Diffstat (limited to 'framework/src/suricata/scripts')
-rwxr-xr-xframework/src/suricata/scripts/setup-app-layer-detect.sh233
-rwxr-xr-xframework/src/suricata/scripts/setup-app-layer-logger.sh154
-rwxr-xr-xframework/src/suricata/scripts/setup-app-layer.sh166
3 files changed, 553 insertions, 0 deletions
diff --git a/framework/src/suricata/scripts/setup-app-layer-detect.sh b/framework/src/suricata/scripts/setup-app-layer-detect.sh
new file mode 100755
index 00000000..ef3b741e
--- /dev/null
+++ b/framework/src/suricata/scripts/setup-app-layer-detect.sh
@@ -0,0 +1,233 @@
+#! /bin/sh
+#
+# Script to provision a new application layer detector and parser.
+
+set -e
+
+function usage() {
+ cat <<EOF
+
+usage: $0 <protocol name>
+
+This script will provision content inspection for app-layer decoded
+buffers.
+
+Examples:
+
+ $0 DNP3
+ $0 Gopher
+
+EOF
+}
+
+fail_if_exists() {
+ path="$1"
+ if test -e "${path}"; then
+ echo "error: ${path} already exists."
+ exit 1
+ fi
+}
+
+function copy_template_file() {
+ src="$1"
+ dst="$2"
+
+ echo "Creating ${dst}."
+
+ sed -e "s/TEMPLATE/${protoname_upper}/g" \
+ -e "s/template/${protoname_lower}/g" \
+ -e "s/Template/${protoname}/g" > ${dst} < ${src}
+}
+
+function copy_templates() {
+ detect_h_dst="src/detect-${protoname_lower}-buffer.h"
+ detect_c_dst="src/detect-${protoname_lower}-buffer.c"
+ detect_engine_h_dst="src/detect-engine-${protoname_lower}.h"
+ detect_engine_c_dst="src/detect-engine-${protoname_lower}.c"
+
+ fail_if_exists ${detect_h_dst}
+ fail_if_exists ${detect_c_dst}
+ fail_if_exists ${detect_engine_h_dst}
+ fail_if_exists ${detect_engine_c_dst}
+
+ copy_template_file "src/detect-template-buffer.h" ${detect_h_dst}
+ copy_template_file "src/detect-template-buffer.c" ${detect_c_dst}
+ copy_template_file "src/detect-engine-template.h" ${detect_engine_h_dst}
+ copy_template_file "src/detect-engine-template.c" ${detect_engine_c_dst}
+}
+
+function patch_makefile_am() {
+ filename="src/Makefile.am"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/^detect-engine-template.c
+t-
+s/template/${protoname_lower}/g
+/^detect-template-buffer.c
+t-
+s/template/${protoname_lower}/g
+w
+EOF
+}
+
+function patch_detect_engine_content_inspection_h() {
+ filename="src/detect-engine-content-inspection.h"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/DETECT_ENGINE_CONTENT_INSPECTION_MODE_TEMPLATE_BUFFER
+t-
+s/TEMPLATE/${protoname_upper}/
+w
+EOF
+}
+
+function patch_detect_engine_state_h() {
+ filename="src/detect-engine-state.h"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT
+t-
+s/TEMPLATE/${protoname_upper}/
+w
+EOF
+}
+
+function patch_detect_engine_c() {
+ filename="src/detect-engine.c"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/#include "detect-engine-template.h"
+t-
+s/template/${protoname_lower}/
+w
+/ALPROTO_TEMPLATE
+-2
+.,+6t-
+-6
+.,+6s/Template/${protoname}/g
+-6
+.,+6s/TEMPLATE/${protoname_upper}/g
++6
+/ALPROTO_TEMPLATE
+-2
+.,+6t-
+-6
+.,+6s/Template/${protoname}/g
+-6
+.,+6s/TEMPLATE/${protoname_upper}/g
+w
+EOF
+
+ ed -s $(unknown) > /dev/null <<EOF
+/case DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH
+.,+1t-
+-
+s/TEMPLATE/${protoname_upper}/g
++
+s/template/${protoname_lower}/g
+w
+EOF
+}
+
+function patch_detect_parse_c() {
+ filename="src/detect-parse.c"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/\/\* Template\. \*\/
+.,+4t-
+-4s/Template/${protoname}/g
++1s/TEMPLATE/${protoname_upper}/g
+w
+EOF
+}
+
+function patch_detect_c() {
+ filename="src/detect.c"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/#include "detect-template-buffer.h"
+t-
+s/template/${protoname_lower}/
+/case ALPROTO_TEMPLATE
+.,+3t-
+-3
+s/ALPROTO_TEMPLATE/ALPROTO_${protoname_upper}/g
++
+s/template/${protoname_lower}/g
++
+s/TEMPLATE/${protoname_upper}/g
++2
+/ALPROTO_TEMPLATE
+.,+3t-
+-3
+.,+s/TEMPLATE/${protoname_upper}/g
++
+s/template/${protoname_lower}/g
++3
+/SIG_MASK_REQUIRE_TEMPLATE_STATE
+.t-
+s/TEMPLATE/${protoname_upper}/g
+/DetectTemplateBufferRegister
+t-
+s/Template/${protoname}/
+w
+EOF
+}
+
+function patch_detect_h() {
+ filename="src/detect.h"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH
+t-
+s/TEMPLATE/${protoname_upper}/
+/SIG_MASK_REQUIRE_TEMPLATE_STATE
+t-
+s/TEMPLATE/${protoname_upper}/
+/DETECT_AL_TEMPLATE_BUFFER
+t-
+s/TEMPLATE/${protoname_upper}/
+w
+EOF
+}
+
+protoname="$1"
+
+if [ "${protoname}" = "" ]; then
+ usage
+ exit 1
+fi
+
+protoname_lower=$(printf ${protoname} | tr '[:upper:]' '[:lower:]')
+protoname_upper=$(printf ${protoname} | tr '[:lower:]' '[:upper:]')
+
+copy_templates
+patch_makefile_am
+patch_detect_engine_content_inspection_h
+patch_detect_engine_state_h
+patch_detect_engine_c
+patch_detect_parse_c
+patch_detect_c
+patch_detect_h
+
+cat <<EOF
+
+The following files have been created and linked into the build:
+
+ detect-${protoname_lower}-buffer.h detect-${protoname_lower}-buffer.c
+
+ The setup for the content inspection modifier keyword.
+
+ detect-engine-${protoname_lower}.h detect-engine-${protoname_lower}.c
+
+ The content inspection engine.
+
+Please fix in src/detect-engine-state.h the values for:
+ DE_STATE_FLAG_${protoname_upper}_BUFFER_INSPECT
+ DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT
+
+Please fix in src/detect.h the values for:
+ SIG_MASK_REQUIRE_${protoname_upper}_STATE
+ SIG_MASK_REQUIRE_TEMPLATE_STATE
+
+EOF
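Review bot: The protocol name taken from `$1` is interpolated unquoted into every sed and ed editing script (`s/TEMPLATE/${protoname_upper}/g` in copy_template_file and the patch_* heredocs) and into the generated file paths (`> ${dst} < ${src}`, `fail_if_exists ${detect_h_dst}`), with no check on its characters, so a name containing `/`, `&`, whitespace or other editor metacharacters silently corrupts the substitutions or the created file names instead of failing. Since the script only ever needs an identifier-safe name, reject anything else right after the empty check: `case "${protoname}" in *[!A-Za-z0-9]*) echo "error: protocol name must be alphanumeric." >&2; exit 1;; esac`. The case-conversion lines `printf ${protoname} | tr ...` also pass the argument as the printf format string and leave it unquoted; `printf '%s' "${protoname}"` is the intended form. The same pattern is repeated verbatim in setup-app-layer-logger.sh and setup-app-layer.sh.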
diff --git a/framework/src/suricata/scripts/setup-app-layer-logger.sh b/framework/src/suricata/scripts/setup-app-layer-logger.sh
new file mode 100755
index 00000000..be32c393
--- /dev/null
+++ b/framework/src/suricata/scripts/setup-app-layer-logger.sh
@@ -0,0 +1,154 @@
+#! /bin/sh
+
+set -e
+
+function usage() {
+ cat <<EOF
+
+usage: $0 <protocol name>
+
+This script will provision a new JSON application layer transaction
+logger for the protocol name specified on the command line. This is
+done by copying and patching src/output-json-template.h and
+src/output-json-template.c then link the new files into the build
+system.
+
+It is required that the application layer parser has already been
+provisioned by the setup-app-layer.sh script.
+
+Examples:
+
+ $0 DNP3
+ $0 Gopher
+
+EOF
+}
+
+fail_if_exists() {
+ path="$1"
+ if test -e "${path}"; then
+ echo "error: ${path} already exists."
+ exit 1
+ fi
+}
+
+function copy_template_file() {
+ src="$1"
+ dst="$2"
+
+ echo "Creating ${dst}."
+
+ sed -e "s/TEMPLATE/${protoname_upper}/g" \
+ -e "s/template/${protoname_lower}/g" \
+ -e "s/Template/${protoname}/g" > ${dst} < ${src}
+}
+
+function copy_templates() {
+ src_h="src/output-json-template.h"
+ dst_h="src/output-json-${protoname_lower}.h"
+ src_c="src/output-json-template.c"
+ dst_c="src/output-json-${protoname_lower}.c"
+
+ fail_if_exists ${dst_h}
+ fail_if_exists ${dst_c}
+
+ copy_template_file ${src_h} ${dst_h}
+ copy_template_file ${src_c} ${dst_c}
+}
+
+function patch_makefile_am() {
+ filename="src/Makefile.am"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/output-json-template.c
+t-
+s/template/${protoname_lower}/
+w
+EOF
+}
+
+function patch_suricata_c() {
+ filename="src/suricata.c"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/#include "output-json-template.h"
+t-
+s/template/${protoname_lower}/
+/TmModuleJsonTemplateLogRegister
+-
+.,+t-
+-
+.,+s/Template/${protoname}/
+w
+EOF
+}
+
+patch_tm_modules_c() {
+ filename="src/tm-modules.c"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/TMM_JSONTEMPLATELOG
+t-
+s/TEMPLATE/${protoname_upper}
+w
+EOF
+}
+
+patch_tm_threads_common_h() {
+ filename="src/tm-threads-common.h"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/TMM_JSONTEMPLATELOG
+t-
+s/TEMPLATE/${protoname_upper}
+w
+EOF
+}
+
+patch_suricata_yaml_in() {
+ filename="suricata.yaml.in"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/eve-log:
+/types:
+a
+ - ${protoname_lower}
+.
+w
+EOF
+}
+
+protoname="$1"
+
+if [ "${protoname}" = "" ]; then
+ usage
+ exit 1
+fi
+
+protoname_lower=$(printf ${protoname} | tr '[:upper:]' '[:lower:]')
+protoname_upper=$(printf ${protoname} | tr '[:lower:]' '[:upper:]')
+
+# Requires that the protocol has already been setup.
+if ! grep -q "ALPROTO_${protoname_upper}" src/app-layer-protos.h; then
+ echo "error: no app-layer parser exists for ALPROTO_${protoname_upper}."
+ exit 1
+fi
+
+copy_templates
+patch_makefile_am
+patch_suricata_c
+patch_tm_modules_c
+patch_tm_threads_common_h
+patch_suricata_yaml_in
+
+cat <<EOF
+
+A JSON application layer transaction logger for the protocol
+${protoname} has now been set in the files:
+
+ src/output-json-${protoname_lower}.h
+ src/output-json-${protoname_lower}.c
+
+and should now build cleanly. Try running 'make'.
+
+EOF
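Review bot: The two `s/TEMPLATE/${protoname_upper}` commands in patch_tm_modules_c and patch_tm_threads_common_h omit the closing `/` that every other substitution in these scripts carries; GNU ed tolerates the missing delimiter (and echoes the line, here sent to /dev/null), but a stricter ed may reject the command and, because ed keeps reading the script, the following `w` would then save the file unchanged, so write them as `s/TEMPLATE/${protoname_upper}/`. The prerequisite check `grep -q "ALPROTO_${protoname_upper}" src/app-layer-protos.h` is a substring match, so a name that is a prefix of an already registered one (constructed example: `DN` against an existing `ALPROTO_DNS`) would pass the check and the script would go on patching; `grep -qw "ALPROTO_${protoname_upper}"` limits it to a whole identifier.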
diff --git a/framework/src/suricata/scripts/setup-app-layer.sh b/framework/src/suricata/scripts/setup-app-layer.sh
new file mode 100755
index 00000000..b24b5e61
--- /dev/null
+++ b/framework/src/suricata/scripts/setup-app-layer.sh
@@ -0,0 +1,166 @@
+#! /bin/sh
+#
+# Script to provision a new application layer detector and parser.
+
+set -e
+#set -x
+
+function usage() {
+ cat <<EOF
+
+usage: $0 <protocol name>
+
+This script will provision a new app-layer parser for the protocol
+name specified on the command line. This is done by copying and
+patching src/app-layer-template.[ch] then linking the new files into
+the build system.
+
+Examples:
+
+ $0 DNP3
+ $0 Gopher
+
+EOF
+}
+
+fail_if_exists() {
+ path="$1"
+ if test -e "${path}"; then
+ echo "error: ${path} already exists."
+ exit 1
+ fi
+}
+
+function copy_template_file() {
+ src="$1"
+ dst="$2"
+
+ echo "Creating ${dst}."
+
+ sed -e "s/TEMPLATE/${protoname_upper}/g" \
+ -e "s/template/${protoname_lower}/g" \
+ -e "s/Template/${protoname}/g" > ${dst} < ${src}
+}
+
+function copy_app_layer_templates {
+ src_h="src/app-layer-template.h"
+ dst_h="src/app-layer-${protoname_lower}.h"
+ src_c="src/app-layer-template.c"
+ dst_c="src/app-layer-${protoname_lower}.c"
+
+ fail_if_exists ${dst_h}
+ fail_if_exists ${dst_c}
+
+ copy_template_file ${src_h} ${dst_h}
+ copy_template_file ${src_c} ${dst_c}
+}
+
+function patch_makefile_am {
+ filename="src/Makefile.am"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/app-layer-template
+t-
+s/template/${protoname_lower}/g
+w
+EOF
+}
+
+function patch_app_layer_protos_h {
+ filename="src/app-layer-protos.h"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/ALPROTO_TEMPLATE
+t-
+s/TEMPLATE/${protoname_upper}/
+w
+EOF
+}
+
+function patch_app_layer_protos_c {
+ filename="src/app-layer-protos.c"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/case ALPROTO_TEMPLATE
+.,+2t-
+-2
+s/TEMPLATE/${protoname_upper}/
++
+s/template/${protoname_lower}/
+w
+EOF
+}
+
+function patch_app_layer_detect_proto_c() {
+ filename="src/app-layer-detect-proto.c"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/== ALPROTO_TEMPLATE
+.,+t-
+-,.s/TEMPLATE/${protoname_upper}/
++3
+/== ALPROTO_TEMPLATE
+.,+t-
+-,.s/TEMPLATE/${protoname_upper}/
++3
+w
+EOF
+}
+
+function patch_app_layer_parser_c() {
+ filename="src/app-layer-parser.c"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/#include "app-layer-template.h"
+t-
+s/template/${protoname_lower}/
+/RegisterTemplateParsers
+t-
+s/Template/${protoname}/
+w
+EOF
+}
+
+function patch_suricata_yaml_in() {
+ filename="suricata.yaml.in"
+ echo "Patching $(unknown)."
+ ed -s $(unknown) > /dev/null <<EOF
+/^app-layer:
+/protocols:
+a
+ ${protoname_lower}:
+ enabled: yes
+.
+w
+EOF
+}
+
+protoname="$1"
+
+if [ "${protoname}" = "" ]; then
+ usage
+ exit 1
+fi
+
+protoname_lower=$(printf ${protoname} | tr '[:upper:]' '[:lower:]')
+protoname_upper=$(printf ${protoname} | tr '[:lower:]' '[:upper:]')
+
+copy_app_layer_templates
+patch_makefile_am
+patch_app_layer_protos_h
+patch_app_layer_protos_c
+patch_app_layer_detect_proto_c
+patch_app_layer_parser_c
+patch_suricata_yaml_in
+
+cat <<EOF
+
+An application detector and parser for the protocol ${protoname} has
+now been setup in the files:
+
+ src/app-layer-${protoname_lower}.h
+ src/app-layer-${protoname_lower}.c
+
+and should now build cleanly. Try running 'make'.
+
+EOF
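Review bot: The file declares `#! /bin/sh` yet defines its helpers with the `function` keyword (`function usage() {`, `function copy_app_layer_templates {`), which is not POSIX sh; where /bin/sh is dash the script fails to parse before `set -e` or anything else runs. Either change the shebang to `#!/usr/bin/env bash` or drop the keyword and use the `name() {` form that fail_if_exists already uses; setup-app-layer-detect.sh and setup-app-layer-logger.sh have the same mix. Separately, as rendered here every patch_* function reads `echo "Patching $(unknown)."` and `ed -s $(unknown) > /dev/null <<EOF`, which would run a command named `unknown` rather than expand `${filename}`; if that is what the committed files contain rather than a display artifact, ed is invoked without a file and the `w` commands have nothing to write to, and the same text appears in the other two scripts.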