aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

dcerpc: simplify common detect code

Browse Source
pull/2559/head
Victor Julien 9 years ago
parent 402eb645a0
commit d318bfc934
7 changed files with 52 additions and 67 deletions
Show Stats Download Patch File Download Diff File

10
src/app-layer-smb.c
Unescape Escape View File

@ -670,7 +670,7 @@ static int32_t DataParser(void *smb_state, AppLayerParserState *pstate,
int32_t parsed = 0; int32_t parsed = 0;
if (sstate->andx.paddingparsed) { if (sstate->andx.paddingparsed) {
parsed = DCERPCParser(&sstate->dcerpc, input, input_len); parsed = DCERPCParser(&sstate->ds.dcerpc, input, input_len);
if (parsed == -1 || parsed > sstate->bytecount.bytecountleft || parsed > (int32_t)input_len) { if (parsed == -1 || parsed > sstate->bytecount.bytecountleft || parsed > (int32_t)input_len) {
SCReturnInt(-1); SCReturnInt(-1);
} else { } else {
@ -1435,7 +1435,7 @@ static void *SMBStateAlloc(void)
SCReturnPtr(NULL, "void"); SCReturnPtr(NULL, "void");
} }
DCERPCInit(&s->dcerpc); DCERPCInit(&s->ds.dcerpc);
SCReturnPtr(s, "void"); SCReturnPtr(s, "void");
} }
@ -1448,7 +1448,7 @@ static void SMBStateFree(void *s)
SCEnter(); SCEnter();
SMBState *sstate = (SMBState *) s; SMBState *sstate = (SMBState *) s;
DCERPCCleanup(&sstate->dcerpc); DCERPCCleanup(&sstate->ds.dcerpc);
SCFree(s); SCFree(s);
SCReturn; SCReturn;
@ -1705,7 +1705,7 @@ int SMBParserTest02(void)
goto end; goto end;
} }
printUUID("BIND", smb_state->dcerpc.dcerpcbindbindack.uuid_entry); printUUID("BIND", smb_state->ds.dcerpc.dcerpcbindbindack.uuid_entry);
result = 1; result = 1;
end: end:
if (alp_tctx != NULL) if (alp_tctx != NULL)
@ -2012,7 +2012,7 @@ int SMBParserTest03(void)
goto end; goto end;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
printUUID("BIND", smb_state->dcerpc.dcerpcbindbindack.uuid_entry); printUUID("BIND", smb_state->ds.dcerpc.dcerpcbindbindack.uuid_entry);
result = 1; result = 1;
end: end:
if (alp_tctx != NULL) if (alp_tctx != NULL)

3
src/app-layer-smb.h
Unescape Escape View File

@ -30,6 +30,7 @@
#include "stream.h" #include "stream.h"
#include "app-layer-nbss.h" #include "app-layer-nbss.h"
#include "app-layer-dcerpc-common.h" #include "app-layer-dcerpc-common.h"
#include "app-layer-dcerpc.h"
typedef struct SMBHdr_ { typedef struct SMBHdr_ {
uint8_t protocol[4]; uint8_t protocol[4];
@ -83,7 +84,7 @@ typedef struct SMBState_ {
SMBWordCount wordcount; SMBWordCount wordcount;
SMBByteCount bytecount; SMBByteCount bytecount;
SMBAndX andx; SMBAndX andx;
DCERPC dcerpc; DCERPCState ds;
uint8_t dcerpc_present; uint8_t dcerpc_present;
uint8_t data_needed_for_dir; uint8_t data_needed_for_dir;
} SMBState; } SMBState;

20
src/detect-dce-iface.c
Unescape Escape View File

@ -229,6 +229,24 @@ static inline int DetectDceIfaceMatchIfaceVersion(uint16_t version,
} }
} }
#include "app-layer-smb.h"
DCERPCState *DetectDceGetState(AppProto alproto, void *alstate)
{
switch(alproto) {
case ALPROTO_DCERPC:
return alstate;
case ALPROTO_SMB: {
SMBState *smb_state = (SMBState *)alstate;
return &smb_state->ds;
}
case ALPROTO_SMB2:
// not implemented
return NULL;
}
return NULL;
}
/** /**
* \brief App layer match function for the "dce_iface" keyword. * \brief App layer match function for the "dce_iface" keyword.
* *
@ -253,7 +271,7 @@ static int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
DCERPCUuidEntry *item = NULL; DCERPCUuidEntry *item = NULL;
int i = 0; int i = 0;
DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m->ctx; DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m->ctx;
DCERPCState *dcerpc_state = (DCERPCState *)state; DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
if (dcerpc_state == NULL) { if (dcerpc_state == NULL) {
SCLogDebug("No DCERPCState for the flow"); SCLogDebug("No DCERPCState for the flow");
SCReturnInt(0); SCReturnInt(0);

4
src/detect-dce-iface.h
Unescape Escape View File

@ -24,6 +24,8 @@
#ifndef __DETECT_DCE_IFACE_H__ #ifndef __DETECT_DCE_IFACE_H__
#define __DETECT_DCE_IFACE_H__ #define __DETECT_DCE_IFACE_H__
#include "app-layer-dcerpc.h"
typedef enum DetectDceIfaceOperators_ { typedef enum DetectDceIfaceOperators_ {
DETECT_DCE_IFACE_OP_NONE = 0, DETECT_DCE_IFACE_OP_NONE = 0,
DETECT_DCE_IFACE_OP_LT, DETECT_DCE_IFACE_OP_LT,
@ -41,4 +43,6 @@ typedef struct DetectDceIfaceData_ {
void DetectDceIfaceRegister(void); void DetectDceIfaceRegister(void);
DCERPCState *DetectDceGetState(AppProto alproto, void *alstate);
#endif /* __DETECT_DCE_IFACE_H__ */ #endif /* __DETECT_DCE_IFACE_H__ */

3
src/detect-dce-opnum.c
Unescape Escape View File

@ -41,6 +41,7 @@
#include "queue.h" #include "queue.h"
#include "stream-tcp-reassemble.h" #include "stream-tcp-reassemble.h"
#include "detect-dce-opnum.h" #include "detect-dce-opnum.h"
#include "detect-dce-iface.h"
#include "util-debug.h" #include "util-debug.h"
#include "util-unittest.h" #include "util-unittest.h"
@ -247,7 +248,7 @@ static int DetectDceOpnumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m->ctx; DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m->ctx;
DetectDceOpnumRange *dor = dce_data->range; DetectDceOpnumRange *dor = dce_data->range;
DCERPCState *dcerpc_state = (DCERPCState *)state; DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
if (dcerpc_state == NULL) { if (dcerpc_state == NULL) {
SCLogDebug("No DCERPCState for the flow"); SCLogDebug("No DCERPCState for the flow");
SCReturnInt(0); SCReturnInt(0);

4
src/detect-engine-dcepayload.c
Unescape Escape View File

@ -47,6 +47,8 @@
#include "util-unittest.h" #include "util-unittest.h"
#include "util-unittest-helper.h" #include "util-unittest-helper.h"
#include "detect-dce-iface.h"
/** /**
* \brief Do the content inspection & validation for a signature against dce stub. * \brief Do the content inspection & validation for a signature against dce stub.
* *
@ -66,7 +68,7 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
Flow *f, uint8_t flags, void *alstate) Flow *f, uint8_t flags, void *alstate)
{ {
SCEnter(); SCEnter();
DCERPCState *dcerpc_state = (DCERPCState *)alstate; DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, alstate);
uint8_t *dce_stub_data = NULL; uint8_t *dce_stub_data = NULL;
uint16_t dce_stub_data_len; uint16_t dce_stub_data_len;
int r = 0; int r = 0;

75
src/detect-engine-state.c
Unescape Escape View File

@ -628,20 +628,10 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
} }
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_DMATCH); KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_DMATCH);
if (alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
SMBState *smb_state = (SMBState *)alstate; flags, alstate) == 1) {
if (smb_state->dcerpc_present && inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f, dmatch = 1;
flags, &smb_state->dcerpc) == 1) {
inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
dmatch = 1;
}
} else {
if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
dmatch = 1;
}
} }
} }
@ -658,20 +648,10 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
while (1) { while (1) {
if (sigmatch_table[smd->type].AppLayerMatch != NULL) { if (sigmatch_table[smd->type].AppLayerMatch != NULL) {
int match = 0; int match = 0;
if (alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { KEYWORD_PROFILING_START;
SMBState *smb_state = (SMBState *)alstate; match = sigmatch_table[smd->type].
if (smb_state->dcerpc_present) { AppLayerMatch(tv, det_ctx, f, flags, alstate, s, smd);
KEYWORD_PROFILING_START; KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
match = sigmatch_table[smd->type].
AppLayerMatch(tv, det_ctx, f, flags, &smb_state->dcerpc, s, smd);
KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
}
} else {
KEYWORD_PROFILING_START;
match = sigmatch_table[smd->type].
AppLayerMatch(tv, det_ctx, f, flags, alstate, s, smd);
KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
}
if (match == 0) { if (match == 0) {
break; break;
@ -968,20 +948,10 @@ static int DoInspectFlowRule(ThreadVars *tv,
while(1) { while(1) {
if (sigmatch_table[smd->type].AppLayerMatch != NULL) { if (sigmatch_table[smd->type].AppLayerMatch != NULL) {
int match = 0; int match = 0;
if (alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { KEYWORD_PROFILING_START;
SMBState *smb_state = (SMBState *)alstate; match = sigmatch_table[smd->type].
if (smb_state->dcerpc_present) { AppLayerMatch(tv, det_ctx, f, flags, alstate, s, smd);
KEYWORD_PROFILING_START; KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
match = sigmatch_table[smd->type].
AppLayerMatch(tv, det_ctx, f, flags, &smb_state->dcerpc, s, smd);
KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
}
} else {
KEYWORD_PROFILING_START;
match = sigmatch_table[smd->type].
AppLayerMatch(tv, det_ctx, f, flags, alstate, s, smd);
KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
}
if (match == 0) if (match == 0)
break; break;
@ -1014,22 +984,11 @@ static int DoInspectFlowRule(ThreadVars *tv,
void *alstate = FlowGetAppState(f); void *alstate = FlowGetAppState(f);
if (alstate != NULL) { if (alstate != NULL) {
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_DMATCH); KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_DMATCH);
if (alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
SMBState *smb_state = (SMBState *)alstate; flags, alstate) == 1)
if (smb_state->dcerpc_present && {
DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f, total_matches++;
flags, &smb_state->dcerpc) == 1) inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
{
total_matches++;
inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
}
} else {
if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
flags, alstate) == 1)
{
total_matches++;
inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
}
} }
} }
} }

Write Preview
Loading…
Cancel
Save