Adding upstream version 1:7.0.3.upstream/1%7.0.3

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 401 insertions, 0 deletions

diff --git a/src/detect-engine-event.c b/src/detect-engine-event.c
new file mode 100644
index 0000000..82f8384
--- /dev/null
+++ b/src/detect-engine-event.c
@@ -0,0 +1,401 @@
+/* Copyright (C) 2007-2021 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Breno Silva <breno.silva@gmail.com>
+ *
+ * Implements the decode-event keyword
+ */
+
+#include "suricata-common.h"
+#include "suricata.h"
+#include "decode.h"
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "flow-var.h"
+#include "decode-events.h"
+
+#include "util-debug.h"
+
+#include "stream-tcp.h"
+
+
+/* Need to get the DEvents[] array */
+
+#include "detect-engine-event.h"
+#include "util-unittest.h"
+
+#define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z0-9_+.]+$"
+
+static DetectParseRegex parse_regex;
+
+static int DetectEngineEventMatch (DetectEngineThreadCtx *,
+        Packet *, const Signature *, const SigMatchCtx *);
+static int DetectEngineEventSetup (DetectEngineCtx *, Signature *, const char *);
+static int DetectDecodeEventSetup (DetectEngineCtx *, Signature *, const char *);
+static int DetectStreamEventSetup (DetectEngineCtx *, Signature *, const char *);
+static void DetectEngineEventFree (DetectEngineCtx *, void *);
+#ifdef UNITTESTS
+void EngineEventRegisterTests(void);
+#endif
+
+/**
+ * \brief Registration function for decode-event: keyword
+ */
+void DetectEngineEventRegister (void)
+{
+    sigmatch_table[DETECT_ENGINE_EVENT].name = "engine-event";
+    sigmatch_table[DETECT_ENGINE_EVENT].Match = DetectEngineEventMatch;
+    sigmatch_table[DETECT_ENGINE_EVENT].Setup = DetectEngineEventSetup;
+    sigmatch_table[DETECT_ENGINE_EVENT].Free  = DetectEngineEventFree;
+#ifdef UNITTESTS
+    sigmatch_table[DETECT_ENGINE_EVENT].RegisterTests = EngineEventRegisterTests;
+#endif
+
+    sigmatch_table[DETECT_DECODE_EVENT].name = "decode-event";
+    sigmatch_table[DETECT_DECODE_EVENT].Match = DetectEngineEventMatch;
+    sigmatch_table[DETECT_DECODE_EVENT].Setup = DetectDecodeEventSetup;
+    sigmatch_table[DETECT_DECODE_EVENT].Free  = DetectEngineEventFree;
+    sigmatch_table[DETECT_DECODE_EVENT].flags |= SIGMATCH_DEONLY_COMPAT;
+
+    sigmatch_table[DETECT_STREAM_EVENT].name = "stream-event";
+    sigmatch_table[DETECT_STREAM_EVENT].Match = DetectEngineEventMatch;
+    sigmatch_table[DETECT_STREAM_EVENT].Setup = DetectStreamEventSetup;
+    sigmatch_table[DETECT_STREAM_EVENT].Free  = DetectEngineEventFree;
+
+    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
+}
+
+/**
+ * \brief This function is used to match decoder event flags set on a packet with those passed via decode-event:
+ *
+ * \param t pointer to thread vars
+ * \param det_ctx pointer to the pattern matcher thread
+ * \param p pointer to the current packet
+ * \param s pointer to the Signature
+ * \param m pointer to the sigmatch
+ *
+ * \retval 0 no match
+ * \retval 1 match
+ */
+static int DetectEngineEventMatch (DetectEngineThreadCtx *det_ctx,
+        Packet *p, const Signature *s, const SigMatchCtx *ctx)
+{
+    SCEnter();
+
+    const DetectEngineEventData *de = (const DetectEngineEventData *)ctx;
+
+    if (ENGINE_ISSET_EVENT(p, de->event)) {
+        SCLogDebug("de->event matched %u", de->event);
+        SCReturnInt(1);
+    }
+
+    SCReturnInt(0);
+}
+
+static bool OutdatedEvent(const char *raw)
+{
+    if (strcmp(raw, "decoder.udp.hlen_invalid") == 0) {
+        return true;
+    }
+    return false;
+}
+
+/**
+ * \brief This function is used to parse decoder events options passed via decode-event: keyword
+ *
+ * \param rawstr Pointer to the user provided decode-event options
+ *
+ * \retval de pointer to DetectFlowData on success
+ * \retval NULL on failure
+ */
+static DetectEngineEventData *DetectEngineEventParse (const char *rawstr)
+{
+    int i;
+    DetectEngineEventData *de = NULL;
+    int res = 0, found = 0;
+    size_t pcre2len;
+    pcre2_match_data *match = NULL;
+
+    int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
+    if (ret < 1) {
+        SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
+        goto error;
+    }
+
+    char copy_str[128] = "";
+    pcre2len = sizeof(copy_str);
+    res = pcre2_substring_copy_bynumber(match, 0, (PCRE2_UCHAR8 *)copy_str, &pcre2len);
+
+    if (res < 0) {
+        SCLogError("pcre2_substring_copy_bynumber failed");
+        goto error;
+    }
+
+    for (i = 0; DEvents[i].event_name != NULL; i++) {
+        if (strcasecmp(DEvents[i].event_name,copy_str) == 0) {
+            found = 1;
+            break;
+        }
+    }
+
+    if (found == 0) {
+        SCLogError("unknown decode event \"%s\"", copy_str);
+        goto error;
+    }
+
+    de = SCMalloc(sizeof(DetectEngineEventData));
+    if (unlikely(de == NULL))
+        goto error;
+
+    de->event = DEvents[i].code;
+
+    if (de->event == STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA) {
+        StreamTcpReassembleConfigEnableOverlapCheck();
+    }
+
+    if (OutdatedEvent(rawstr)) {
+        if (SigMatchStrictEnabled(DETECT_DECODE_EVENT)) {
+            SCLogError("decode-event keyword no longer supports event \"%s\"", rawstr);
+            goto error;
+        } else {
+            SCLogWarning("decode-event keyword no longer supports event \"%s\"", rawstr);
+        }
+    }
+
+    pcre2_match_data_free(match);
+    return de;
+
+error:
+    if (de)
+        SCFree(de);
+    if (match) {
+        pcre2_match_data_free(match);
+    }
+    return NULL;
+}
+
+/**
+ * \brief this function is used to add the parsed decode-event into the current signature
+ *
+ * \param de_ctx pointer to the Detection Engine Context
+ * \param s pointer to the Current Signature
+ * \param rawstr pointer to the user provided decode-event options
+ *
+ * \retval 0 on Success
+ * \retval -1 on Failure
+ */
+static int DetectEngineEventSetupDo(
+        DetectEngineCtx *de_ctx, Signature *s, const char *rawstr, uint16_t smtype)
+{
+    DetectEngineEventData *de = DetectEngineEventParse(rawstr);
+    if (de == NULL)
+        return -1;
+
+    SCLogDebug("rawstr %s %u", rawstr, de->event);
+
+    SigMatch *sm = SigMatchAlloc();
+    if (sm == NULL) {
+        SCFree(de);
+        return -1;
+    }
+
+    sm->type = smtype;
+    sm->ctx = (SigMatchCtx *)de;
+
+    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
+    return 0;
+}
+
+
+static int DetectEngineEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
+{
+    return DetectEngineEventSetupDo (de_ctx, s, rawstr, DETECT_ENGINE_EVENT);
+}
+
+/**
+ * \brief this function will free memory associated with DetectEngineEventData
+ *
+ * \param de pointer to DetectEngineEventData
+ */
+static void DetectEngineEventFree(DetectEngineCtx *de_ctx, void *ptr)
+{
+    DetectEngineEventData *de = (DetectEngineEventData *)ptr;
+    if (de)
+        SCFree(de);
+}
+
+
+/**
+ * \brief this function Setup the 'decode-event' keyword by setting the correct
+ * signature type
+*/
+static int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
+{
+    char drawstr[64] = "decoder.";
+
+    /* decoder:$EVENT alias command develop as decode-event:decoder.$EVENT */
+    strlcat(drawstr, rawstr, sizeof(drawstr));
+
+    return DetectEngineEventSetupDo(de_ctx, s, drawstr, DETECT_DECODE_EVENT);
+}
+
+/**
+ * \brief this function Setup the 'stream-event' keyword by resolving the alias
+*/
+static int DetectStreamEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
+{
+    char srawstr[64] = "stream.";
+
+    if (strcmp(rawstr, "est_synack_resend_with_different_ack") == 0) {
+        rawstr = "est_synack_resend_with_diff_ack";
+    } else if (strcmp(rawstr, "3whs_synack_resend_with_different_ack") == 0) {
+        rawstr = "3whs_synack_resend_with_diff_ack";
+    }
+
+    /* stream:$EVENT alias command develop as decode-event:stream.$EVENT */
+    strlcat(srawstr, rawstr, sizeof(srawstr));
+
+    return DetectEngineEventSetup(de_ctx, s, srawstr);
+}
+
+/*
+ * ONLY TESTS BELOW THIS COMMENT
+ */
+#ifdef UNITTESTS
+
+/**
+ * \test EngineEventTestParse01 is a test for a  valid decode-event value
+ */
+static int EngineEventTestParse01 (void)
+{
+    DetectEngineEventData *de = DetectEngineEventParse("decoder.ipv4.pkt_too_small");
+
+    FAIL_IF_NULL(de);
+
+    DetectEngineEventFree(NULL, de);
+
+    PASS;
+}
+
+
+/**
+ * \test EngineEventTestParse02 is a test for a  valid upper + lower case decode-event value
+ */
+static int EngineEventTestParse02 (void)
+{
+    DetectEngineEventData *de = DetectEngineEventParse("decoder.PPP.pkt_too_small");
+
+    FAIL_IF_NULL(de);
+
+    DetectEngineEventFree(NULL, de);
+
+    PASS;
+}
+
+/**
+ * \test EngineEventTestParse03 is a test for a  valid upper case decode-event value
+ */
+static int EngineEventTestParse03 (void)
+{
+    DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV6.PKT_TOO_SMALL");
+
+    FAIL_IF_NULL(de);
+
+    DetectEngineEventFree(NULL, de);
+
+    PASS;
+}
+
+/**
+ * \test EngineEventTestParse04 is a test for an  invalid upper case decode-event value
+ */
+static int EngineEventTestParse04 (void)
+{
+    DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV6.INVALID_EVENT");
+
+    FAIL_IF_NOT_NULL(de);
+
+    DetectEngineEventFree(NULL, de);
+
+    PASS;
+}
+
+/**
+ * \test EngineEventTestParse05 is a test for an  invalid char into the decode-event value
+ */
+static int EngineEventTestParse05 (void)
+{
+    DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV-6,INVALID_CHAR");
+
+    FAIL_IF_NOT_NULL(de);
+
+    DetectEngineEventFree(NULL, de);
+
+    PASS;
+}
+
+/**
+ * \test EngineEventTestParse06 is a test for match function with valid decode-event value
+ */
+static int EngineEventTestParse06 (void)
+{
+    Packet *p = PacketGetFromAlloc();
+    FAIL_IF_NULL(p);
+
+    ThreadVars tv;
+
+    memset(&tv, 0, sizeof(ThreadVars));
+
+    ENGINE_SET_EVENT(p,PPP_PKT_TOO_SMALL);
+
+    DetectEngineEventData *de = DetectEngineEventParse("decoder.ppp.pkt_too_small");
+    FAIL_IF_NULL(de);
+
+    de->event = PPP_PKT_TOO_SMALL;
+
+    SigMatch *sm = SigMatchAlloc();
+    FAIL_IF_NULL(sm);
+
+    sm->type = DETECT_DECODE_EVENT;
+    sm->ctx = (SigMatchCtx *)de;
+
+    FAIL_IF_NOT(DetectEngineEventMatch(NULL, p, NULL, sm->ctx));
+
+    SCFree(p);
+    SCFree(de);
+    SCFree(sm);
+
+    PASS;
+}
+
+/**
+ * \brief this function registers unit tests for EngineEvent
+ */
+void EngineEventRegisterTests(void)
+{
+    UtRegisterTest("EngineEventTestParse01", EngineEventTestParse01);
+    UtRegisterTest("EngineEventTestParse02", EngineEventTestParse02);
+    UtRegisterTest("EngineEventTestParse03", EngineEventTestParse03);
+    UtRegisterTest("EngineEventTestParse04", EngineEventTestParse04);
+    UtRegisterTest("EngineEventTestParse05", EngineEventTestParse05);
+    UtRegisterTest("EngineEventTestParse06", EngineEventTestParse06);
+}
+#endif /* UNITTESTS */