1 /* Copyright (C) 2020 Open Information Security Foundation
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 * \author Frank Honza <frank.honza@dcso.de>
23 #include "suricata-common.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-mpm.h"
32 #include "detect-engine-prefilter.h"
33 #include "detect-urilen.h"
37 #include "flow-util.h"
39 #include "util-debug.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
44 #include "app-layer.h"
45 #include "app-layer-parser.h"
47 #include "detect-ike-nonce-payload.h"
48 #include "stream-tcp.h"
51 #include "app-layer-ike.h"
52 #include "rust-bindings.h"
/* Identifiers for the "ike.nonce_payload" keyword and its sticky buffer. */
#define KEYWORD_NAME_NONCE "ike.nonce_payload"
/* NOTE(review): this macro expands with a trailing ';'. The
 * `.url = "/rules/" KEYWORD_DOC_NONCE` statement in DetectIkeNonceRegister
 * relies on that terminator, so the macro only works as the last token of a
 * statement and cannot be used mid-expression. Moving the ';' to the use site
 * would be clearer, but both places must change together. */
#define KEYWORD_DOC_NONCE "ike-keywords.html#ike-nonce_payload";
#define BUFFER_NAME_NONCE "ike.nonce_payload"
#define BUFFER_DESC_NONCE "ike nonce payload"

/* Id of the nonce sticky buffer: assigned in DetectIkeNonceRegister from
 * DetectBufferTypeGetByName(BUFFER_NAME_NONCE) and consumed by
 * DetectNonceSetup() when a rule uses the keyword. */
static int g_buffer_nonce_id = 0;
/* Setup callback for the ike.nonce_payload keyword: makes the nonce sticky
 * buffer the active list for signature `s` and binds the signature to the IKE
 * app-layer protocol. `de_ctx` and `str` are not referenced by the visible
 * code.
 * NOTE(review): this listing omits the body braces and the statement after
 * each `if` (presumably the failure return) — only the two guards are shown. */
static int DetectNonceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
    /* Route the signature's subsequent buffer matches to the nonce list. */
    if (DetectBufferSetActiveList(s, g_buffer_nonce_id) < 0)
        /* … statement absent from listing … */
    /* A rule using this keyword must be an IKE rule. */
    if (DetectSignatureSetAppProto(s, ALPROTO_IKE) < 0)
        /* … statement absent from listing … */
/* Inspection-buffer getter for ike.nonce_payload. When nothing has been
 * installed yet for this inspection list, the nonce bytes are fetched from the
 * Rust IKE state via rs_ike_state_get_nonce() and set up in `buffer`, then the
 * rule's transforms are applied. `_f` and `_flow_flags` are not referenced by
 * the visible code.
 * NOTE(review): this listing omits the tail of the parameter list (`list_id`
 * is used below but its declaration is not shown), the declaration of
 * `b_len`, the statement after each `if` guard, and the return statements. */
static InspectionBuffer *GetNonceData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        /* … remaining parameter(s) absent from listing … */
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    /* Populate only when the buffer is still empty for this list; the
     * already-populated case is presumably reused (its path is not shown). */
    if (buffer->inspect == NULL) {
        const uint8_t *b = NULL;
        /* … declaration of b_len absent from listing … */
        /* The Rust side signals success with 1; any other value is treated as
         * "no nonce" (consequent not shown in this listing). */
        if (rs_ike_state_get_nonce(txv, &b, &b_len) != 1)
            /* … statement absent from listing … */
        /* Never hand a NULL or zero-length span to InspectionBufferSetup(). */
        if (b == NULL || b_len == 0)
            /* … statement absent from listing … */
        /* No copy is visible here, so `buffer` appears to reference the
         * parser-owned nonce bytes directly; their lifetime is presumably
         * bound to the transaction `txv` — confirm against the Rust binding. */
        InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
        InspectionBufferApplyTransforms(buffer, transforms);
93 void DetectIkeNonceRegister(void)
96 sigmatch_table
[DETECT_AL_IKE_NONCE
].name
= KEYWORD_NAME_NONCE
;
97 sigmatch_table
[DETECT_AL_IKE_NONCE
].url
=
98 "/rules/" KEYWORD_DOC_NONCE sigmatch_table
[DETECT_AL_IKE_NONCE
].desc
=
99 "sticky buffer to match on the IKE nonce_payload";
100 sigmatch_table
[DETECT_AL_IKE_NONCE
].Setup
= DetectNonceSetup
;
101 sigmatch_table
[DETECT_AL_IKE_NONCE
].flags
|= SIGMATCH_NOOPT
| SIGMATCH_INFO_STICKY_BUFFER
;
103 DetectAppLayerInspectEngineRegister2(BUFFER_NAME_NONCE
, ALPROTO_IKE
, SIG_FLAG_TOSERVER
, 1,
104 DetectEngineInspectBufferGeneric
, GetNonceData
);
106 DetectAppLayerMpmRegister2(BUFFER_NAME_NONCE
, SIG_FLAG_TOSERVER
, 1, PrefilterGenericMpmRegister
,
107 GetNonceData
, ALPROTO_IKE
, 1);
109 DetectAppLayerInspectEngineRegister2(BUFFER_NAME_NONCE
, ALPROTO_IKE
, SIG_FLAG_TOCLIENT
, 1,
110 DetectEngineInspectBufferGeneric
, GetNonceData
);
112 DetectAppLayerMpmRegister2(BUFFER_NAME_NONCE
, SIG_FLAG_TOCLIENT
, 1, PrefilterGenericMpmRegister
,
113 GetNonceData
, ALPROTO_IKE
, 1);
115 DetectBufferTypeSetDescriptionByName(BUFFER_NAME_NONCE
, BUFFER_DESC_NONCE
);
117 g_buffer_nonce_id
= DetectBufferTypeGetByName(BUFFER_NAME_NONCE
);
118 SCLogDebug("registering " BUFFER_NAME_NONCE
" rule option");