbSectypeMatch (DetectEngineThreadCtx *, Flow *,
uint8_t, void *, void *, const Signature *,
const SigMatchCtx *);
/**
* \brief Registration function for rfb.sectype keyword.
*/
void DetectRfbSectypeRegister (void)
{
sigmatch_table[DETECT_AL_RFB_SECTYPE].name = "rfb.sectype";
sigmatch_table[DETECT_AL_RFB_SECTYPE].desc = "match RFB security type";
sigmatch_table[DETECT_AL_RFB_SECTYPE].url = "/rules/rfb-keywords.html#rfb-sectype";
sigmatch_table[DETECT_AL_RFB_SECTYPE].AppLayerTxMatch = DetectRfbSectypeMatch;
sigmatch_table[DETECT_AL_RFB_SECTYPE].Setup = DetectRfbSectypeSetup;
sigmatch_table[DETECT_AL_RFB_SECTYPE].Free = DetectRfbSectypeFree;
DetectAppLayerInspectEngineRegister(
"rfb.sectype", ALPROTO_RFB, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL);
g_rfb_sectype_buffer_id = DetectBufferTypeGetByName("rfb.sectype");
}
/**
* \internal
* \brief Function to match security type of a RFB TX
*
* \param det_ctx Pointer to the pattern matcher thread.
* \param f Pointer to the current flow.
* \param flags Flags.
* \param state App layer state.
* \param txv Pointer to the RFBTransaction.
* \param s Pointer to the Signature.
* \param ctx Pointer to the sigmatch that we will cast into DetectU32Data.
*
* \retval 0 no match.
* \retval 1 match.
*/
static int DetectRfbSectypeMatch (DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state,
void *txv, const Signature *s,
const SigMatchCtx *ctx)
{
SCEnter();
const DetectU32Data *dd = (const DetectU32Data *)ctx;
uint32_t version;
rs_rfb_tx_get_sectype(txv, &version);
if (DetectU32Match(version, dd))
SCReturnInt(1);
SCReturnInt(0);
}
/**
* \brief Function to add the parsed RFB security type field into the current signature.
*
* \param de_ctx Pointer to the Detection Engine Context.
* \param s Pointer to the Current Signature.
* \param rawstr Pointer to the user provided flags options.
*
* \retval 0 on Success.
* \retval -1 on Failure.
*/
static int DetectRfbSectypeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
{
if (DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0)
return -1;
DetectU32Data *dd = DetectU32Parse(rawstr);
if (dd == NULL) {
SCLogError("Parsing \'%s\' failed", rawstr);
return -1;
}
/* okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_RFB_SECTYPE, (SigMatchCtx *)dd,
g_rfb_sectype_buffer_id) == NULL) {
goto error;
}
return 0;
error:
DetectRfbSectypeFree(de_ctx, dd);
return -1;
}
/**
* \internal
* \brief Function to free memory associated with DetectU32Data.
*
* \param de_ptr Pointer to DetectU32Data.
*/
static void DetectRfbSectypeFree(DetectEngineCtx *de_ctx, void *ptr)
{
rs_detect_u32_free(ptr);
}

29
src/detect-rfb-sectype.h
Unescape Escape View File

@ -1,29 +0,0 @@
/* Copyright (C) 2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
*/
#ifndef SURICATA_DETECT_RFB_SECTYPE_H
#define SURICATA_DETECT_RFB_SECTYPE_H
void DetectRfbSectypeRegister(void);
#endif /* SURICATA_DETECT_RFB_SECTYPE_H */
Write Preview
Loading…
Cancel
Save