aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

dce: dynamic lists

Browse Source
pull/2559/head
Victor Julien 8 years ago
parent 84ba9cf9df
commit f018ae94b0
2 changed files with 104 additions and 113 deletions
Show Stats Download Patch File Download Diff File

159
src/detect-dce-iface.c
Unescape Escape View File

@ -52,11 +52,19 @@
static pcre *parse_regex = NULL;
static pcre_extra *parse_regex_study = NULL;
static int DetectDceIfaceMatch(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t,
void *, const Signature *, const SigMatchData *);
static int DetectDceIfaceMatch(ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t, void *, void *,
const Signature *, const SigMatchCtx *);
static int DetectDceIfaceSetup(DetectEngineCtx *, Signature *, char *);
static void DetectDceIfaceFree(void *);
static void DetectDceIfaceRegisterTests(void);
static int g_dce_generic_list_id = 0;
static int InspectDceGeneric(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const Signature *s, const SigMatchData *smd,
Flow *f, uint8_t flags, void *alstate,
void *txv, uint64_t tx_id);
/**
* \brief Registers the keyword handlers for the "dce_iface" keyword.
@ -65,7 +73,7 @@ void DetectDceIfaceRegister(void)
{
sigmatch_table[DETECT_DCE_IFACE].name = "dce_iface";
sigmatch_table[DETECT_DCE_IFACE].Match = NULL;
sigmatch_table[DETECT_DCE_IFACE].AppLayerMatch = DetectDceIfaceMatch;
sigmatch_table[DETECT_DCE_IFACE].AppLayerTxMatch = DetectDceIfaceMatch;
sigmatch_table[DETECT_DCE_IFACE].Setup = DetectDceIfaceSetup;
sigmatch_table[DETECT_DCE_IFACE].Free = DetectDceIfaceFree;
sigmatch_table[DETECT_DCE_IFACE].RegisterTests = DetectDceIfaceRegisterTests;
@ -73,8 +81,31 @@ void DetectDceIfaceRegister(void)
sigmatch_table[DETECT_DCE_IFACE].flags |= SIGMATCH_PAYLOAD;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
DetectAppLayerInspectEngineRegister("dce_generic",
ALPROTO_DCERPC, SIG_FLAG_TOSERVER, InspectDceGeneric);
DetectAppLayerInspectEngineRegister("dce_generic",
ALPROTO_SMB, SIG_FLAG_TOSERVER, InspectDceGeneric);
DetectAppLayerInspectEngineRegister("dce_generic",
ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, InspectDceGeneric);
DetectAppLayerInspectEngineRegister("dce_generic",
ALPROTO_SMB, SIG_FLAG_TOCLIENT, InspectDceGeneric);
}
static int InspectDceGeneric(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const Signature *s, const SigMatchData *smd,
Flow *f, uint8_t flags, void *alstate,
void *txv, uint64_t tx_id)
{
return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
f, flags, alstate, txv, tx_id);
}
/**
* \internal
* \brief Parses the argument sent along with the "dce_iface" keyword.
@ -262,15 +293,15 @@ DCERPCState *DetectDceGetState(AppProto alproto, void *alstate)
* \retval 0 On no match.
*/
static int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state,
const Signature *s, const SigMatchData *m)
Flow *f, uint8_t flags, void *state, void *txv,
const Signature *s, const SigMatchCtx *m)
{
SCEnter();
int ret = 0;
DCERPCUuidEntry *item = NULL;
int i = 0;
DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m->ctx;
DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m;
DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
if (dcerpc_state == NULL) {
SCLogDebug("No DCERPCState for the flow");
@ -341,11 +372,16 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
DetectDceIfaceData *did = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
return -1;
}
did = DetectDceIfaceArgParse(arg);
if (did == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dec_iface option in "
"signature");
goto error;
return -1;
}
sm = SigMatchAlloc();
@ -355,12 +391,7 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
sm->type = DETECT_DCE_IFACE;
sm->ctx = (void *)did;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
goto error;
}
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
s->alproto = ALPROTO_DCERPC;
/* Flagged the signature as to inspect the app layer data */
@ -402,11 +433,11 @@ static int DetectDceIfaceTestParse01(void)
result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
if (s->sm_lists[g_dce_generic_list_id] == NULL) {
SCReturnInt(0);
}
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
temp = s->sm_lists[g_dce_generic_list_id];
did = (DetectDceIfaceData *)temp->ctx;
if (did == NULL) {
SCReturnInt(0);
@ -445,11 +476,11 @@ static int DetectDceIfaceTestParse02(void)
result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
if (s->sm_lists[g_dce_generic_list_id] == NULL) {
SCReturnInt(0);
}
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
temp = s->sm_lists[g_dce_generic_list_id];
did = (DetectDceIfaceData *)temp->ctx;
if (did == NULL) {
SCReturnInt(0);
@ -488,11 +519,11 @@ static int DetectDceIfaceTestParse03(void)
result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<10") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
if (s->sm_lists[g_dce_generic_list_id] == NULL) {
SCReturnInt(0);
}
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
temp = s->sm_lists[g_dce_generic_list_id];
did = (DetectDceIfaceData *)temp->ctx;
result &= 1;
for (i = 0; i < 16; i++) {
@ -527,11 +558,11 @@ static int DetectDceIfaceTestParse04(void)
result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,!10") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
if (s->sm_lists[g_dce_generic_list_id] == NULL) {
SCReturnInt(0);
}
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
temp = s->sm_lists[g_dce_generic_list_id];
did = (DetectDceIfaceData *)temp->ctx;
if (did == NULL) {
SCReturnInt(0);
@ -567,11 +598,11 @@ static int DetectDceIfaceTestParse05(void)
result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,=10") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
if (s->sm_lists[g_dce_generic_list_id] == NULL) {
SCReturnInt(0);
}
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
temp = s->sm_lists[g_dce_generic_list_id];
did = (DetectDceIfaceData *)temp->ctx;
if (did == NULL) {
SCReturnInt(0);
@ -610,11 +641,11 @@ static int DetectDceIfaceTestParse06(void)
result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,any_frag") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
if (s->sm_lists[g_dce_generic_list_id] == NULL) {
SCReturnInt(0);
}
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
temp = s->sm_lists[g_dce_generic_list_id];
did = (DetectDceIfaceData *)temp->ctx;
if (did == NULL) {
SCReturnInt(0);
@ -653,11 +684,11 @@ static int DetectDceIfaceTestParse07(void)
result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1,any_frag") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
if (s->sm_lists[g_dce_generic_list_id] == NULL) {
SCReturnInt(0);
}
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
temp = s->sm_lists[g_dce_generic_list_id];
did = (DetectDceIfaceData *)temp->ctx;
if (did == NULL) {
SCReturnInt(0);
@ -694,11 +725,11 @@ static int DetectDceIfaceTestParse08(void)
result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<1,any_frag") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
if (s->sm_lists[g_dce_generic_list_id] == NULL) {
SCReturnInt(0);
}
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
temp = s->sm_lists[g_dce_generic_list_id];
did = (DetectDceIfaceData *)temp->ctx;
if (did == NULL) {
SCReturnInt(0);
@ -737,7 +768,7 @@ static int DetectDceIfaceTestParse09(void)
result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,=1,any_frag") == 0);
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
temp = s->sm_lists[g_dce_generic_list_id];
did = (DetectDceIfaceData *)temp->ctx;
if (did == NULL) {
SCReturnInt(0);
@ -776,11 +807,11 @@ static int DetectDceIfaceTestParse10(void)
result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,!1,any_frag") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
if (s->sm_lists[g_dce_generic_list_id] == NULL) {
SCReturnInt(0);
}
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
temp = s->sm_lists[g_dce_generic_list_id];
did = (DetectDceIfaceData *)temp->ctx;
if (did == NULL) {
SCReturnInt(0);
@ -831,7 +862,6 @@ static int DetectDceIfaceTestParse11(void)
*/
static int DetectDceIfaceTestParse12(void)
{
int result = 0;
Signature *s = NULL;
ThreadVars th_v;
Packet *p = NULL;
@ -897,103 +927,60 @@ static int DetectDceIfaceTestParse12(void)
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
FAIL_IF(de_ctx == NULL);
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0,any_frag; "
"sid:1;)");
if (s == NULL)
goto end;
FAIL_IF(s == NULL);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SCLogDebug("handling to_server chunk");
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
STREAM_TOSERVER | STREAM_START, dcerpc_bind,
dcerpc_bind_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
SCLogDebug("no dcerpc state: ");
goto end;
}
FAIL_IF(dcerpc_state == NULL);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sid 1 didn't match (1): ");
goto end;
}
FAIL_IF(PacketAlertCheck(p, 1));
SCLogDebug("handling to_client chunk");
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
STREAM_TOCLIENT, dcerpc_bindack,
dcerpc_bindack_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 1));
if (PacketAlertCheck(p, 1)) {
printf("sid 1 matched, but shouldn't have: ");
goto end;
}
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
STREAM_TOCLIENT, dcerpc_request,
dcerpc_request_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1)) {
printf("sid 1 matched, but shouldn't have: ");
goto end;
}
result = 1;
end:
FAIL_IF(!PacketAlertCheck(p, 1));
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
PASS;
}
/* Disabled because of bug_753. Would be enabled, once we rewrite

58
src/detect-dce-opnum.c
Unescape Escape View File

@ -53,11 +53,13 @@
static pcre *parse_regex = NULL;
static pcre_extra *parse_regex_study = NULL;
static int DetectDceOpnumMatch(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t,
void *, const Signature *, const SigMatchData *);
static int DetectDceOpnumMatch(ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t, void *, void *,
const Signature *, const SigMatchCtx *);
static int DetectDceOpnumSetup(DetectEngineCtx *, Signature *, char *);
static void DetectDceOpnumFree(void *);
static void DetectDceOpnumRegisterTests(void);
static int g_dce_generic_list_id = 0;
/**
* \brief Registers the keyword handlers for the "dce_opnum" keyword.
@ -66,7 +68,7 @@ void DetectDceOpnumRegister(void)
{
sigmatch_table[DETECT_DCE_OPNUM].name = "dce_opnum";
sigmatch_table[DETECT_DCE_OPNUM].Match = NULL;
sigmatch_table[DETECT_DCE_OPNUM].AppLayerMatch = DetectDceOpnumMatch;
sigmatch_table[DETECT_DCE_OPNUM].AppLayerTxMatch = DetectDceOpnumMatch;
sigmatch_table[DETECT_DCE_OPNUM].Setup = DetectDceOpnumSetup;
sigmatch_table[DETECT_DCE_OPNUM].Free = DetectDceOpnumFree;
sigmatch_table[DETECT_DCE_OPNUM].RegisterTests = DetectDceOpnumRegisterTests;
@ -74,6 +76,8 @@ void DetectDceOpnumRegister(void)
sigmatch_table[DETECT_DCE_OPNUM].flags |= SIGMATCH_PAYLOAD;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
}
/**
@ -240,12 +244,12 @@ static DetectDceOpnumData *DetectDceOpnumArgParse(const char *arg)
* \retval 0 On no match.
*/
static int DetectDceOpnumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state,
const Signature *s, const SigMatchData *m)
Flow *f, uint8_t flags, void *state, void *txv,
const Signature *s, const SigMatchCtx *m)
{
SCEnter();
DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m->ctx;
DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
DetectDceOpnumRange *dor = dce_data->range;
DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
@ -291,14 +295,19 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
if (arg == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
"signature, option needs a value");
goto error;
return -1;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
return -1;
}
dod = DetectDceOpnumArgParse(arg);
if (dod == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
"signature");
goto error;
return -1;
}
sm = SigMatchAlloc();
@ -308,12 +317,7 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
sm->type = DETECT_DCE_OPNUM;
sm->ctx = (void *)dod;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
goto error;
}
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
s->alproto = ALPROTO_DCERPC;
/* Flagged the signature as to inspect the app layer data */
@ -363,7 +367,7 @@ static int DetectDceOpnumTestParse01(void)
result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513--") == -1);
result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-8") == -1);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
SigFree(s);
result &= 1;
}
@ -381,8 +385,8 @@ static int DetectDceOpnumTestParse02(void)
result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;
@ -408,8 +412,8 @@ static int DetectDceOpnumTestParse03(void)
result = (DetectDceOpnumSetup(NULL, s, "12-24") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;
@ -435,8 +439,8 @@ static int DetectDceOpnumTestParse04(void)
result = (DetectDceOpnumSetup(NULL, s, "12-24,24,62-72,623-635,62,25,213-235") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;
@ -499,8 +503,8 @@ static int DetectDceOpnumTestParse05(void)
result = (DetectDceOpnumSetup(NULL, s, "1,2,3,4,5,6,7") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;
@ -563,8 +567,8 @@ static int DetectDceOpnumTestParse06(void)
result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;
@ -609,8 +613,8 @@ static int DetectDceOpnumTestParse07(void)
result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8,9") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
temp = s->sm_lists[DETECT_SM_LIST_AMATCH];
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;

Write Preview
Loading…
Cancel
Save