[people/ms/suricata.git] / src / detect-bypass.c

/* Copyright (C) 2016 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Giuseppe Longo <glongo@stamus-networks.com>
 *
 */

#include "suricata-common.h"
#include "threads.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "debug.h"
#include "decode.h"

#include "detect.h"
#include "detect-parse.h"

#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-engine-sigorder.h"
#include "detect-bypass.h"

#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"

#include "stream-tcp.h"

#include "util-debug.h"
#include "util-spm-bm.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-device.h"

static int DetectBypassMatch(DetectEngineThreadCtx *, Packet *,
        const Signature *, const SigMatchCtx *);
static int DetectBypassSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectBypassRegisterTests(void);
#endif

/**
 * \brief Registration function for keyword: bypass
 */
void DetectBypassRegister(void)
{
    sigmatch_table[DETECT_BYPASS].name = "bypass";
    sigmatch_table[DETECT_BYPASS].desc = "call the bypass callback when the match of a sig is complete";
    sigmatch_table[DETECT_BYPASS].url = "/rules/bypass-keyword.html";
    sigmatch_table[DETECT_BYPASS].Match = DetectBypassMatch;
    sigmatch_table[DETECT_BYPASS].Setup = DetectBypassSetup;
    sigmatch_table[DETECT_BYPASS].Free  = NULL;
#ifdef UNITTESTS
    sigmatch_table[DETECT_BYPASS].RegisterTests = DetectBypassRegisterTests;
#endif
    sigmatch_table[DETECT_BYPASS].flags = SIGMATCH_NOOPT;
}

static int DetectBypassSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    SigMatch *sm = NULL;

    if (s->flags & SIG_FLAG_FILESTORE) {
        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
                   "bypass can't work with filestore keyword");
        return -1;
    }
    s->flags |= SIG_FLAG_BYPASS;

    sm = SigMatchAlloc();
    if (sm == NULL)
        return -1;

    sm->type = DETECT_BYPASS;
    sm->ctx = NULL;
    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);

    return 0;
}

static int DetectBypassMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
        const Signature *s, const SigMatchCtx *ctx)
{
    PacketBypassCallback(p);

    return 1;
}

#ifdef UNITTESTS
#include "app-layer-htp.h"

static int callback_var = 0;

static int BypassCallback(Packet *p)
{
    callback_var = 1;
    return 1;
}

static void ResetCallbackVar(void)
{
    callback_var = 0;
}

static int DetectBypassTestSig01(void)
{
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf1[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: This is dummy message body\r\n"
        "User-Agent: www.openinfosecfoundation.org\r\n"
        "Content-Type: text/html\r\n"
        "\r\n";
    uint32_t http_len1 = sizeof(http_buf1) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 ok\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 7\r\n"
        "\r\n"
        "message";
    uint32_t http_len2 = sizeof(http_buf2) - 1;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    LiveDevice *livedev = SCMalloc(sizeof(LiveDevice));
    FAIL_IF(livedev == NULL);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    FAIL_IF(p1 == NULL);
    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    FAIL_IF(p2 == NULL);

    p1->BypassPacketsFlow = BypassCallback;
    p2->BypassPacketsFlow = BypassCallback;

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p1->flow = &f;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p1->livedev = livedev;
    p2->flow = &f;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p2->livedev = livedev;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    de_ctx = DetectEngineCtxInit();
    FAIL_IF(de_ctx == NULL);

    de_ctx->flags |= DE_QUIET;

    const char *sigs[3];
    sigs[0] = "alert tcp any any -> any any (bypass; content:\"GET \"; sid:1;)";
    sigs[1] = "alert http any any -> any any "
              "(bypass; content:\"message\"; http_server_body; "
              "sid:2;)";
    sigs[2] = "alert http any any -> any any "
              "(bypass; content:\"message\"; http_host; "
              "sid:3;)";
    FAIL_IF(UTHAppendSigs(de_ctx, sigs, 3) == 0);

    SCSigRegisterSignatureOrderingFuncs(de_ctx);
    SCSigOrderSignatures(de_ctx);
    SCSigSignatureOrderingModuleCleanup(de_ctx);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    FLOWLOCK_WRLOCK(&f);
    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
    FAIL_IF(r != 0);
    FLOWLOCK_UNLOCK(&f);

    http_state = f.alstate;
    FAIL_IF(http_state == NULL);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    FAIL_IF(PacketAlertCheck(p1, 1));

    FLOWLOCK_WRLOCK(&f);
    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
    FAIL_IF(r != 0);
    FLOWLOCK_UNLOCK(&f);
    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);

    FAIL_IF(!(PacketAlertCheck(p2, 2)));
    FAIL_IF(!(PacketAlertCheck(p1, 3)));

    FAIL_IF(callback_var == 0);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePacket(p1);
    UTHFreePacket(p2);
    ResetCallbackVar();
    SCFree(livedev);
    PASS;
}

static void DetectBypassRegisterTests(void)
{
    UtRegisterTest("DetectBypassTestSig01", DetectBypassTestSig01);
}
#endif /* UNITTESTS */
Commit	Line	Data
07564c4e GL	1	/* Copyright (C) 2016 Open Information Security Foundation
	2	*
	3	* You can copy, redistribute or modify this Program under the terms of
	4	* the GNU General Public License version 2 as published by the Free
	5	* Software Foundation.
	6	*
	7	* This program is distributed in the hope that it will be useful,
	8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	10	* GNU General Public License for more details.
	11	*
	12	* You should have received a copy of the GNU General Public License
	13	* version 2 along with this program; if not, write to the Free Software
	14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	15	* 02110-1301, USA.
	16	*/
	17
	18	/**
	19	* \file
	20	*
	21	* \author Giuseppe Longo <glongo@stamus-networks.com>
	22	*
	23	*/
	24
	25	#include "suricata-common.h"
	26	#include "threads.h"
	27	#include "app-layer.h"
	28	#include "app-layer-parser.h"
	29	#include "debug.h"
	30	#include "decode.h"
	31
	32	#include "detect.h"
	33	#include "detect-parse.h"
	34
	35	#include "detect-engine.h"
	36	#include "detect-engine-mpm.h"
	37	#include "detect-engine-state.h"
	38	#include "detect-engine-sigorder.h"
ab1200fb	39	#include "detect-bypass.h"
07564c4e GL	40
	41	#include "flow.h"
	42	#include "flow-var.h"
	43	#include "flow-util.h"
	44
	45	#include "stream-tcp.h"
	46
	47	#include "util-debug.h"
	48	#include "util-spm-bm.h"
	49	#include "util-unittest.h"
	50	#include "util-unittest-helper.h"
	51	#include "util-device.h"
	52
14896365	53	static int DetectBypassMatch(DetectEngineThreadCtx , Packet ,
bfd4bc82	54	const Signature , const SigMatchCtx );
ab1200fb	55	static int DetectBypassSetup(DetectEngineCtx , Signature , const char *);
6ab323d3	56	#ifdef UNITTESTS
07564c4e	57	static void DetectBypassRegisterTests(void);
6ab323d3	58	#endif
07564c4e GL	59
	60	/**
	61	* \brief Registration function for keyword: bypass
	62	*/
	63	void DetectBypassRegister(void)
	64	{
	65	sigmatch_table[DETECT_BYPASS].name = "bypass";
	66	sigmatch_table[DETECT_BYPASS].desc = "call the bypass callback when the match of a sig is complete";
26bcc975	67	sigmatch_table[DETECT_BYPASS].url = "/rules/bypass-keyword.html";
07564c4e	68	sigmatch_table[DETECT_BYPASS].Match = DetectBypassMatch;
07564c4e GL	69	sigmatch_table[DETECT_BYPASS].Setup = DetectBypassSetup;
07564c4e GL	70	sigmatch_table[DETECT_BYPASS].Free = NULL;
6ab323d3	71	#ifdef UNITTESTS
07564c4e	72	sigmatch_table[DETECT_BYPASS].RegisterTests = DetectBypassRegisterTests;
6ab323d3	73	#endif
07564c4e GL	74	sigmatch_table[DETECT_BYPASS].flags = SIGMATCH_NOOPT;
	75	}
	76
ab1200fb	77	static int DetectBypassSetup(DetectEngineCtx de_ctx, Signature s, const char *str)
07564c4e GL	78	{
	79	SigMatch *sm = NULL;
	80
	81	if (s->flags & SIG_FLAG_FILESTORE) {
	82	SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
	83	"bypass can't work with filestore keyword");
	84	return -1;
	85	}
	86	s->flags \|= SIG_FLAG_BYPASS;
	87
	88	sm = SigMatchAlloc();
	89	if (sm == NULL)
	90	return -1;
	91
	92	sm->type = DETECT_BYPASS;
	93	sm->ctx = NULL;
	94	SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
	95
	96	return 0;
	97	}
	98
14896365	99	static int DetectBypassMatch(DetectEngineThreadCtx det_ctx, Packet p,
bfd4bc82	100	const Signature s, const SigMatchCtx ctx)
07564c4e GL	101	{
	102	PacketBypassCallback(p);
	103
	104	return 1;
	105	}
	106
	107	#ifdef UNITTESTS
9c2c258f VJ	108	#include "app-layer-htp.h"
9c2c258f VJ	109
07564c4e GL	110	static int callback_var = 0;
07564c4e GL	111
ab1200fb	112	static int BypassCallback(Packet *p)
07564c4e GL	113	{
	114	callback_var = 1;
	115	return 1;
	116	}
	117
ab1200fb	118	static void ResetCallbackVar(void)
07564c4e GL	119	{
	120	callback_var = 0;
	121	}
	122
	123	static int DetectBypassTestSig01(void)
	124	{
	125	TcpSession ssn;
	126	Packet *p1 = NULL;
	127	Packet *p2 = NULL;
	128	ThreadVars th_v;
	129	DetectEngineCtx *de_ctx = NULL;
	130	DetectEngineThreadCtx *det_ctx = NULL;
	131	HtpState *http_state = NULL;
	132	Flow f;
	133	uint8_t http_buf1[] =
	134	"GET /index.html HTTP/1.0\r\n"
	135	"Host: This is dummy message body\r\n"
	136	"User-Agent: www.openinfosecfoundation.org\r\n"
	137	"Content-Type: text/html\r\n"
	138	"\r\n";
	139	uint32_t http_len1 = sizeof(http_buf1) - 1;
	140	uint8_t http_buf2[] =
	141	"HTTP/1.0 200 ok\r\n"
	142	"Content-Type: text/html\r\n"
	143	"Content-Length: 7\r\n"
	144	"\r\n"
	145	"message";
	146	uint32_t http_len2 = sizeof(http_buf2) - 1;
	147	AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
	148	LiveDevice *livedev = SCMalloc(sizeof(LiveDevice));
	149	FAIL_IF(livedev == NULL);
	150
	151	memset(&th_v, 0, sizeof(th_v));
	152	memset(&f, 0, sizeof(f));
	153	memset(&ssn, 0, sizeof(ssn));
	154
	155	p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
	156	FAIL_IF(p1 == NULL);
	157	p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
	158	FAIL_IF(p2 == NULL);
	159
	160	p1->BypassPacketsFlow = BypassCallback;
	161	p2->BypassPacketsFlow = BypassCallback;
	162
	163	FLOW_INITIALIZE(&f);
	164	f.protoctx = (void *)&ssn;
	165	f.proto = IPPROTO_TCP;
	166	f.flags \|= FLOW_IPV4;
	167
	168	p1->flow = &f;
	169	p1->flowflags \|= FLOW_PKT_TOSERVER;
	170	p1->flowflags \|= FLOW_PKT_ESTABLISHED;
	171	p1->flags \|= PKT_HAS_FLOW\|PKT_STREAM_EST;
	172	p1->livedev = livedev;
	173	p2->flow = &f;
	174	p2->flowflags \|= FLOW_PKT_TOCLIENT;
	175	p2->flowflags \|= FLOW_PKT_ESTABLISHED;
	176	p2->flags \|= PKT_HAS_FLOW\|PKT_STREAM_EST;
	177	p2->livedev = livedev;
707f0272	178	f.alproto = ALPROTO_HTTP1;
07564c4e	179
1eeb9669	180	StreamTcpInitConfig(true);
07564c4e GL	181
	182	de_ctx = DetectEngineCtxInit();
	183	FAIL_IF(de_ctx == NULL);
	184
	185	de_ctx->flags \|= DE_QUIET;
	186
ab1200fb	187	const char *sigs[3];
07564c4e GL	188	sigs[0] = "alert tcp any any -> any any (bypass; content:\"GET \"; sid:1;)";
	189	sigs[1] = "alert http any any -> any any "
	190	"(bypass; content:\"message\"; http_server_body; "
	191	"sid:2;)";
	192	sigs[2] = "alert http any any -> any any "
	193	"(bypass; content:\"message\"; http_host; "
	194	"sid:3;)";
	195	FAIL_IF(UTHAppendSigs(de_ctx, sigs, 3) == 0);
	196
	197	SCSigRegisterSignatureOrderingFuncs(de_ctx);
	198	SCSigOrderSignatures(de_ctx);
	199	SCSigSignatureOrderingModuleCleanup(de_ctx);
	200
	201	SigGroupBuild(de_ctx);
	202	DetectEngineThreadCtxInit(&th_v, (void )de_ctx, (void )&det_ctx);
	203
	204	FLOWLOCK_WRLOCK(&f);
707f0272 PA	205	int r = AppLayerParserParse(
707f0272 PA	206	NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
07564c4e GL	207	FAIL_IF(r != 0);
	208	FLOWLOCK_UNLOCK(&f);
	209
	210	http_state = f.alstate;
	211	FAIL_IF(http_state == NULL);
	212
	213	/* do detect */
	214	SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
	215
	216	FAIL_IF(PacketAlertCheck(p1, 1));
	217
	218	FLOWLOCK_WRLOCK(&f);
707f0272 PA	219	r = AppLayerParserParse(
707f0272 PA	220	NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
07564c4e GL	221	FAIL_IF(r != 0);
	222	FLOWLOCK_UNLOCK(&f);
	223	/* do detect */
	224	SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
	225
	226	FAIL_IF(!(PacketAlertCheck(p2, 2)));
	227	FAIL_IF(!(PacketAlertCheck(p1, 3)));
	228
	229	FAIL_IF(callback_var == 0);
	230
1eeb9669	231	StreamTcpFreeConfig(true);
07564c4e GL	232	FLOW_DESTROY(&f);
	233	UTHFreePacket(p1);
	234	UTHFreePacket(p2);
	235	ResetCallbackVar();
	236	SCFree(livedev);
	237	PASS;
	238	}
07564c4e	239
39613778	240	static void DetectBypassRegisterTests(void)
07564c4e	241	{
07564c4e	242	UtRegisterTest("DetectBypassTestSig01", DetectBypassTestSig01);
07564c4e	243	}
6ab323d3	244	#endif /* UNITTESTS */