aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rfb: move app-layer registration code to rust

Browse Source 
Ticket: 7178
pull/11616/head
Philippe Antoine 1 year ago committed by Victor Julien
parent 62a186ceef
commit ede77bc4db
6 changed files with 28 additions and 189 deletions
Show Stats Download Patch File Download Diff File

3
rust/src/applayer.rs
Unescape Escape View File

@ -479,6 +479,9 @@ extern {
alproto_name: *const c_char, alproto: AppProto, alproto_name: *const c_char, alproto: AppProto,
min_depth: u16, max_depth: u16, min_depth: u16, max_depth: u16,
pparser_ts: ProbeFn, pparser_tc: ProbeFn) -> i32; pparser_ts: ProbeFn, pparser_tc: ProbeFn) -> i32;
pub fn AppLayerProtoDetectPMRegisterPatternCI(ipproto: u8, alproto: AppProto,
pattern: *const c_char, depth: u16,
offset: u16, direction: u8) -> c_int;
pub fn AppLayerProtoDetectPMRegisterPatternCS(ipproto: u8, alproto: AppProto, pub fn AppLayerProtoDetectPMRegisterPatternCS(ipproto: u8, alproto: AppProto,
pattern: *const c_char, depth: u16, pattern: *const c_char, depth: u16,
offset: u16, direction: u8) -> c_int; offset: u16, direction: u8) -> c_int;

25
rust/src/rfb/rfb.rs
Unescape Escape View File

@ -26,6 +26,7 @@ use crate::frames::*;
use nom7::Err; use nom7::Err;
use std; use std;
use std::ffi::CString; use std::ffi::CString;
use std::os::raw::c_char;
pub(super) static mut ALPROTO_RFB: AppProto = ALPROTO_UNKNOWN; pub(super) static mut ALPROTO_RFB: AppProto = ALPROTO_UNKNOWN;
@ -831,7 +832,7 @@ export_tx_data_get!(rs_rfb_get_tx_data, RFBTransaction);
export_state_data_get!(rs_rfb_get_state_data, RFBState); export_state_data_get!(rs_rfb_get_state_data, RFBState);
#[no_mangle] #[no_mangle]
pub unsafe extern "C" fn rs_rfb_register_parser() { pub unsafe extern "C" fn SCRfbRegisterParser() {
let parser = RustParser { let parser = RustParser {
name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char, name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
default_port: std::ptr::null(), default_port: std::ptr::null(),
@ -874,6 +875,28 @@ pub unsafe extern "C" fn rs_rfb_register_parser() {
} }
SCLogDebug!("Rust rfb parser registered."); SCLogDebug!("Rust rfb parser registered.");
AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RFB); AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RFB);
if AppLayerProtoDetectPMRegisterPatternCI(
IPPROTO_TCP,
ALPROTO_RFB,
b"RFB \0".as_ptr() as *const c_char,
b"RFB ".len() as u16,
0,
crate::core::Direction::ToServer.into(),
) < 0
{
SCLogDebug!("Failed to register protocol detection pattern for direction TOSERVER");
};
if AppLayerProtoDetectPMRegisterPatternCI(
IPPROTO_TCP,
ALPROTO_RFB,
b"RFB \0".as_ptr() as *const c_char,
b"RFB ".len() as u16,
0,
crate::core::Direction::ToClient.into(),
) < 0
{
SCLogDebug!("Failed to register protocol detection pattern for direction TOCLIENT");
}
} else { } else {
SCLogDebug!("Protocol detector and parser disabled for RFB."); SCLogDebug!("Protocol detector and parser disabled for RFB.");
} }

2
src/Makefile.am
Unescape Escape View File

@ -37,7 +37,6 @@ noinst_HEADERS = \
app-layer-parser.h \ app-layer-parser.h \
app-layer-protos.h \ app-layer-protos.h \
app-layer-register.h \ app-layer-register.h \
app-layer-rfb.h \
app-layer-smb.h \ app-layer-smb.h \
app-layer-smtp.h \ app-layer-smtp.h \
app-layer-ssh.h \ app-layer-ssh.h \
@ -619,7 +618,6 @@ libsuricata_c_a_SOURCES = \
app-layer-parser.c \ app-layer-parser.c \
app-layer-protos.c \ app-layer-protos.c \
app-layer-register.c \ app-layer-register.c \
app-layer-rfb.c \
app-layer-smb.c \ app-layer-smb.c \
app-layer-smtp.c \ app-layer-smtp.c \
app-layer-ssh.c \ app-layer-ssh.c \

3
src/app-layer-parser.c
Unescape Escape View File

@ -52,7 +52,6 @@
#include "app-layer-nfs-udp.h" #include "app-layer-nfs-udp.h"
#include "app-layer-tftp.h" #include "app-layer-tftp.h"
#include "app-layer-ike.h" #include "app-layer-ike.h"
#include "app-layer-rfb.h"
#include "app-layer-http2.h" #include "app-layer-http2.h"
#include "app-layer-imap.h" #include "app-layer-imap.h"
@ -1725,7 +1724,7 @@ void AppLayerParserRegisterProtocolParsers(void)
rs_websocket_register_parser(); rs_websocket_register_parser();
rs_ldap_register_parser(); rs_ldap_register_parser();
rs_template_register_parser(); rs_template_register_parser();
RegisterRFBParsers(); SCRfbRegisterParser();
SCMqttRegisterParser(); SCMqttRegisterParser();
rs_pgsql_register_parser(); rs_pgsql_register_parser();
rs_rdp_register_parser(); rs_rdp_register_parser();

155
src/app-layer-rfb.c
Unescape Escape View File

@ -1,155 +0,0 @@
/* Copyright (C) 2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
*
* RFB (VNC) application layer detector and parser.
*
*/
#include "suricata-common.h"
#include "util-unittest.h"
#include "app-layer-detect-proto.h"
#include "app-layer-parser.h"
#include "app-layer-rfb.h"
#include "rust.h"
static int RFBRegisterPatternsForProtocolDetection(void)
{
if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_RFB,
"RFB ", 4, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_RFB,
"RFB ", 4, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
return 0;
}
void RFBParserRegisterTests(void);
void RegisterRFBParsers(void)
{
rs_rfb_register_parser();
if (RFBRegisterPatternsForProtocolDetection() < 0 )
return;
#ifdef UNITTESTS
AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_RFB,
RFBParserRegisterTests);
#endif
}
#ifdef UNITTESTS
#include "stream-tcp.h"
#include "util-unittest-helper.h"
static int RFBParserTest(void)
{
uint64_t ret[4];
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
FAIL_IF_NULL(alp_tctx);
StreamTcpInitConfig(true);
TcpSession ssn;
memset(&ssn, 0, sizeof(ssn));
Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 59001, 5900);
FAIL_IF_NULL(f);
f->protoctx = &ssn;
f->proto = IPPROTO_TCP;
f->alproto = ALPROTO_RFB;
static const unsigned char rfb_version_str[12] = {
0x52, 0x46, 0x42, 0x20, 0x30, 0x30, 0x33, 0x2e, 0x30, 0x30, 0x37, 0x0a
};
// the RFB server sending the first handshake message
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOCLIENT | STREAM_START,
(uint8_t *)rfb_version_str, sizeof(rfb_version_str));
FAIL_IF_NOT(r == 0);
r = AppLayerParserParse(
NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)rfb_version_str, sizeof(rfb_version_str));
FAIL_IF_NOT(r == 0);
static const unsigned char security_types[3] = {
0x02, 0x01, 0x02
};
r = AppLayerParserParse(
NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOCLIENT, (uint8_t *)security_types, sizeof(security_types));
FAIL_IF_NOT(r == 0);
static const unsigned char type_selection[1] = {
0x01
};
r = AppLayerParserParse(
NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)type_selection, sizeof(type_selection));
FAIL_IF_NOT(r == 0);
static const unsigned char client_init[1] = {
0x01
};
r = AppLayerParserParse(
NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)client_init, sizeof(client_init));
FAIL_IF_NOT(r == 0);
static const unsigned char server_init[] = {
0x05, 0x00, 0x03, 0x20, 0x20, 0x18, 0x00, 0x01,
0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x10, 0x08,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e,
0x61, 0x6e, 0x65, 0x61, 0x67, 0x6c, 0x65, 0x73,
0x40, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f,
0x73, 0x74, 0x2e, 0x6c, 0x6f, 0x63, 0x61, 0x6c,
0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e
};
r = AppLayerParserParse(
NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOCLIENT, (uint8_t *)server_init, sizeof(server_init));
FAIL_IF_NOT(r == 0);
AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT);
UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
FAIL_IF_NOT(ret[0] == 1); // inspect_id[0]
FAIL_IF_NOT(ret[1] == 1); // inspect_id[1]
FAIL_IF_NOT(ret[2] == 1); // log_id
FAIL_IF_NOT(ret[3] == 1); // min_id
AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT);
AppLayerParserThreadCtxFree(alp_tctx);
StreamTcpFreeConfig(true);
UTHFreeFlow(f);
PASS;
}
void RFBParserRegisterTests(void)
{
UtRegisterTest("RFBParserTest", RFBParserTest);
}
#endif

29
src/app-layer-rfb.h
Unescape Escape View File

@ -1,29 +0,0 @@
/* Copyright (C) 2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
*/
#ifndef SURICATA_APP_LAYER_RFB_H
#define SURICATA_APP_LAYER_RFB_H
void RegisterRFBParsers(void);
#endif /* SURICATA_APP_LAYER_RFB_H */
Write Preview
Loading…
Cancel
Save