mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
187 lines
6.2 KiB
C
187 lines
6.2 KiB
C
/* Copyright (C) 2020 Open Information Security Foundation
|
|
*
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
* the GNU General Public License version 2 as published by the Free
|
|
* Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA.
|
|
*/
|
|
|
|
/**
|
|
* \file
|
|
*
|
|
* \author Jeff Lucovsky <jeff@lucovsky.org>
|
|
*
|
|
* Implements the dotprefix transformation
|
|
*/
|
|
|
|
#include "suricata-common.h"
|
|
|
|
#include "detect.h"
|
|
#include "detect-engine.h"
|
|
#include "detect-engine-prefilter.h"
|
|
#include "detect-parse.h"
|
|
#include "detect-transform-dotprefix.h"
|
|
#include "detect-engine-build.h"
|
|
|
|
#include "util-unittest.h"
|
|
#include "util-print.h"
|
|
#include "util-memrchr.h"
|
|
#include "util-memcpy.h"
|
|
|
|
static int DetectTransformDotPrefixSetup (DetectEngineCtx *, Signature *, const char *);
|
|
#ifdef UNITTESTS
|
|
static void DetectTransformDotPrefixRegisterTests(void);
|
|
#endif
|
|
static void TransformDotPrefix(InspectionBuffer *buffer, void *options);
|
|
|
|
void DetectTransformDotPrefixRegister(void)
|
|
{
|
|
sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].name = "dotprefix";
|
|
sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].desc =
|
|
"modify buffer to extract the dotprefix";
|
|
sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].url =
|
|
"/rules/transforms.html#dotprefix";
|
|
sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].Transform = TransformDotPrefix;
|
|
sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].Setup = DetectTransformDotPrefixSetup;
|
|
#ifdef UNITTESTS
|
|
sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].RegisterTests =
|
|
DetectTransformDotPrefixRegisterTests;
|
|
#endif
|
|
sigmatch_table[DETECT_TRANSFORM_DOTPREFIX].flags |= SIGMATCH_NOOPT;
|
|
}
|
|
|
|
/**
|
|
* \internal
|
|
* \brief Extract the dotprefix, if any, the last pattern match, either content or uricontent
|
|
* \param det_ctx detection engine ctx
|
|
* \param s signature
|
|
* \param nullstr should be null
|
|
* \retval 0 ok
|
|
* \retval -1 failure
|
|
*/
|
|
static int DetectTransformDotPrefixSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
|
|
{
|
|
SCEnter();
|
|
int r = DetectSignatureAddTransform(s, DETECT_TRANSFORM_DOTPREFIX, NULL);
|
|
SCReturnInt(r);
|
|
}
|
|
|
|
/**
|
|
* \brief Return the dotprefix, if any, in the last pattern match.
|
|
*
|
|
* Input values are modified by prefixing with a ".".
|
|
*
|
|
* Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".google.com"; sid:1;)"
|
|
* 1. hello.google.com --> match
|
|
* 2. hey.agoogle.com --> no match
|
|
* 3. agoogle.com --> no match
|
|
* 4. something.google.com.au --> match
|
|
* 5. google.com --> match
|
|
*
|
|
* To match on the dotprefix only:
|
|
* Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".google.com"; endswith; sid:1;)"
|
|
*
|
|
* 1. hello.google.com --> match
|
|
* 2. hey.agoogle.com --> no match
|
|
* 3. agoogle.com --> no match
|
|
* 4. something.google.com.au --> no match
|
|
* 5. google.com --> match
|
|
*
|
|
* To match on a TLD:
|
|
* Rule: "alert dns any any -> any any (dns_query; dotprefix; content:".co.uk"; endswith; sid:1;)"
|
|
*
|
|
* 1. hello.google.com --> no match
|
|
* 2. hey.agoogle.com --> no match
|
|
* 3. agoogle.com --> no match
|
|
* 4. something.google.co.uk --> match
|
|
* 5. google.com --> no match
|
|
*/
|
|
static void TransformDotPrefix(InspectionBuffer *buffer, void *options)
|
|
{
|
|
const size_t input_len = buffer->inspect_len;
|
|
|
|
if (input_len) {
|
|
uint8_t output[input_len + 1]; // For the leading '.'
|
|
|
|
output[0] = '.';
|
|
memcpy(&output[1], buffer->inspect, input_len);
|
|
InspectionBufferCopy(buffer, output, input_len + 1);
|
|
}
|
|
}
|
|
|
|
#ifdef UNITTESTS
|
|
static int DetectTransformDotPrefixTest01(void)
|
|
{
|
|
const uint8_t *input = (const uint8_t *)"example.com";
|
|
uint32_t input_len = strlen((char *)input);
|
|
|
|
const char *result = ".example.com";
|
|
uint32_t result_len = strlen((char *)result);
|
|
|
|
InspectionBuffer buffer;
|
|
InspectionBufferInit(&buffer, input_len);
|
|
InspectionBufferSetup(NULL, -1, &buffer, input, input_len);
|
|
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
|
|
TransformDotPrefix(&buffer, NULL);
|
|
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
|
|
FAIL_IF_NOT(buffer.inspect_len == result_len);
|
|
FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0);
|
|
InspectionBufferFree(&buffer);
|
|
PASS;
|
|
}
|
|
|
|
static int DetectTransformDotPrefixTest02(void)
|
|
{
|
|
const uint8_t *input = (const uint8_t *)"hello.example.com";
|
|
uint32_t input_len = strlen((char *)input);
|
|
|
|
const char *result = ".hello.example.com";
|
|
uint32_t result_len = strlen((char *)result);
|
|
|
|
InspectionBuffer buffer;
|
|
InspectionBufferInit(&buffer, input_len);
|
|
InspectionBufferSetup(NULL, -1, &buffer, input, input_len);
|
|
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
|
|
TransformDotPrefix(&buffer, NULL);
|
|
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
|
|
FAIL_IF_NOT(buffer.inspect_len == result_len);
|
|
FAIL_IF_NOT(strncmp(result, (const char *)buffer.inspect, result_len) == 0);
|
|
InspectionBufferFree(&buffer);
|
|
PASS;
|
|
}
|
|
|
|
static int DetectTransformDotPrefixTest03(void)
|
|
{
|
|
const char rule[] = "alert dns any any -> any any (dns.query; dotprefix; content:\".google.com\"; sid:1;)";
|
|
ThreadVars th_v;
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
|
|
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
|
|
FAIL_IF_NULL(de_ctx);
|
|
Signature *s = DetectEngineAppendSig(de_ctx, rule);
|
|
FAIL_IF_NULL(s);
|
|
SigGroupBuild(de_ctx);
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
|
|
DetectEngineCtxFree(de_ctx);
|
|
PASS;
|
|
}
|
|
|
|
static void DetectTransformDotPrefixRegisterTests(void)
|
|
{
|
|
UtRegisterTest("DetectTransformDotPrefixTest01", DetectTransformDotPrefixTest01);
|
|
UtRegisterTest("DetectTransformDotPrefixTest02", DetectTransformDotPrefixTest02);
|
|
UtRegisterTest("DetectTransformDotPrefixTest03", DetectTransformDotPrefixTest03);
|
|
}
|
|
#endif
|