diff options
author | Ashlee Young <ashlee@onosfw.com> | 2015-09-09 22:21:41 -0700 |
---|---|---|
committer | Ashlee Young <ashlee@onosfw.com> | 2015-09-09 22:21:41 -0700 |
commit | 8879b125d26e8db1a5633de5a9c692eb2d1c4f83 (patch) | |
tree | c7259d85a991b83dfa85ab2e339360669fc1f58e /framework/src/suricata/src/detect-l3proto.c | |
parent | 13d05bc8458758ee39cb829098241e89616717ee (diff) |
suricata checkin based on commit id a4bce14770beee46a537eda3c3f6e8e8565d5d0a
Change-Id: I9a214fa0ee95e58fc640e50bd604dac7f42db48f
Diffstat (limited to 'framework/src/suricata/src/detect-l3proto.c')
-rw-r--r-- | framework/src/suricata/src/detect-l3proto.c | 391 |
1 files changed, 391 insertions, 0 deletions
diff --git a/framework/src/suricata/src/detect-l3proto.c b/framework/src/suricata/src/detect-l3proto.c new file mode 100644 index 00000000..c67b47c8 --- /dev/null +++ b/framework/src/suricata/src/detect-l3proto.c @@ -0,0 +1,391 @@ +/* Copyright (C) 2012-2013 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Eric Leblond <eric@regit.org> + * + * + * Implements the l3_proto keyword + */ + +#include "suricata-common.h" +#include "debug.h" +#include "decode.h" +#include "detect.h" + +#include "detect-ipproto.h" + +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" + +#include "detect-engine-siggroup.h" +#include "detect-engine-address.h" + +#include "util-byte.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" + +#include "util-debug.h" + +static int DetectL3ProtoSetup(DetectEngineCtx *, Signature *, char *); + +void DetectL3protoRegisterTests(void); + +void DetectL3ProtoRegister(void) +{ + sigmatch_table[DETECT_L3PROTO].name = "l3_proto"; + sigmatch_table[DETECT_L3PROTO].Match = NULL; + sigmatch_table[DETECT_L3PROTO].Setup = DetectL3ProtoSetup; + sigmatch_table[DETECT_L3PROTO].Free = NULL; + sigmatch_table[DETECT_L3PROTO].RegisterTests = DetectL3protoRegisterTests; + + return; +} +/** + * \internal + * \brief Setup l3_proto keyword. + * + * \param de_ctx Detection engine context + * \param s Signature + * \param optstr Options string + * + * \return Non-zero on error + */ +static int DetectL3ProtoSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) +{ + char *str = optstr; + char dubbed = 0; + + /* strip "'s */ + if (optstr[0] == '\"' && optstr[strlen(optstr) - 1] == '\"') { + str = SCStrdup(optstr + 1); + if (unlikely(str == NULL)) + goto error; + str[strlen(optstr) - 2] = '\0'; + dubbed = 1; + } + + /* reset possible any value */ + if (s->proto.flags & DETECT_PROTO_ANY) { + s->proto.flags &= ~DETECT_PROTO_ANY; + } + + /* authorized value, ip, any, ip4, ipv4, ip6, ipv6 */ + if (strcasecmp(str,"ipv4") == 0 || + strcasecmp(str,"ip4") == 0 ) { + if (s->proto.flags & DETECT_PROTO_IPV6) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Conflicting l3 proto specified"); + goto error; + } + s->proto.flags |= DETECT_PROTO_IPV4; + SCLogDebug("IPv4 protocol detected"); + } else if (strcasecmp(str,"ipv6") == 0 || + strcasecmp(str,"ip6") == 0 ) { + if (s->proto.flags & DETECT_PROTO_IPV6) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Conflicting l3 proto specified"); + goto error; + } + s->proto.flags |= DETECT_PROTO_IPV6; + SCLogDebug("IPv6 protocol detected"); + } else { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid l3 proto: \"%s\"", str); + goto error; + } + + if (dubbed) + SCFree(str); + return 0; +error: + if (dubbed) + SCFree(str); + return -1; +} + +#ifdef UNITTESTS + +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" + +/** + * \test DetectL3protoTestSig01 is a test for checking the working of ttl keyword + * by setting up the signature and later testing its working by matching + * the received packet against the sig. + */ + +static int DetectL3protoTestSig1(void) +{ + + Packet *p = PacketGetFromAlloc(); + if (unlikely(p == NULL)) + return 0; + Signature *s = NULL; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx; + int result = 0; + IPV4Hdr ip4h; + + memset(&th_v, 0, sizeof(th_v)); + + p->src.family = AF_INET; + p->dst.family = AF_INET; + p->proto = IPPROTO_TCP; + p->ip4h = &ip4h; + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv4\"; l3_proto:ipv4; sid:1;)"); + if (s == NULL) { + goto end; + } + + s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6\"; l3_proto:ipv6; sid:2;)"); + if (s == NULL) { + goto end; + } + + s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip4\"; l3_proto:ip4; sid:3;)"); + if (s == NULL) { + goto end; + } + + s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip6\"; l3_proto:ip6; sid:2;)"); + if (s == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + if (PacketAlertCheck(p, 1) == 0) { + printf("sid 1 did not alert, but should have: "); + goto cleanup; + } else if (PacketAlertCheck(p, 2)) { + printf("sid 2 alerted, but should not have: "); + goto cleanup; + } else if (PacketAlertCheck(p, 3) == 0) { + printf("sid 3 did not alert, but should have: "); + goto cleanup; + } else if (PacketAlertCheck(p, 4)) { + printf("sid 4 alerted, but should not have: "); + goto cleanup; + } + + result = 1; + +cleanup: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + +end: + SCFree(p); + return result; +} + +/** + * \test DetectL3protoTestSig02 is a test for checking the working of l3proto keyword + * by setting up the signature and later testing its working by matching + * the received IPv6 packet against the sig. + */ + +static int DetectL3protoTestSig2(void) +{ + + Packet *p = PacketGetFromAlloc(); + if (unlikely(p == NULL)) + return 0; + Signature *s = NULL; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx; + int result = 0; + IPV6Hdr ip6h; + + memset(&th_v, 0, sizeof(th_v)); + + p->src.family = AF_INET6; + p->dst.family = AF_INET6; + p->proto = IPPROTO_TCP; + p->ip6h = &ip6h; + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv4\"; l3_proto:ipv4; sid:1;)"); + if (s == NULL) { + goto end; + } + + s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6\"; l3_proto:ipv6; sid:2;)"); + if (s == NULL) { + goto end; + } + + s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip4\"; l3_proto:ip4; sid:3;)"); + if (s == NULL) { + goto end; + } + + s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip6\"; l3_proto:ip6; sid:4;)"); + if (s == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + if (PacketAlertCheck(p, 1)) { + printf("sid 1 alerted, but should not have: "); + goto cleanup; + } else if (PacketAlertCheck(p, 2) == 0) { + printf("sid 2 did not alert, but should have: "); + goto cleanup; + } else if (PacketAlertCheck(p, 3)) { + printf("sid 3 alerted, but should not have: "); + goto cleanup; + } else if (PacketAlertCheck(p, 4) == 0) { + printf("sid 4 did not alert, but should have: "); + goto cleanup; + } + + result = 1; + +cleanup: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + +end: + SCFree(p); + return result; +} + +/** + * \test DetectL3protoTestSig03 is a test for checking the working of l3proto keyword + * in conjonction with ip_proto keyword. + */ + +static int DetectL3protoTestSig3(void) +{ + + Packet *p = PacketGetFromAlloc(); + if (unlikely(p == NULL)) + return 0; + Signature *s = NULL; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx; + int result = 0; + IPV6Hdr ip6h; + + memset(&th_v, 0, sizeof(th_v)); + + p->src.family = AF_INET6; + p->dst.family = AF_INET6; + p->proto = IPPROTO_TCP; + p->ip6h = &ip6h; + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv4 and ip_proto udp\"; l3_proto:ipv4; ip_proto:17; sid:1;)"); + if (s == NULL) { + goto end; + } + + s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6 and ip_proto udp\"; l3_proto:ipv6; ip_proto:17; sid:2;)"); + if (s == NULL) { + goto end; + } + + s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip4 and ip_proto tcp\"; l3_proto:ipv4; ip_proto:6; sid:3;)"); + if (s == NULL) { + goto end; + } + + s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6 and ip_proto tcp\"; l3_proto:ipv6; ip_proto:6; sid:4;)"); + if (s == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + if (PacketAlertCheck(p, 1)) { + printf("sid 1 alerted, but should not have: "); + goto cleanup; + } else if (PacketAlertCheck(p, 2)) { + printf("sid 2 alerted, but should not have: "); + goto cleanup; + } else if (PacketAlertCheck(p, 3)) { + printf("sid 3 alerted, but should not have: "); + goto cleanup; + } else if (PacketAlertCheck(p, 4) == 0) { + printf("sid 4 did not alert, but should have: "); + goto cleanup; + } + + result = 1; + +cleanup: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + +end: + SCFree(p); + return result; +} + + +#endif /* UNITTESTS */ + +/** + * \brief this function registers unit tests for DetectL3proto + */ +void DetectL3protoRegisterTests(void) +{ +#ifdef UNITTESTS + UtRegisterTest("DetectL3protoTestSig1", DetectL3protoTestSig1, 1); + UtRegisterTest("DetectL3protoTestSig2", DetectL3protoTestSig2, 1); + UtRegisterTest("DetectL3protoTestSig3", DetectL3protoTestSig3, 1); +#endif /* UNITTESTS */ +} |