diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:39:49 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:39:49 +0000 |
commit | a0aa2307322cd47bbf416810ac0292925e03be87 (patch) | |
tree | 37076262a026c4b48c8a0e84f44ff9187556ca35 /src/detect-tcpmss.c | |
parent | Initial commit. (diff) | |
download | suricata-a0aa2307322cd47bbf416810ac0292925e03be87.tar.xz suricata-a0aa2307322cd47bbf416810ac0292925e03be87.zip |
Adding upstream version 1:7.0.3.upstream/1%7.0.3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/detect-tcpmss.c')
-rw-r--r-- | src/detect-tcpmss.c | 180 |
1 files changed, 180 insertions, 0 deletions
diff --git a/src/detect-tcpmss.c b/src/detect-tcpmss.c new file mode 100644 index 0000000..1ed04d3 --- /dev/null +++ b/src/detect-tcpmss.c @@ -0,0 +1,180 @@ +/* Copyright (C) 2007-2020 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Victor Julien <victor@inliniac.net> + * + */ + +#include "suricata-common.h" + +#include "detect.h" +#include "detect-parse.h" +#include "detect-engine-prefilter-common.h" +#include "detect-engine-uint.h" +#include "util-byte.h" + +#include "detect-tcpmss.h" + + +/* prototypes */ +static int DetectTcpmssMatch (DetectEngineThreadCtx *, Packet *, + const Signature *, const SigMatchCtx *); +static int DetectTcpmssSetup (DetectEngineCtx *, Signature *, const char *); +void DetectTcpmssFree (DetectEngineCtx *, void *); +#ifdef UNITTESTS +void DetectTcpmssRegisterTests (void); +#endif +static int PrefilterSetupTcpmss(DetectEngineCtx *de_ctx, SigGroupHead *sgh); +static bool PrefilterTcpmssIsPrefilterable(const Signature *s); + +/** + * \brief Registration function for tcpmss: keyword + */ + +void DetectTcpmssRegister(void) +{ + sigmatch_table[DETECT_TCPMSS].name = "tcp.mss"; + sigmatch_table[DETECT_TCPMSS].desc = "match on TCP MSS option field"; + sigmatch_table[DETECT_TCPMSS].url = "/rules/header-keywords.html#tcpmss"; + sigmatch_table[DETECT_TCPMSS].Match = DetectTcpmssMatch; + sigmatch_table[DETECT_TCPMSS].Setup = DetectTcpmssSetup; + sigmatch_table[DETECT_TCPMSS].Free = DetectTcpmssFree; + sigmatch_table[DETECT_TCPMSS].SupportsPrefilter = PrefilterTcpmssIsPrefilterable; + sigmatch_table[DETECT_TCPMSS].SetupPrefilter = PrefilterSetupTcpmss; + + return; +} + +/** + * \brief This function is used to match TCPMSS rule option on a packet with those passed via + * tcpmss: + * + * \param det_ctx pointer to the pattern matcher thread + * \param p pointer to the current packet + * \param ctx pointer to the sigmatch that we will cast into DetectU16Data + * + * \retval 0 no match + * \retval 1 match + */ +static int DetectTcpmssMatch (DetectEngineThreadCtx *det_ctx, Packet *p, + const Signature *s, const SigMatchCtx *ctx) +{ + + if (!(PKT_IS_TCP(p)) || PKT_IS_PSEUDOPKT(p)) + return 0; + + if (!(TCP_HAS_MSS(p))) + return 0; + + uint16_t ptcpmss = TCP_GET_MSS(p); + + const DetectU16Data *tcpmssd = (const DetectU16Data *)ctx; + return DetectU16Match(ptcpmss, tcpmssd); +} + +/** + * \brief this function is used to attach the parsed tcpmss data into the current signature + * + * \param de_ctx pointer to the Detection Engine Context + * \param s pointer to the Current Signature + * \param tcpmssstr pointer to the user provided tcpmss options + * + * \retval 0 on Success + * \retval -1 on Failure + */ +static int DetectTcpmssSetup (DetectEngineCtx *de_ctx, Signature *s, const char *tcpmssstr) +{ + DetectU16Data *tcpmssd = DetectU16Parse(tcpmssstr); + if (tcpmssd == NULL) + return -1; + + SigMatch *sm = SigMatchAlloc(); + if (sm == NULL) { + DetectTcpmssFree(de_ctx, tcpmssd); + return -1; + } + + sm->type = DETECT_TCPMSS; + sm->ctx = (SigMatchCtx *)tcpmssd; + + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH); + s->flags |= SIG_FLAG_REQUIRE_PACKET; + + return 0; +} + +/** + * \brief this function will free memory associated with DetectU16Data + * + * \param ptr pointer to DetectU16Data + */ +void DetectTcpmssFree(DetectEngineCtx *de_ctx, void *ptr) +{ + rs_detect_u16_free(ptr); +} + +/* prefilter code */ + +static void +PrefilterPacketTcpmssMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx) +{ + if (!(PKT_IS_TCP(p)) || PKT_IS_PSEUDOPKT(p)) + return; + + if (!(TCP_HAS_MSS(p))) + return; + + uint16_t ptcpmss = TCP_GET_MSS(p); + + /* during setup Suricata will automatically see if there is another + * check that can be added: alproto, sport or dport */ + const PrefilterPacketHeaderCtx *ctx = pectx; + if (!PrefilterPacketHeaderExtraMatch(ctx, p)) + return; + + DetectU16Data du16; + du16.mode = ctx->v1.u8[0]; + du16.arg1 = ctx->v1.u16[1]; + du16.arg2 = ctx->v1.u16[2]; + /* if we match, add all the sigs that use this prefilter. This means + * that these will be inspected further */ + if (DetectU16Match(ptcpmss, &du16)) { + SCLogDebug("packet matches tcpmss/hl %u", ptcpmss); + PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt); + } +} + +static int PrefilterSetupTcpmss(DetectEngineCtx *de_ctx, SigGroupHead *sgh) +{ + return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_TCPMSS, PrefilterPacketU16Set, + PrefilterPacketU16Compare, PrefilterPacketTcpmssMatch); +} + +static bool PrefilterTcpmssIsPrefilterable(const Signature *s) +{ + const SigMatch *sm; + for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) { + switch (sm->type) { + case DETECT_TCPMSS: + return true; + } + } + return false; +} |