diff --git a/src/Makefile.am b/src/Makefile.am index 6f98d9f604..1e7314ebed 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -111,6 +111,7 @@ detect-flags.c detect-flags.h \ detect-fragbits.c detect-fragbits.h \ detect-fragoffset.c detect-fragoffset.h \ detect-gid.c detect-gid.h \ +detect-mark.c detect-mark.h \ detect-noalert.c detect-noalert.h \ detect-csum.c detect-csum.h \ detect-ttl.c detect-ttl.h \ diff --git a/src/decode.h b/src/decode.h index 4b7592002e..f8cbc3a3ac 100644 --- a/src/decode.h +++ b/src/decode.h @@ -813,6 +813,7 @@ void AddressDebugPrint(Address *); #define PKT_HAS_FLOW 0x0080 #define PKT_PSEUDO_STREAM_END 0x0100 /**< Pseudo packet to end the stream */ #define PKT_STREAM_MODIFIED 0x0200 /**< Packet is modified by the stream engine, we need to recalc the csum and reinject/replace */ +#define PKT_MARK_MODIFIED 0x0400 /**< Packet mark is modified */ /** \brief return 1 if the packet is a pseudo packet */ #define PKT_IS_PSEUDOPKT(p) ((p)->flags & PKT_PSEUDO_STREAM_END) diff --git a/src/detect-mark.c b/src/detect-mark.c new file mode 100644 index 0000000000..4838522276 --- /dev/null +++ b/src/detect-mark.c @@ -0,0 +1,347 @@ +/* Copyright (C) 2011 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Eric Leblond + * + * Implements the mark keyword. Based on detect-gid + * by Breno Silva + */ + +#include "suricata-common.h" +#include "suricata.h" +#include "decode.h" +#include "detect.h" +#include "flow-var.h" +#include "decode-events.h" + +#include "detect-mark.h" +#include "detect-parse.h" + +#include "util-unittest.h" +#include "util-debug.h" + +#define PARSE_REGEX "([0x]*[0-9a-f]+)/([0x]*[0-9a-f]+)" + +static pcre *parse_regex; +static pcre_extra *parse_regex_study; + +static int DetectMarkSetup (DetectEngineCtx *, Signature *, char *); +int DetectMarkPacket(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m); +void DetectMarkDataFree(void *ptr); + +/** + * \brief Registration function for nfq_set_mark: keyword + */ + +void DetectMarkRegister (void) { + sigmatch_table[DETECT_MARK].name = "nfq_set_mark"; + sigmatch_table[DETECT_MARK].Match = DetectMarkPacket; + sigmatch_table[DETECT_MARK].Setup = DetectMarkSetup; + sigmatch_table[DETECT_MARK].Free = DetectMarkDataFree; + sigmatch_table[DETECT_MARK].RegisterTests = MarkRegisterTests; + + const char *eb; + int opts = 0; + int eo; + + parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL); + if(parse_regex == NULL) + { + SCLogError(SC_ERR_PCRE_COMPILE, "pcre compile of \"%s\" failed at offset %" PRId32 ": %s", PARSE_REGEX, eo, eb); + goto error; + } + + parse_regex_study = pcre_study(parse_regex, 0, &eb); + if(eb != NULL) + { + SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb); + goto error; + } + +error: + return; + +} + +#ifdef NFQ +/** + * \internal + * \brief This function is used to parse mark options passed via mark: keyword + * + * \param rawstr Pointer to the user provided mark options + * + * \retval 0 on success + * \retval < 0 on failure + */ +static void * DetectMarkParse (char *rawstr) +{ + int ret = 0, res = 0; +#define MAX_SUBSTRINGS 30 + int ov[MAX_SUBSTRINGS]; + const char *str_ptr = NULL; + char *ptr = NULL; + char *endptr = NULL; + uint32_t mark; + uint32_t mask; + DetectMarkData *data; + + ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS); + if (ret < 1) { + SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr); + return NULL; + } + + res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr); + if (res < 0) { + SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); + return NULL; + } + + ptr = (char *)str_ptr; + + if (ptr == NULL) + return NULL; + + errno = 0; + mark = strtoul(ptr, &endptr, 0); + if (errno == ERANGE) { + SCLogError(SC_ERR_NUMERIC_VALUE_ERANGE, "Numeric value out of range"); + SCFree(ptr); + return NULL; + } /* If there is no numeric value in the given string then strtoull(), makes + endptr equals to ptr and return 0 as result */ + else if (endptr == ptr && mark == 0) { + SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "No numeric value"); + SCFree(ptr); + return NULL; + } else if (endptr == ptr) { + SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "Invalid numeric value"); + SCFree(ptr); + return NULL; + } + + res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr); + if (res < 0) { + SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); + return NULL; + } + + SCFree(ptr); + ptr = (char *)str_ptr; + + if (ptr == NULL) { + data = SCMalloc(sizeof(DetectMarkData)); + if (data == NULL) { + return NULL; + } + data->mark = mark; + data->mask = 0xffff; + return data; + } + + errno = 0; + mask = strtoul(ptr, &endptr, 0); + if (errno == ERANGE) { + SCLogError(SC_ERR_NUMERIC_VALUE_ERANGE, "Numeric value out of range"); + SCFree(ptr); + return NULL; + } /* If there is no numeric value in the given string then strtoull(), makes + endptr equals to ptr and return 0 as result */ + else if (endptr == ptr && mask == 0) { + SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "No numeric value"); + SCFree(ptr); + return NULL; + } + else if (endptr == ptr) { + SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "Invalid numeric value"); + SCFree(ptr); + return NULL; + } + + SCLogDebug("Rule will set mark 0x%x with mask 0x%x", mark, mask); + SCFree(ptr); + + data = SCMalloc(sizeof(DetectMarkData)); + if (data == NULL) { + return NULL; + } + data->mark = mark; + data->mask = mask; + return data; +} + +#endif /* NFQ */ + +/** + * \internal + * \brief this function is used to add the parsed mark into the current signature + * + * \param de_ctx pointer to the Detection Engine Context + * \param s pointer to the Current Signature + * \param rawstr pointer to the user provided mark options + * + * \retval 0 on Success + * \retval -1 on Failure + */ +static int DetectMarkSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) +{ +#ifdef NFQ + DetectMarkData *data = NULL; + SigMatch *sm = NULL; + + data = DetectMarkParse(rawstr); + + if (data == NULL) { + return -1; + } else { + sm = SigMatchAlloc(); + if (sm == NULL) { + DetectMarkDataFree(data); + return -1; + } + + sm->type = DETECT_MARK; + sm->ctx = (void *)data; + + /* Append it to the list of tags */ + SigMatchAppendTag(s, sm); + return 0; + } +#else + return 0; +#endif +} + +void DetectMarkDataFree(void *ptr) +{ + DetectMarkData *data = (DetectMarkData *)ptr; + SCFree(data); +} + + +int DetectMarkPacket(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m) +{ + DetectMarkData *nf_data = (DetectMarkData *) m->ctx; +#ifdef NFQ + if (nf_data->mask) { + p->nfq_v.mark = (nf_data->mark & nf_data->mask) + | (p->nfq_v.mark & ~(nf_data->mask)); + p->flags |= PKT_MARK_MODIFIED; + } +#endif + return 1; +} + +/* + * ONLY TESTS BELOW THIS COMMENT + */ + +#if defined UNITTESTS && defined NFQ +/** + * \test MarkTestParse01 is a test for a valid mark value + * + * \retval 1 on succces + * \retval 0 on failure + */ +static int MarkTestParse01 (void) { + DetectMarkData *data; + + data = DetectMarkParse("1/1"); + + if (data == NULL) { + return 0; + } + + DetectMarkDataFree(data); + return 1; +} + +/** + * \test MarkTestParse02 is a test for an invalid mark value + * + * \retval 1 on succces + * \retval 0 on failure + */ +static int MarkTestParse02 (void) { + DetectMarkData *data; + + data = DetectMarkParse("4"); + + if (data == NULL) { + return 0; + } + + DetectMarkDataFree(data); + return 1; +} + +/** + * \test MarkTestParse03 is a test for a valid mark value + * + * \retval 1 on succces + * \retval 0 on failure + */ +static int MarkTestParse03 (void) { + DetectMarkData *data; + + data = DetectMarkParse("0x10/0xff"); + + if (data == NULL) { + return 0; + } + + DetectMarkDataFree(data); + return 1; +} + +/** + * \test MarkTestParse04 is a test for a invalid mark value + * + * \retval 1 on succces + * \retval 0 on failure + */ +static int MarkTestParse04 (void) { + DetectMarkData *data; + + data = DetectMarkParse("0x1g/0xff"); + + if (data == NULL) { + return 0; + } + + DetectMarkDataFree(data); + return 1; +} + + + +#endif /* UNITTESTS */ + +/** + * \brief this function registers unit tests for Mark + */ +void MarkRegisterTests(void) { +#if defined UNITTESTS && defined NFQ + UtRegisterTest("MarkTestParse01", MarkTestParse01, 1); + UtRegisterTest("MarkTestParse02", MarkTestParse02, 0); + UtRegisterTest("MarkTestParse03", MarkTestParse03, 1); + UtRegisterTest("MarkTestParse04", MarkTestParse04, 0); +#endif /* UNITTESTS */ +} diff --git a/src/detect-mark.h b/src/detect-mark.h new file mode 100644 index 0000000000..3c3b8593d5 --- /dev/null +++ b/src/detect-mark.h @@ -0,0 +1,61 @@ +/* Copyright (C) 2011 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Eric Leblond + * + * Based on detect-mark.h by Breno Silva + * + * Implements the nfq_set_mark keyword + */ + +#ifndef __DETECT_MARK_H__ +#define __DETECT_MARK_H__ + +#include "decode.h" +#include "detect.h" + +/** + * \struct DetectMarkData_ + * DetectMarkData_ is used to store nfq_set_mark: input value + */ + +/** + * \typedef DetectMarkData + * A typedef for DetectMarkData_ + */ + +typedef struct DetectMarkData_ { + uint32_t mark; /**< Rule mark */ + uint32_t mask; /**< Rule mask */ +} DetectMarkData; + +/** + * Registration function for nfq_set_mark: keyword + */ + +void DetectMarkRegister (void); + +/** + * This function registers unit tests for Mark + */ + +void MarkRegisterTests(void); + +#endif /*__DETECT_MARK_H__ */ diff --git a/src/detect.c b/src/detect.c index c8018239bf..2fac62facb 100644 --- a/src/detect.c +++ b/src/detect.c @@ -3966,6 +3966,7 @@ void SigTableSetup(void) { DetectFragBitsRegister(); DetectFragOffsetRegister(); DetectGidRegister(); + DetectMarkRegister(); DetectCsumRegister(); DetectStreamSizeRegister(); DetectTtlRegister(); diff --git a/src/detect.h b/src/detect.h index fab3aea597..fee18953ff 100644 --- a/src/detect.h +++ b/src/detect.h @@ -40,6 +40,7 @@ #include "util-radix-tree.h" #include "detect-threshold.h" +#include "detect-mark.h" //#include "detect-engine-tag.h" #define COUNTER_DETECT_ALERTS 1 @@ -969,6 +970,7 @@ enum { DETECT_FRAGBITS, DETECT_FRAGOFFSET, DETECT_GID, + DETECT_MARK, DETECT_AL_TLS_VERSION, DETECT_AL_HTTP_COOKIE,