detect/snmp: rename keywords to snmp.<name>, and make rust mandatory

pull/3926/head
Pierre Chifflier 6 years ago
parent 031cbbe868
commit c67a53773b

@ -20,7 +20,7 @@
*
* \author Pierre Chifflier <chifflier@wzdftpd.net>
*
* Set up of the "snmp_community" keyword to allow content
* Set up of the "snmp.community" keyword to allow content
* inspections on the decoded snmp community.
*/
@ -33,14 +33,6 @@
#include "detect-snmp-community.h"
#include "app-layer-parser.h"
#ifndef HAVE_RUST
void DetectSNMPCommunityRegister(void)
{
}
#else
#include "rust-snmp-snmp-gen.h"
#include "rust-snmp-detect-gen.h"
@ -55,34 +47,33 @@ static int g_snmp_rust_id = 0;
void DetectSNMPCommunityRegister(void)
{
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].name = "snmp_community";
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].name = "snmp.community";
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].desc =
"SNMP content modififier to match on the snmp community";
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].Setup =
DetectSNMPCommunitySetup;
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].RegisterTests =
DetectSNMPCommunityRegisterTests;
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp_community";
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp.community";
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
/* register inspect engines */
DetectAppLayerInspectEngineRegister("snmp_community",
DetectAppLayerInspectEngineRegister("snmp.community",
ALPROTO_SNMP, SIG_FLAG_TOSERVER, 0,
DetectEngineInspectSNMPCommunity);
DetectAppLayerInspectEngineRegister("snmp_community",
DetectAppLayerInspectEngineRegister("snmp.community",
ALPROTO_SNMP, SIG_FLAG_TOCLIENT, 0,
DetectEngineInspectSNMPCommunity);
g_snmp_rust_id = DetectBufferTypeGetByName("snmp_community");
SCLogDebug("SNMP community detect registered.");
g_snmp_rust_id = DetectBufferTypeGetByName("snmp.community");
}
static int DetectSNMPCommunitySetup(DetectEngineCtx *de_ctx, Signature *s,
const char *str)
{
s->init_data->list = g_snmp_rust_id;
if (DetectBufferSetActiveList(s, g_snmp_rust_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_SNMP) != 0)
return -1;
@ -107,8 +98,8 @@ static int DetectEngineInspectSNMPCommunity(ThreadVars *tv,
if (data != NULL) {
ret = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
f, (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
NULL, f, (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
}
return ret;
@ -170,7 +161,7 @@ static int DetectSNMPCommunityTest(void)
s = DetectEngineAppendSig(de_ctx,
"alert snmp any any -> any any ("
"msg:\"SNMP Test Rule\"; "
"snmp_community; content:\"[R0_C@cti!]\"; "
"snmp.community; content:\"[R0_C@cti!]\"; "
"sid:1; rev:1;)");
FAIL_IF_NULL(s);
@ -178,7 +169,7 @@ static int DetectSNMPCommunityTest(void)
s = DetectEngineAppendSig(de_ctx,
"alert snmp any any -> any any ("
"msg:\"SNMP Test Rule\"; "
"snmp_community; content:\"private\"; "
"snmp.community; content:\"private\"; "
"sid:2; rev:1;)");
FAIL_IF_NULL(s);
@ -222,5 +213,3 @@ static void DetectSNMPCommunityRegisterTests(void)
DetectSNMPCommunityTest);
#endif /* UNITTESTS */
}
#endif
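Review bot: DetectSNMPCommunityRegister replaces the name "snmp_community" outright, so any rule still written with the old spelling will fail to load after this change; on an IDS that is lost detection coverage that surfaces only as rule-load errors. If the old names ever shipped and the keyword table in this tree supports a second name per entry, keep the old spelling as an alias for a deprecation period; otherwise call out the break in the upgrade notes. The same applies to "snmp.pdu_type" and "snmp.version" in the other two files. The new `url` anchor `#snmp.community` also needs a matching heading in the rules documentation, which is not part of the visible change.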

@ -30,19 +30,11 @@
#include "detect-snmp-pdu_type.h"
#include "app-layer-parser.h"
#ifndef HAVE_RUST
void DetectSNMPPduTypeRegister(void)
{
}
#else
#include "rust-snmp-snmp-gen.h"
#include "rust-snmp-detect-gen.h"
/**
* [snmp_pdu_type]:<type>;
* [snmp.pdu_type]:<type>;
*/
#define PARSE_REGEX "^\\s*([0-9]+)\\s*$"
static pcre *parse_regex;
@ -70,28 +62,27 @@ static int DetectSNMPPduTypeMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *
void DetectSNMPPduTypeRegister(void)
{
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].name = "snmp_pdu_type";
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].name = "snmp.pdu_type";
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].desc = "match SNMP Pdu type";
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp_pdu_type";
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp.pdu_type";
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].Match = NULL;
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].AppLayerTxMatch = DetectSNMPPduTypeMatch;
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].Setup = DetectSNMPPduTypeSetup;
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].Free = DetectSNMPPduTypeFree;
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].RegisterTests = DetectSNMPPduTypeRegisterTests;
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].flags |= SIGMATCH_NOOPT;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
DetectAppLayerInspectEngineRegister("snmp_pdu_type",
DetectAppLayerInspectEngineRegister("snmp.pdu_type",
ALPROTO_SNMP, SIG_FLAG_TOSERVER, 0,
DetectEngineInspectSNMPRequestGeneric);
DetectAppLayerInspectEngineRegister("snmp_pdu_type",
DetectAppLayerInspectEngineRegister("snmp.pdu_type",
ALPROTO_SNMP, SIG_FLAG_TOCLIENT, 0,
DetectEngineInspectSNMPRequestGeneric);
g_snmp_pdu_type_buffer_id = DetectBufferTypeGetByName("snmp_pdu_type");
SCLogDebug("g_snmp_pdu_type_buffer_id %d", g_snmp_pdu_type_buffer_id);
g_snmp_pdu_type_buffer_id = DetectBufferTypeGetByName("snmp.pdu_type");
}
static int DetectEngineInspectSNMPRequestGeneric(ThreadVars *tv,
@ -139,7 +130,7 @@ static int DetectSNMPPduTypeMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx
/**
* \internal
* \brief Function to parse options passed via snmp_pdu_type keywords.
* \brief Function to parse options passed via snmp.pdu_type keywords.
*
* \param rawstr Pointer to the user provided options.
*
@ -177,7 +168,7 @@ static DetectSNMPPduTypeData *DetectSNMPPduTypeParse (const char *rawstr)
dd->pdu_type = strtoul(value1, &endptr, 10);
if (endptr == NULL || *endptr != '\0') {
SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid character as arg "
"to snmp_pdu_type keyword");
"to snmp.pdu_type keyword");
goto error;
}
@ -224,7 +215,7 @@ static int DetectSNMPPduTypeSetup (DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_AL_SNMP_PDU_TYPE;
sm->ctx = (void *)dd;
SCLogDebug("snmp_pdu_type %d", dd->pdu_type);
SCLogDebug("snmp.pdu_type %d", dd->pdu_type);
SigMatchAppendSMToList(s, sm, g_snmp_pdu_type_buffer_id);
return 0;
@ -274,5 +265,3 @@ static void DetectSNMPPduTypeRegisterTests(void)
UtRegisterTest("SNMPValidityTestParse01", SNMPValidityTestParse01);
#endif /* UNITTESTS */
}
#endif
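Review bot: In DetectSNMPPduTypeParse the `strtoul` result is checked only for trailing characters, so an out-of-range rule argument is accepted: PARSE_REGEX allows any number of digits and `errno` is never tested. The value is then stored in `dd->pdu_type`, which is logged with `%d` and is presumably narrower than unsigned long, so an overlong number would load cleanly but match a different PDU type than the rule author wrote. Set `errno = 0;` before the call and reject with `if (errno == ERANGE || val > UINT32_MAX) goto error;`, using the bound that matches the field's declared type, before assigning. DetectSNMPVersionParse has the same pattern, and both functions start and end outside the hunks shown.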

@ -30,19 +30,11 @@
#include "detect-snmp-version.h"
#include "app-layer-parser.h"
#ifndef HAVE_RUST
void DetectSNMPVersionRegister(void)
{
}
#else
#include "rust-snmp-snmp-gen.h"
#include "rust-snmp-detect-gen.h"
/**
* [snmp_version]:[<|>|<=|>=]<version>;
* [snmp.version]:[<|>|<=|>=]<version>;
*/
#define PARSE_REGEX "^\\s*(<=|>=|<|>)?\\s*([0-9]+)\\s*$"
static pcre *parse_regex;
@ -78,33 +70,31 @@ static int DetectSNMPVersionMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *
const SigMatchCtx *);
/**
* \brief Registration function for snmp_procedure keyword.
* \brief Registration function for snmp.procedure keyword.
*/
void DetectSNMPVersionRegister (void)
{
sigmatch_table[DETECT_AL_SNMP_VERSION].name = "snmp_version";
sigmatch_table[DETECT_AL_SNMP_VERSION].name = "snmp.version";
sigmatch_table[DETECT_AL_SNMP_VERSION].desc = "match SNMP version";
sigmatch_table[DETECT_AL_SNMP_VERSION].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp_version";
sigmatch_table[DETECT_AL_SNMP_VERSION].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp.version";
sigmatch_table[DETECT_AL_SNMP_VERSION].Match = NULL;
sigmatch_table[DETECT_AL_SNMP_VERSION].AppLayerTxMatch = DetectSNMPVersionMatch;
sigmatch_table[DETECT_AL_SNMP_VERSION].Setup = DetectSNMPVersionSetup;
sigmatch_table[DETECT_AL_SNMP_VERSION].Free = DetectSNMPVersionFree;
sigmatch_table[DETECT_AL_SNMP_VERSION].RegisterTests = DetectSNMPVersionRegisterTests;
sigmatch_table[DETECT_AL_SNMP_VERSION].flags |= SIGMATCH_NOOPT;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
DetectAppLayerInspectEngineRegister("snmp_version",
DetectAppLayerInspectEngineRegister("snmp.version",
ALPROTO_SNMP, SIG_FLAG_TOSERVER, 0,
DetectEngineInspectSNMPRequestGeneric);
DetectAppLayerInspectEngineRegister("snmp_version",
DetectAppLayerInspectEngineRegister("snmp.version",
ALPROTO_SNMP, SIG_FLAG_TOCLIENT, 0,
DetectEngineInspectSNMPRequestGeneric);
g_snmp_version_buffer_id = DetectBufferTypeGetByName("snmp_version");
SCLogDebug("g_snmp_version_buffer_id %d", g_snmp_version_buffer_id);
g_snmp_version_buffer_id = DetectBufferTypeGetByName("snmp.version");
}
static int DetectEngineInspectSNMPRequestGeneric(ThreadVars *tv,
@ -181,7 +171,7 @@ static int DetectSNMPVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx
/**
* \internal
* \brief Function to parse options passed via snmp_version keywords.
* \brief Function to parse options passed via snmp.version keywords.
*
* \param rawstr Pointer to the user provided options.
*
@ -243,7 +233,7 @@ static DetectSNMPVersionData *DetectSNMPVersionParse (const char *rawstr)
dd->version = strtoul(value1, &endptr, 10);
if (endptr == NULL || *endptr != '\0') {
SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid character as arg "
"to snmp_version keyword");
"to snmp.version keyword");
goto error;
}
@ -292,7 +282,7 @@ static int DetectSNMPVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_AL_SNMP_VERSION;
sm->ctx = (void *)dd;
SCLogDebug("snmp_version %d", dd->version);
SCLogDebug("snmp.version %d", dd->version);
SigMatchAppendSMToList(s, sm, g_snmp_version_buffer_id);
return 0;
@ -360,5 +350,3 @@ static void DetectSNMPVersionRegisterTests(void)
UtRegisterTest("SNMPValidityTestParse02", SNMPValidityTestParse02);
#endif /* UNITTESTS */
}
#endif
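Review bot: The Doxygen brief above DetectSNMPVersionRegister now reads "Registration function for snmp.procedure keyword", but the function registers "snmp.version" and nothing named snmp.procedure appears in this file section. The mechanical rename carried an older copy-paste error forward. Change it to `\brief Registration function for snmp.version keyword.` so the comment agrees with `sigmatch_table[DETECT_AL_SNMP_VERSION].name`.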
