diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:39:49 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:39:49 +0000 |
commit | a0aa2307322cd47bbf416810ac0292925e03be87 (patch) | |
tree | 37076262a026c4b48c8a0e84f44ff9187556ca35 /src/detect-base64-data.c | |
parent | Initial commit. (diff) | |
download | suricata-a0aa2307322cd47bbf416810ac0292925e03be87.tar.xz suricata-a0aa2307322cd47bbf416810ac0292925e03be87.zip |
Adding upstream version 1:7.0.3.upstream/1%7.0.3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/detect-base64-data.c')
-rw-r--r-- | src/detect-base64-data.c | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/src/detect-base64-data.c b/src/detect-base64-data.c new file mode 100644 index 0000000..4c892a9 --- /dev/null +++ b/src/detect-base64-data.c @@ -0,0 +1,165 @@ +/* Copyright (C) 2015 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#include "suricata-common.h" +#include "detect.h" +#include "detect-engine.h" +#include "detect-engine-content-inspection.h" +#include "detect-parse.h" +#include "detect-base64-data.h" +#include "detect-engine-build.h" + +#include "util-unittest.h" + +static int DetectBase64DataSetup(DetectEngineCtx *, Signature *, const char *); +#ifdef UNITTESTS +static void DetectBase64DataRegisterTests(void); +#endif + +void DetectBase64DataRegister(void) +{ + sigmatch_table[DETECT_BASE64_DATA].name = "base64_data"; + sigmatch_table[DETECT_BASE64_DATA].desc = + "Content match base64 decoded data."; + sigmatch_table[DETECT_BASE64_DATA].url = + "/rules/base64-keywords.html#base64-data"; + sigmatch_table[DETECT_BASE64_DATA].Setup = DetectBase64DataSetup; +#ifdef UNITTESTS + sigmatch_table[DETECT_BASE64_DATA].RegisterTests = + DetectBase64DataRegisterTests; +#endif + sigmatch_table[DETECT_BASE64_DATA].flags |= SIGMATCH_NOOPT; +} + +static int DetectBase64DataSetup(DetectEngineCtx *de_ctx, Signature *s, + const char *str) +{ + SigMatch *pm = NULL; + + /* Check for a preceding base64_decode. */ + pm = DetectGetLastSMFromLists(s, DETECT_BASE64_DECODE, -1); + if (pm == NULL) { + SCLogError("\"base64_data\" keyword seen without preceding base64_decode."); + return -1; + } + + s->init_data->list = DETECT_SM_LIST_BASE64_DATA; + return 0; +} + +int DetectBase64DataDoMatch(DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f) +{ + if (det_ctx->base64_decoded_len) { + return DetectEngineContentInspection(de_ctx, det_ctx, s, + s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], NULL, f, det_ctx->base64_decoded, + det_ctx->base64_decoded_len, 0, DETECT_CI_FLAGS_SINGLE, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + } + + return 0; +} + +#ifdef UNITTESTS + +static int g_file_data_buffer_id = 0; + +static int DetectBase64DataSetupTest01(void) +{ + DetectEngineCtx *de_ctx = NULL; + SigMatch *sm; + int retval = 0; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert smtp any any -> any any (msg:\"DetectBase64DataSetupTest\"; " + "base64_decode; base64_data; content:\"content\"; sid:1; rev:1;)"); + if (de_ctx->sig_list == NULL) { + printf("SigInit failed: "); + goto end; + } + + sm = de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH]; + if (sm == NULL) { + printf("DETECT_SM_LIST_PMATCH should not be NULL: "); + goto end; + } + if (sm->type != DETECT_BASE64_DECODE) { + printf("sm->type should be DETECT_BASE64_DECODE: "); + goto end; + } + + if (de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_BASE64_DATA] == NULL) { + printf("DETECT_SM_LIST_BASE64_DATA should not be NULL: "); + goto end; + } + + retval = 1; +end: + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + } + return retval; +} + +/** + * \test Test that the list can be changed to post-detection lists + * after the base64 keyword. + */ +static int DetectBase64DataSetupTest04(void) +{ + DetectEngineCtx *de_ctx = NULL; + int retval = 0; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert tcp any any -> any any (msg:\"some b64thing\"; flow:established,from_server; file_data; content:\"sometext\"; fast_pattern; base64_decode:relative; base64_data; content:\"foobar\"; nocase; tag:session,120,seconds; sid:1111111; rev:1;)"); + if (de_ctx->sig_list == NULL) { + printf("SigInit failed: "); + goto end; + } + + retval = 1; +end: + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + } + return retval; +} + +static void DetectBase64DataRegisterTests(void) +{ + g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + + UtRegisterTest("DetectBase64DataSetupTest01", DetectBase64DataSetupTest01); + UtRegisterTest("DetectBase64DataSetupTest04", DetectBase64DataSetupTest04); +} +#endif /* UNITTESTS */ |