mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
898 lines
29 KiB
C
898 lines
29 KiB
C
/*
|
|
* Copyright (C) 2014 ANSSI
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. The name of the author may not be used to endorse or promote products
|
|
* derived from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
|
* THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
|
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
/**
|
|
* \file
|
|
*
|
|
* \author David DIALLO <diallo@et.esiea.fr>
|
|
*
|
|
* Implements the Modbus function and access keywords
|
|
* You can specify a:
|
|
* - concrete function like Modbus:
|
|
* function 8, subfunction 4 (diagnostic: Force Listen Only Mode)
|
|
* - data (in primary table) register access (r/w) like Modbus:
|
|
* access read coils, address 1000 (.i.e Read coils: at address 1000)
|
|
* - write data value at specific address Modbus:
|
|
* access write, address 1500<>2000, value >2000 (Write multiple coils/register:
|
|
* at address between 1500 and 2000 value greater than 2000)
|
|
*/
|
|
|
|
#include "suricata-common.h"
|
|
|
|
#include "detect.h"
|
|
#include "detect-parse.h"
|
|
|
|
#include "detect-modbus.h"
|
|
|
|
#include "util-debug.h"
|
|
|
|
#include "app-layer-modbus.h"
|
|
|
|
#include "stream-tcp.h"
|
|
|
|
/**
|
|
* \brief Regex for parsing the Modbus function string
|
|
*/
|
|
#define PARSE_REGEX_FUNCTION "^\\s*\"?\\s*function\\s*(!?[A-z0-9]+)(,\\s*subfunction\\s+(\\d+))?\\s*\"?\\s*$"
|
|
static pcre *function_parse_regex;
|
|
static pcre_extra *function_parse_regex_study;
|
|
|
|
/**
|
|
* \brief Regex for parsing the Modbus access string
|
|
*/
|
|
#define PARSE_REGEX_ACCESS "^\\s*\"?\\s*access\\s*(read|write)\\s*(discretes|coils|input|holding)?(,\\s*address\\s+([<>]?\\d+)(<>\\d+)?(,\\s*value\\s+([<>]?\\d+)(<>\\d+)?)?)?\\s*\"?\\s*$"
|
|
static pcre *access_parse_regex;
|
|
static pcre_extra *access_parse_regex_study;
|
|
|
|
#define MAX_SUBSTRINGS 30
|
|
|
|
void DetectModbusRegisterTests(void);
|
|
|
|
/** \internal
|
|
*
|
|
* \brief this function will free memory associated with DetectModbus
|
|
*
|
|
* \param ptr pointer to DetectModbus
|
|
*/
|
|
static void DetectModbusFree(void *ptr) {
|
|
SCEnter();
|
|
DetectModbus *modbus = (DetectModbus *) ptr;
|
|
|
|
if(modbus) {
|
|
if (modbus->subfunction)
|
|
SCFree(modbus->subfunction);
|
|
|
|
if (modbus->address)
|
|
SCFree(modbus->address);
|
|
|
|
if (modbus->data)
|
|
SCFree(modbus->data);
|
|
|
|
SCFree(modbus);
|
|
}
|
|
}
|
|
|
|
/** \internal
|
|
*
|
|
* \brief This function is used to parse Modbus parameters in access mode
|
|
*
|
|
* \param str Pointer to the user provided id option
|
|
*
|
|
* \retval Pointer to DetectModbusData on success or NULL on failure
|
|
*/
|
|
static DetectModbus *DetectModbusAccessParse(char *str)
|
|
{
|
|
SCEnter();
|
|
DetectModbus *modbus = NULL;
|
|
|
|
char arg[MAX_SUBSTRINGS];
|
|
int ov[MAX_SUBSTRINGS], ret, res;
|
|
|
|
ret = pcre_exec(access_parse_regex, access_parse_regex_study, str, strlen(str), 0, 0, ov, MAX_SUBSTRINGS);
|
|
|
|
if (ret < 1)
|
|
goto error;
|
|
|
|
res = pcre_copy_substring(str, ov, MAX_SUBSTRINGS, 1, arg, MAX_SUBSTRINGS);
|
|
if (res < 0) {
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
goto error;
|
|
}
|
|
|
|
/* We have a correct Modbus option */
|
|
modbus = (DetectModbus *) SCCalloc(1, sizeof(DetectModbus));
|
|
if (unlikely(modbus == NULL))
|
|
goto error;
|
|
|
|
if (strcmp(arg, "read") == 0)
|
|
modbus->type = MODBUS_TYP_READ;
|
|
else if (strcmp(arg, "write") == 0)
|
|
modbus->type = MODBUS_TYP_WRITE;
|
|
else
|
|
goto error;
|
|
|
|
if (ret > 2) {
|
|
res = pcre_copy_substring(str, ov, MAX_SUBSTRINGS, 2, arg, MAX_SUBSTRINGS);
|
|
if (res < 0) {
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
goto error;
|
|
}
|
|
|
|
if (*arg != '\0') {
|
|
if (strcmp(arg, "discretes") == 0) {
|
|
if (modbus->type == MODBUS_TYP_WRITE)
|
|
/* Discrete access is only read access. */
|
|
goto error;
|
|
|
|
modbus->type |= MODBUS_TYP_DISCRETES;
|
|
}
|
|
else if (strcmp(arg, "coils") == 0) {
|
|
modbus->type |= MODBUS_TYP_COILS;
|
|
}
|
|
else if (strcmp(arg, "input") == 0) {
|
|
if (modbus->type == MODBUS_TYP_WRITE) {
|
|
/* Input access is only read access. */
|
|
goto error;
|
|
}
|
|
|
|
modbus->type |= MODBUS_TYP_INPUT;
|
|
}
|
|
else if (strcmp(arg, "holding") == 0) {
|
|
modbus->type |= MODBUS_TYP_HOLDING;
|
|
}
|
|
else
|
|
goto error;
|
|
}
|
|
|
|
if (ret > 4) {
|
|
res = pcre_copy_substring(str, ov, MAX_SUBSTRINGS, 4, arg, MAX_SUBSTRINGS);
|
|
if (res < 0) {
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
goto error;
|
|
}
|
|
|
|
/* We have a correct address option */
|
|
modbus->address = (DetectModbusValue *) SCCalloc(1, sizeof(DetectModbusValue));
|
|
if (unlikely(modbus->address == NULL))
|
|
goto error;
|
|
|
|
if (arg[0] == '>') {
|
|
modbus->address->min = atoi((const char*) (arg+1));
|
|
modbus->address->mode = DETECT_MODBUS_GT;
|
|
} else if (arg[0] == '<') {
|
|
modbus->address->min = atoi((const char*) (arg+1));
|
|
modbus->address->mode = DETECT_MODBUS_LT;
|
|
} else {
|
|
modbus->address->min = atoi((const char*) arg);
|
|
}
|
|
SCLogDebug("and min/equal address %d", modbus->address->min);
|
|
|
|
if (ret > 5) {
|
|
res = pcre_copy_substring(str, ov, MAX_SUBSTRINGS, 5, arg, MAX_SUBSTRINGS);
|
|
if (res < 0) {
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
goto error;
|
|
}
|
|
|
|
if (*arg != '\0') {
|
|
modbus->address->max = atoi((const char*) (arg+2));
|
|
modbus->address->mode = DETECT_MODBUS_RA;
|
|
SCLogDebug("and max address %d", modbus->address->max);
|
|
}
|
|
|
|
if (ret > 7) {
|
|
res = pcre_copy_substring(str, ov, MAX_SUBSTRINGS, 7, arg, MAX_SUBSTRINGS);
|
|
if (res < 0) {
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
goto error;
|
|
}
|
|
|
|
if (modbus->address->mode != DETECT_MODBUS_EQ) {
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords (address range and value).");
|
|
goto error;
|
|
}
|
|
|
|
/* We have a correct address option */
|
|
modbus->data = (DetectModbusValue *) SCCalloc(1, sizeof(DetectModbusValue));
|
|
if (unlikely(modbus->data == NULL))
|
|
goto error;
|
|
|
|
if (arg[0] == '>') {
|
|
modbus->data->min = atoi((const char*) (arg+1));
|
|
modbus->data->mode = DETECT_MODBUS_GT;
|
|
} else if (arg[0] == '<') {
|
|
modbus->data->min = atoi((const char*) (arg+1));
|
|
modbus->data->mode = DETECT_MODBUS_LT;
|
|
} else {
|
|
modbus->data->min = atoi((const char*) arg);
|
|
}
|
|
SCLogDebug("and min/equal value %d", modbus->data->min);
|
|
|
|
if (ret > 8) {
|
|
res = pcre_copy_substring(str, ov, MAX_SUBSTRINGS, 8, arg, MAX_SUBSTRINGS);
|
|
if (res < 0) {
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
goto error;
|
|
}
|
|
|
|
if (*arg != '\0') {
|
|
modbus->data->max = atoi((const char*) (arg+2));
|
|
modbus->data->mode = DETECT_MODBUS_RA;
|
|
SCLogDebug("and max value %d", modbus->data->max);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
SCReturnPtr(modbus, "DetectModbusAccess");
|
|
|
|
error:
|
|
if (modbus != NULL)
|
|
DetectModbusFree(modbus);
|
|
|
|
SCReturnPtr(NULL, "DetectModbus");
|
|
}
|
|
|
|
/** \internal
|
|
*
|
|
* \brief This function is used to parse Modbus parameters in function mode
|
|
*
|
|
* \param str Pointer to the user provided id option
|
|
*
|
|
* \retval id_d pointer to DetectModbusData on success
|
|
* \retval NULL on failure
|
|
*/
|
|
static DetectModbus *DetectModbusFunctionParse(char *str)
|
|
{
|
|
SCEnter();
|
|
DetectModbus *modbus = NULL;
|
|
|
|
char arg[MAX_SUBSTRINGS], *ptr = arg;
|
|
int ov[MAX_SUBSTRINGS], res, ret;
|
|
|
|
ret = pcre_exec(function_parse_regex, function_parse_regex_study, str, strlen(str), 0, 0, ov, MAX_SUBSTRINGS);
|
|
|
|
if (ret < 1)
|
|
goto error;
|
|
|
|
res = pcre_copy_substring(str, ov, MAX_SUBSTRINGS, 1, arg, MAX_SUBSTRINGS);
|
|
if (res < 0) {
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
goto error;
|
|
}
|
|
|
|
/* We have a correct Modbus function option */
|
|
modbus = (DetectModbus *) SCCalloc(1, sizeof(DetectModbus));
|
|
if (unlikely(modbus == NULL))
|
|
goto error;
|
|
|
|
if (isdigit(ptr[0])) {
|
|
modbus->function = atoi((const char*) ptr);
|
|
SCLogDebug("will look for modbus function %d", modbus->function);
|
|
|
|
if (ret > 2) {
|
|
res = pcre_copy_substring(str, ov, MAX_SUBSTRINGS, 3, arg, MAX_SUBSTRINGS);
|
|
if (res < 0) {
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
goto error;
|
|
}
|
|
|
|
/* We have a correct address option */
|
|
modbus->subfunction =(uint16_t *) SCCalloc(1, sizeof(uint16_t));
|
|
if (modbus->subfunction == NULL)
|
|
goto error;
|
|
|
|
*(modbus->subfunction) = atoi((const char*) arg);
|
|
SCLogDebug("and subfunction %d", *(modbus->subfunction));
|
|
}
|
|
} else {
|
|
uint8_t neg = 0;
|
|
|
|
if (ptr[0] == '!') {
|
|
neg = 1;
|
|
ptr++;
|
|
}
|
|
|
|
if (strcmp("assigned", ptr) == 0)
|
|
modbus->category = MODBUS_CAT_PUBLIC_ASSIGNED;
|
|
else if (strcmp("unassigned", ptr) == 0)
|
|
modbus->category = MODBUS_CAT_PUBLIC_UNASSIGNED;
|
|
else if (strcmp("public", ptr) == 0)
|
|
modbus->category = MODBUS_CAT_PUBLIC_ASSIGNED | MODBUS_CAT_PUBLIC_UNASSIGNED;
|
|
else if (strcmp("user", ptr) == 0)
|
|
modbus->category = MODBUS_CAT_USER_DEFINED;
|
|
else if (strcmp("reserved", ptr) == 0)
|
|
modbus->category = MODBUS_CAT_RESERVED;
|
|
else if (strcmp("all", ptr) == 0)
|
|
modbus->category = MODBUS_CAT_ALL;
|
|
|
|
if (neg)
|
|
modbus->category = ~modbus->category;
|
|
SCLogDebug("will look for modbus category function %d", modbus->category);
|
|
}
|
|
|
|
SCReturnPtr(modbus, "DetectModbusFunction");
|
|
|
|
error:
|
|
if (modbus != NULL)
|
|
DetectModbusFree(modbus);
|
|
|
|
SCReturnPtr(NULL, "DetectModbus");
|
|
}
|
|
|
|
/** \internal
|
|
*
|
|
* \brief this function is used to add the parsed "id" option into the current signature
|
|
*
|
|
* \param de_ctx Pointer to the Detection Engine Context
|
|
* \param s Pointer to the Current Signature
|
|
* \param str Pointer to the user provided "id" option
|
|
*
|
|
* \retval 0 on Success or -1 on Failure
|
|
*/
|
|
static int DetectModbusSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
|
|
{
|
|
SCEnter();
|
|
DetectModbus *modbus = NULL;
|
|
SigMatch *sm = NULL;
|
|
|
|
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_MODBUS) {
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
|
|
goto error;
|
|
}
|
|
|
|
if ((modbus = DetectModbusFunctionParse(str)) == NULL) {
|
|
if ((modbus = DetectModbusAccessParse(str)) == NULL) {
|
|
SCLogError(SC_ERR_PCRE_MATCH, "invalid modbus option");
|
|
goto error;
|
|
}
|
|
}
|
|
|
|
/* Okay so far so good, lets get this into a SigMatch and put it in the Signature. */
|
|
sm = SigMatchAlloc();
|
|
if (sm == NULL)
|
|
goto error;
|
|
|
|
sm->type = DETECT_AL_MODBUS;
|
|
sm->ctx = (void *) modbus;
|
|
|
|
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MODBUS_MATCH);
|
|
s->alproto = ALPROTO_MODBUS;
|
|
|
|
SCReturnInt(0);
|
|
|
|
error:
|
|
if (modbus != NULL)
|
|
DetectModbusFree(modbus);
|
|
if (sm != NULL)
|
|
SCFree(sm);
|
|
SCReturnInt(-1);
|
|
}
|
|
|
|
/**
|
|
* \brief Registration function for Modbus keyword
|
|
*/
|
|
void DetectModbusRegister(void)
|
|
{
|
|
SCEnter();
|
|
sigmatch_table[DETECT_AL_MODBUS].name = "modbus";
|
|
sigmatch_table[DETECT_AL_MODBUS].Match = NULL;
|
|
sigmatch_table[DETECT_AL_MODBUS].AppLayerMatch = NULL;
|
|
sigmatch_table[DETECT_AL_MODBUS].alproto = ALPROTO_MODBUS;
|
|
sigmatch_table[DETECT_AL_MODBUS].Setup = DetectModbusSetup;
|
|
sigmatch_table[DETECT_AL_MODBUS].Free = DetectModbusFree;
|
|
sigmatch_table[DETECT_AL_MODBUS].RegisterTests = DetectModbusRegisterTests;
|
|
|
|
const char *eb;
|
|
int eo, opts = 0;
|
|
|
|
SCLogDebug("registering modbus rule option");
|
|
|
|
/* Function PARSE_REGEX */
|
|
function_parse_regex = pcre_compile(PARSE_REGEX_FUNCTION, opts, &eb, &eo, NULL);
|
|
if (function_parse_regex == NULL) {
|
|
SCLogError(SC_ERR_PCRE_COMPILE, "Compile of \"%s\" failed at offset %" PRId32 ": %s",
|
|
PARSE_REGEX_FUNCTION, eo, eb);
|
|
goto error;
|
|
}
|
|
|
|
function_parse_regex_study = pcre_study(function_parse_regex, 0, &eb);
|
|
if (eb != NULL) {
|
|
SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb);
|
|
goto error;
|
|
}
|
|
|
|
/* Access PARSE_REGEX */
|
|
access_parse_regex = pcre_compile(PARSE_REGEX_ACCESS, opts, &eb, &eo, NULL);
|
|
if (access_parse_regex == NULL) {
|
|
SCLogError(SC_ERR_PCRE_COMPILE, "Compile of \"%s\" failed at offset %" PRId32 ": %s",
|
|
PARSE_REGEX_ACCESS, eo, eb);
|
|
goto error;
|
|
}
|
|
|
|
access_parse_regex_study = pcre_study(access_parse_regex, 0, &eb);
|
|
if (eb != NULL) {
|
|
SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb);
|
|
goto error;
|
|
}
|
|
|
|
error:
|
|
SCReturn;
|
|
}
|
|
|
|
#ifdef UNITTESTS /* UNITTESTS */
|
|
#include "detect-engine.h"
|
|
|
|
#include "util-unittest.h"
|
|
|
|
/** \test Signature containing a function. */
|
|
static int DetectModbusTest01(void)
|
|
{
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectModbus *modbus = NULL;
|
|
|
|
int result = 0;
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert modbus any any -> any any "
|
|
"(msg:\"Testing modbus function\"; "
|
|
"modbus: function 1; sid:1;)");
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
if ((de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH] == NULL) ||
|
|
(de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx == NULL)) {
|
|
printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
|
|
goto end;
|
|
}
|
|
|
|
modbus = (DetectModbus *) de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx;
|
|
|
|
if (modbus->function != 1) {
|
|
printf("expected function %" PRIu8 ", got %" PRIu8 ": ", 1, modbus->function);
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
SigGroupCleanup(de_ctx);
|
|
SigCleanSignatures(de_ctx);
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
return result;
|
|
}
|
|
|
|
/** \test Signature containing a function and a subfunction. */
|
|
static int DetectModbusTest02(void)
|
|
{
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectModbus *modbus = NULL;
|
|
|
|
int result = 0;
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert modbus any any -> any any "
|
|
"(msg:\"Testing modbus function and subfunction\"; "
|
|
"modbus: function 8, subfunction 4; sid:1;)");
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
if ((de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH] == NULL) ||
|
|
(de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx == NULL)) {
|
|
printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
|
|
goto end;
|
|
}
|
|
|
|
modbus = (DetectModbus *) de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx;
|
|
|
|
if ((modbus->function != 8) || (*modbus->subfunction != 4)) {
|
|
printf("expected function %" PRIu8 ", got %" PRIu8 ": ", 1, modbus->function);
|
|
printf("expected subfunction %" PRIu8 ", got %" PRIu16 ": ", 4, *modbus->subfunction);
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
SigGroupCleanup(de_ctx);
|
|
SigCleanSignatures(de_ctx);
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
return result;
|
|
}
|
|
|
|
/** \test Signature containing a function category. */
|
|
static int DetectModbusTest03(void)
|
|
{
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectModbus *modbus = NULL;
|
|
|
|
int result = 0;
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert modbus any any -> any any "
|
|
"(msg:\"Testing modbus.function\"; "
|
|
"modbus: function reserved; sid:1;)");
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
if ((de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH] == NULL) ||
|
|
(de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx == NULL)) {
|
|
printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
|
|
goto end;
|
|
}
|
|
|
|
modbus = (DetectModbus *) de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx;
|
|
|
|
if (modbus->category != MODBUS_CAT_RESERVED) {
|
|
printf("expected function %" PRIu8 ", got %" PRIu8 ": ", MODBUS_CAT_RESERVED, modbus->category);
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
SigGroupCleanup(de_ctx);
|
|
SigCleanSignatures(de_ctx);
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
return result;
|
|
}
|
|
|
|
/** \test Signature containing a negative function category. */
|
|
static int DetectModbusTest04(void)
|
|
{
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectModbus *modbus = NULL;
|
|
|
|
uint8_t category = ~MODBUS_CAT_PUBLIC_ASSIGNED;
|
|
|
|
int result = 0;
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert modbus any any -> any any "
|
|
"(msg:\"Testing modbus function\"; "
|
|
"modbus: function !assigned; sid:1;)");
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
if ((de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH] == NULL) ||
|
|
(de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx == NULL)) {
|
|
printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
|
|
goto end;
|
|
}
|
|
|
|
modbus = (DetectModbus *) de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx;
|
|
|
|
if (modbus->category != category) {
|
|
printf("expected function %" PRIu8 ", got %" PRIu8 ": ", ~MODBUS_CAT_PUBLIC_ASSIGNED, modbus->category);
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
SigGroupCleanup(de_ctx);
|
|
SigCleanSignatures(de_ctx);
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
return result;
|
|
}
|
|
|
|
/** \test Signature containing a access type. */
|
|
static int DetectModbusTest05(void)
|
|
{
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectModbus *modbus = NULL;
|
|
|
|
int result = 0;
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert modbus any any -> any any "
|
|
"(msg:\"Testing modbus.access\"; "
|
|
"modbus: access read; sid:1;)");
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
if ((de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH] == NULL) ||
|
|
(de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx == NULL)) {
|
|
printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
|
|
goto end;
|
|
}
|
|
|
|
modbus = (DetectModbus *) de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx;
|
|
|
|
if (modbus->type != MODBUS_TYP_READ) {
|
|
printf("expected function %" PRIu8 ", got %" PRIu8 ": ", MODBUS_TYP_READ, modbus->type);
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
SigGroupCleanup(de_ctx);
|
|
SigCleanSignatures(de_ctx);
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
return result;
|
|
}
|
|
|
|
/** \test Signature containing a access function. */
|
|
static int DetectModbusTest06(void)
|
|
{
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectModbus *modbus = NULL;
|
|
|
|
uint8_t type = (MODBUS_TYP_READ | MODBUS_TYP_DISCRETES);
|
|
|
|
int result = 0;
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert modbus any any -> any any "
|
|
"(msg:\"Testing modbus.access\"; "
|
|
"modbus: access read discretes; sid:1;)");
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
if ((de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH] == NULL) ||
|
|
(de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx == NULL)) {
|
|
printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
|
|
goto end;
|
|
}
|
|
|
|
modbus = (DetectModbus *) de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx;
|
|
|
|
if (modbus->type != type) {
|
|
printf("expected function %" PRIu8 ", got %" PRIu8 ": ", type, modbus->type);
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
SigGroupCleanup(de_ctx);
|
|
SigCleanSignatures(de_ctx);
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
return result;
|
|
}
|
|
|
|
/** \test Signature containing a read access at an address. */
|
|
static int DetectModbusTest07(void)
|
|
{
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectModbus *modbus = NULL;
|
|
DetectModbusMode mode = DETECT_MODBUS_EQ;
|
|
|
|
uint8_t type = MODBUS_TYP_READ;
|
|
int result = 0;
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert modbus any any -> any any "
|
|
"(msg:\"Testing modbus.access\"; "
|
|
"modbus: access read, address 1000; sid:1;)");
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
if ((de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH] == NULL) ||
|
|
(de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx == NULL)) {
|
|
printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
|
|
goto end;
|
|
}
|
|
|
|
modbus = (DetectModbus *) de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx;
|
|
|
|
if ((modbus->type != type) ||
|
|
((*modbus->address).mode != mode) ||
|
|
((*modbus->address).min != 1000)) {
|
|
printf("expected function %" PRIu8 ", got %" PRIu8 ": ", type, modbus->type);
|
|
printf("expected mode %" PRIu8 ", got %" PRIu16 ": ", mode, (*modbus->address).mode);
|
|
printf("expected address %" PRIu8 ", got %" PRIu16 ": ", 1000, (*modbus->address).min);
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
SigGroupCleanup(de_ctx);
|
|
SigCleanSignatures(de_ctx);
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
return result;
|
|
}
|
|
|
|
/** \test Signature containing a write access at a range of address. */
|
|
static int DetectModbusTest08(void)
|
|
{
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectModbus *modbus = NULL;
|
|
DetectModbusMode mode = DETECT_MODBUS_GT;
|
|
|
|
uint8_t type = (MODBUS_TYP_WRITE | MODBUS_TYP_COILS);
|
|
int result = 0;
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert modbus any any -> any any "
|
|
"(msg:\"Testing modbus.access\"; "
|
|
"modbus: access write coils, address >500; sid:1;)");
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
if ((de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH] == NULL) ||
|
|
(de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx == NULL)) {
|
|
printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
|
|
goto end;
|
|
}
|
|
|
|
modbus = (DetectModbus *) de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx;
|
|
|
|
if ((modbus->type != type) ||
|
|
((*modbus->address).mode != mode) ||
|
|
((*modbus->address).min != 500)) {
|
|
printf("expected function %" PRIu8 ", got %" PRIu8 ": ", type, modbus->type);
|
|
printf("expected mode %" PRIu8 ", got %" PRIu16 ": ", mode, (*modbus->address).mode);
|
|
printf("expected address %" PRIu8 ", got %" PRIu16 ": ", 500, (*modbus->address).min);
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
SigGroupCleanup(de_ctx);
|
|
SigCleanSignatures(de_ctx);
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
return result;
|
|
}
|
|
|
|
/** \test Signature containing a write access at a address a range of value. */
|
|
static int DetectModbusTest09(void)
|
|
{
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
DetectModbus *modbus = NULL;
|
|
DetectModbusMode addressMode = DETECT_MODBUS_EQ;
|
|
DetectModbusMode valueMode = DETECT_MODBUS_RA;
|
|
|
|
uint8_t type = (MODBUS_TYP_WRITE | MODBUS_TYP_HOLDING);
|
|
int result = 0;
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
if (de_ctx == NULL)
|
|
goto end;
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert modbus any any -> any any "
|
|
"(msg:\"Testing modbus.access\"; "
|
|
"modbus: access write holding, address 100, value 500<>1000; sid:1;)");
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
goto end;
|
|
|
|
if ((de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH] == NULL) ||
|
|
(de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx == NULL)) {
|
|
printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
|
|
goto end;
|
|
}
|
|
|
|
modbus = (DetectModbus *) de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_MODBUS_MATCH]->ctx;
|
|
|
|
if ((modbus->type != type) ||
|
|
((*modbus->address).mode != addressMode) ||
|
|
((*modbus->address).min != 100) ||
|
|
((*modbus->data).mode != valueMode) ||
|
|
((*modbus->data).min != 500) ||
|
|
((*modbus->data).max != 1000)) {
|
|
printf("expected function %" PRIu8 ", got %" PRIu8 ": ", type, modbus->type);
|
|
printf("expected address mode %" PRIu8 ", got %" PRIu16 ": ", addressMode, (*modbus->address).mode);
|
|
printf("expected address %" PRIu8 ", got %" PRIu16 ": ", 500, (*modbus->address).min);
|
|
printf("expected value mode %" PRIu8 ", got %" PRIu16 ": ", valueMode, (*modbus->data).mode);
|
|
printf("expected min value %" PRIu8 ", got %" PRIu16 ": ", 500, (*modbus->data).min);
|
|
printf("expected max value %" PRIu8 ", got %" PRIu16 ": ", 1000, (*modbus->data).max);
|
|
goto end;
|
|
}
|
|
|
|
result = 1;
|
|
|
|
end:
|
|
SigGroupCleanup(de_ctx);
|
|
SigCleanSignatures(de_ctx);
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
return result;
|
|
}
|
|
#endif /* UNITTESTS */
|
|
|
|
/**
|
|
* \brief this function registers unit tests for DetectModbus
|
|
*/
|
|
void DetectModbusRegisterTests(void)
|
|
{
|
|
#ifdef UNITTESTS /* UNITTESTS */
|
|
UtRegisterTest("DetectModbusTest01 - Testing function", DetectModbusTest01, 1);
|
|
UtRegisterTest("DetectModbusTest02 - Testing function and subfunction", DetectModbusTest02, 1);
|
|
UtRegisterTest("DetectModbusTest03 - Testing category function", DetectModbusTest03, 1);
|
|
UtRegisterTest("DetectModbusTest04 - Testing category function in negative", DetectModbusTest04, 1);
|
|
UtRegisterTest("DetectModbusTest05 - Testing access type", DetectModbusTest05, 1);
|
|
UtRegisterTest("DetectModbusTest06 - Testing access function", DetectModbusTest06, 1);
|
|
UtRegisterTest("DetectModbusTest07 - Testing access at address", DetectModbusTest07, 1);
|
|
UtRegisterTest("DetectModbusTest08 - Testing a range of address", DetectModbusTest08, 1);
|
|
UtRegisterTest("DetectModbusTest09 - Testing write a range of value", DetectModbusTest09, 1);
|
|
#endif /* UNITTESTS */
|
|
}
|