1 /* Copyright (C) 2007-2020 Open Information Security Foundation
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
21 * \author Victor Julien <victor@inliniac.net>
23 * Implements the xbits keyword
26 #include "suricata-common.h"
31 #include "flow-util.h"
32 #include "detect-xbits.h"
33 #include "detect-hostbits.h"
35 #include "util-byte.h"
37 #include "detect-engine-sigorder.h"
39 #include "app-layer-parser.h"
41 #include "detect-parse.h"
42 #include "detect-engine.h"
43 #include "detect-engine-mpm.h"
44 #include "detect-engine-state.h"
48 #include "ippair-bit.h"
49 #include "util-var-name.h"
50 #include "util-unittest.h"
51 #include "util-debug.h"
54 xbits:set,bitname,track ip_pair,expire 60
57 #define PARSE_REGEX "^([a-z]+)" "(?:,\\s*([^,]+))?" "(?:,\\s*(?:track\\s+([^,]+)))" "(?:,\\s*(?:expire\\s+([^,]+)))?"
58 static DetectParseRegex parse_regex
;
60 static int DetectXbitMatch (DetectEngineThreadCtx
*, Packet
*, const Signature
*, const SigMatchCtx
*);
61 static int DetectXbitSetup (DetectEngineCtx
*, Signature
*, const char *);
63 static void XBitsRegisterTests(void);
65 static void DetectXbitFree (DetectEngineCtx
*, void *);
67 void DetectXbitsRegister (void)
69 sigmatch_table
[DETECT_XBITS
].name
= "xbits";
70 sigmatch_table
[DETECT_XBITS
].desc
= "operate on bits";
71 sigmatch_table
[DETECT_XBITS
].url
= "/rules/xbits.html";
72 sigmatch_table
[DETECT_XBITS
].Match
= DetectXbitMatch
;
73 sigmatch_table
[DETECT_XBITS
].Setup
= DetectXbitSetup
;
74 sigmatch_table
[DETECT_XBITS
].Free
= DetectXbitFree
;
76 sigmatch_table
[DETECT_XBITS
].RegisterTests
= XBitsRegisterTests
;
78 /* this is compatible to ip-only signatures */
79 sigmatch_table
[DETECT_XBITS
].flags
|= SIGMATCH_IPONLY_COMPAT
;
81 DetectSetupParseRegexes(PARSE_REGEX
, &parse_regex
);
84 static int DetectIPPairbitMatchToggle (Packet
*p
, const DetectXbitsData
*fd
)
86 IPPair
*pair
= IPPairGetIPPairFromHash(&p
->src
, &p
->dst
);
90 IPPairBitToggle(pair
,fd
->idx
,p
->ts
.tv_sec
+ fd
->expire
);
95 /* return true even if bit not found */
96 static int DetectIPPairbitMatchUnset (Packet
*p
, const DetectXbitsData
*fd
)
98 IPPair
*pair
= IPPairLookupIPPairFromHash(&p
->src
, &p
->dst
);
102 IPPairBitUnset(pair
,fd
->idx
);
107 static int DetectIPPairbitMatchSet (Packet
*p
, const DetectXbitsData
*fd
)
109 IPPair
*pair
= IPPairGetIPPairFromHash(&p
->src
, &p
->dst
);
113 IPPairBitSet(pair
, fd
->idx
, p
->ts
.tv_sec
+ fd
->expire
);
118 static int DetectIPPairbitMatchIsset (Packet
*p
, const DetectXbitsData
*fd
)
121 IPPair
*pair
= IPPairLookupIPPairFromHash(&p
->src
, &p
->dst
);
125 r
= IPPairBitIsset(pair
,fd
->idx
,p
->ts
.tv_sec
);
130 static int DetectIPPairbitMatchIsnotset (Packet
*p
, const DetectXbitsData
*fd
)
133 IPPair
*pair
= IPPairLookupIPPairFromHash(&p
->src
, &p
->dst
);
137 r
= IPPairBitIsnotset(pair
,fd
->idx
,p
->ts
.tv_sec
);
142 static int DetectXbitMatchIPPair(Packet
*p
, const DetectXbitsData
*xd
)
145 case DETECT_XBITS_CMD_ISSET
:
146 return DetectIPPairbitMatchIsset(p
,xd
);
147 case DETECT_XBITS_CMD_ISNOTSET
:
148 return DetectIPPairbitMatchIsnotset(p
,xd
);
149 case DETECT_XBITS_CMD_SET
:
150 return DetectIPPairbitMatchSet(p
,xd
);
151 case DETECT_XBITS_CMD_UNSET
:
152 return DetectIPPairbitMatchUnset(p
,xd
);
153 case DETECT_XBITS_CMD_TOGGLE
:
154 return DetectIPPairbitMatchToggle(p
,xd
);
156 SCLogError(SC_ERR_UNKNOWN_VALUE
, "unknown cmd %" PRIu32
"", xd
->cmd
);
163 * returns 0: no match
168 static int DetectXbitMatch (DetectEngineThreadCtx
*det_ctx
, Packet
*p
, const Signature
*s
, const SigMatchCtx
*ctx
)
170 const DetectXbitsData
*fd
= (const DetectXbitsData
*)ctx
;
175 case VAR_TYPE_HOST_BIT
:
176 return DetectXbitMatchHost(p
, (const DetectXbitsData
*)fd
);
178 case VAR_TYPE_IPPAIR_BIT
:
179 return DetectXbitMatchIPPair(p
, (const DetectXbitsData
*)fd
);
188 * \brief parse xbits rule options
191 * \param[out] cdout return DetectXbitsData structure or NULL if noalert
193 static int DetectXbitParse(DetectEngineCtx
*de_ctx
,
194 const char *rawstr
, DetectXbitsData
**cdout
)
196 DetectXbitsData
*cd
= NULL
;
199 int ret
= 0, res
= 0;
201 char fb_cmd_str
[16] = "", fb_name
[256] = "";
202 char hb_dir_str
[16] = "";
203 enum VarTypes var_type
= VAR_TYPE_NOT_SET
;
204 uint32_t expire
= DETECT_XBITS_EXPIRE_DEFAULT
;
206 ret
= DetectParsePcreExec(&parse_regex
, rawstr
, 0, 0);
207 if (ret
!= 2 && ret
!= 3 && ret
!= 4 && ret
!= 5) {
208 SCLogError(SC_ERR_PCRE_MATCH
, "\"%s\" is not a valid setting for xbits.", rawstr
);
211 SCLogDebug("ret %d, %s", ret
, rawstr
);
212 pcre2len
= sizeof(fb_cmd_str
);
213 res
= pcre2_substring_copy_bynumber(
214 parse_regex
.match
, 1, (PCRE2_UCHAR8
*)fb_cmd_str
, &pcre2len
);
216 SCLogError(SC_ERR_PCRE_GET_SUBSTRING
, "pcre2_substring_copy_bynumber failed");
221 pcre2len
= sizeof(fb_name
);
222 res
= pcre2_substring_copy_bynumber(
223 parse_regex
.match
, 2, (PCRE2_UCHAR8
*)fb_name
, &pcre2len
);
225 SCLogError(SC_ERR_PCRE_GET_SUBSTRING
, "pcre2_substring_copy_bynumber failed");
229 pcre2len
= sizeof(hb_dir_str
);
230 res
= pcre2_substring_copy_bynumber(
231 parse_regex
.match
, 3, (PCRE2_UCHAR8
*)hb_dir_str
, &pcre2len
);
233 SCLogError(SC_ERR_PCRE_GET_SUBSTRING
, "pcre2_substring_copy_bynumber failed");
236 SCLogDebug("hb_dir_str %s", hb_dir_str
);
237 if (strlen(hb_dir_str
) > 0) {
238 if (strcmp(hb_dir_str
, "ip_src") == 0) {
239 hb_dir
= DETECT_XBITS_TRACK_IPSRC
;
240 var_type
= VAR_TYPE_HOST_BIT
;
241 } else if (strcmp(hb_dir_str
, "ip_dst") == 0) {
242 hb_dir
= DETECT_XBITS_TRACK_IPDST
;
243 var_type
= VAR_TYPE_HOST_BIT
;
244 } else if (strcmp(hb_dir_str
, "ip_pair") == 0) {
245 hb_dir
= DETECT_XBITS_TRACK_IPPAIR
;
246 var_type
= VAR_TYPE_IPPAIR_BIT
;
254 char expire_str
[16] = "";
255 pcre2len
= sizeof(expire_str
);
256 res
= pcre2_substring_copy_bynumber(
257 parse_regex
.match
, 4, (PCRE2_UCHAR8
*)expire_str
, &pcre2len
);
259 SCLogError(SC_ERR_PCRE_GET_SUBSTRING
, "pcre2_substring_copy_bynumber failed");
262 SCLogDebug("expire_str %s", expire_str
);
263 if (StringParseUint32(&expire
, 10, 0, (const char *)expire_str
) < 0) {
264 SCLogError(SC_ERR_INVALID_VALUE
, "Invalid value for "
265 "expire: \"%s\"", expire_str
);
269 SCLogError(SC_ERR_INVALID_VALUE
, "expire must be bigger than 0");
272 SCLogDebug("expire %d", expire
);
277 if (strcmp(fb_cmd_str
,"noalert") == 0) {
278 fb_cmd
= DETECT_XBITS_CMD_NOALERT
;
279 } else if (strcmp(fb_cmd_str
,"isset") == 0) {
280 fb_cmd
= DETECT_XBITS_CMD_ISSET
;
281 } else if (strcmp(fb_cmd_str
,"isnotset") == 0) {
282 fb_cmd
= DETECT_XBITS_CMD_ISNOTSET
;
283 } else if (strcmp(fb_cmd_str
,"set") == 0) {
284 fb_cmd
= DETECT_XBITS_CMD_SET
;
285 } else if (strcmp(fb_cmd_str
,"unset") == 0) {
286 fb_cmd
= DETECT_XBITS_CMD_UNSET
;
287 } else if (strcmp(fb_cmd_str
,"toggle") == 0) {
288 fb_cmd
= DETECT_XBITS_CMD_TOGGLE
;
290 SCLogError(SC_ERR_UNKNOWN_VALUE
, "xbits action \"%s\" is not supported.", fb_cmd_str
);
295 case DETECT_XBITS_CMD_NOALERT
: {
296 if (strlen(fb_name
) != 0)
298 /* return ok, cd is NULL. Flag sig. */
302 case DETECT_XBITS_CMD_ISNOTSET
:
303 case DETECT_XBITS_CMD_ISSET
:
304 case DETECT_XBITS_CMD_SET
:
305 case DETECT_XBITS_CMD_UNSET
:
306 case DETECT_XBITS_CMD_TOGGLE
:
308 if (strlen(fb_name
) == 0)
313 cd
= SCMalloc(sizeof(DetectXbitsData
));
314 if (unlikely(cd
== NULL
))
317 cd
->idx
= VarNameStoreSetupAdd(fb_name
, var_type
);
319 cd
->tracker
= hb_dir
;
323 SCLogDebug("idx %" PRIu32
", cmd %s, name %s",
324 cd
->idx
, fb_cmd_str
, strlen(fb_name
) ? fb_name
: "(none)");
330 int DetectXbitSetup (DetectEngineCtx
*de_ctx
, Signature
*s
, const char *rawstr
)
333 DetectXbitsData
*cd
= NULL
;
335 int result
= DetectXbitParse(de_ctx
, rawstr
, &cd
);
338 /* noalert doesn't use a cd/sm struct. It flags the sig. We're done. */
339 } else if (result
== 0 && cd
== NULL
) {
340 s
->flags
|= SIG_FLAG_NOALERT
;
344 /* Okay so far so good, lets get this into a SigMatch
345 * and put it in the Signature. */
346 sm
= SigMatchAlloc();
350 sm
->type
= DETECT_XBITS
;
351 sm
->ctx
= (void *)cd
;
354 /* case DETECT_XBITS_CMD_NOALERT can't happen here */
356 case DETECT_XBITS_CMD_ISNOTSET
:
357 case DETECT_XBITS_CMD_ISSET
:
358 /* checks, so packet list */
359 SigMatchAppendSMToList(s
, sm
, DETECT_SM_LIST_MATCH
);
362 case DETECT_XBITS_CMD_SET
:
363 case DETECT_XBITS_CMD_UNSET
:
364 case DETECT_XBITS_CMD_TOGGLE
:
365 /* modifiers, only run when entire sig has matched */
366 SigMatchAppendSMToList(s
, sm
, DETECT_SM_LIST_POSTMATCH
);
378 static void DetectXbitFree (DetectEngineCtx
*de_ctx
, void *ptr
)
380 DetectXbitsData
*fd
= (DetectXbitsData
*)ptr
;
390 static void XBitsTestSetup(void)
396 HostInitConfig(true);
397 IPPairInitConfig(true);
400 static void XBitsTestShutdown(void)
408 static int XBitsTestParse01(void)
410 DetectEngineCtx
*de_ctx
= NULL
;
411 de_ctx
= DetectEngineCtxInit();
412 FAIL_IF_NULL(de_ctx
);
413 de_ctx
->flags
|= DE_QUIET
;
414 DetectXbitsData
*cd
= NULL
;
416 #define BAD_INPUT(str) \
417 FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == -1);
420 BAD_INPUT("n0alert");
421 BAD_INPUT("nOalert");
422 BAD_INPUT("set,abc,track nonsense, expire 3600");
423 BAD_INPUT("set,abc,track ip_source, expire 3600");
424 BAD_INPUT("set,abc,track ip_src, expire -1");
425 BAD_INPUT("set,abc,track ip_src, expire 0");
429 #define GOOD_INPUT(str, command, trk, typ, exp) \
430 FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == 0); \
432 FAIL_IF_NOT(cd->cmd == (command)); \
433 FAIL_IF_NOT(cd->tracker == (trk)); \
434 FAIL_IF_NOT(cd->type == (typ)); \
435 FAIL_IF_NOT(cd->expire == (exp)); \
436 DetectXbitFree(NULL, cd); \
439 GOOD_INPUT("set,abc,track ip_pair",
440 DETECT_XBITS_CMD_SET
,
441 DETECT_XBITS_TRACK_IPPAIR
, VAR_TYPE_IPPAIR_BIT
,
442 DETECT_XBITS_EXPIRE_DEFAULT
);
443 GOOD_INPUT("set,abc,track ip_pair, expire 3600",
444 DETECT_XBITS_CMD_SET
,
445 DETECT_XBITS_TRACK_IPPAIR
, VAR_TYPE_IPPAIR_BIT
,
447 GOOD_INPUT("set,abc,track ip_src, expire 1234",
448 DETECT_XBITS_CMD_SET
,
449 DETECT_XBITS_TRACK_IPSRC
, VAR_TYPE_HOST_BIT
,
454 DetectEngineCtxFree(de_ctx
);
462 static int XBitsTestSig01(void)
464 uint8_t *buf
= (uint8_t *)
465 "GET /one/ HTTP/1.1\r\n"
466 "Host: one.example.org\r\n"
468 uint16_t buflen
= strlen((char *)buf
);
469 Packet
*p
= SCMalloc(SIZE_OF_PACKET
);
473 DetectEngineThreadCtx
*det_ctx
= NULL
;
474 DetectEngineCtx
*de_ctx
= NULL
;
476 memset(&th_v
, 0, sizeof(th_v
));
477 memset(p
, 0, SIZE_OF_PACKET
);
478 p
->src
.family
= AF_INET
;
479 p
->dst
.family
= AF_INET
;
481 p
->payload_len
= buflen
;
482 p
->proto
= IPPROTO_TCP
;
486 de_ctx
= DetectEngineCtxInit();
487 FAIL_IF_NULL(de_ctx
);
488 de_ctx
->flags
|= DE_QUIET
;
490 s
= DetectEngineAppendSig(de_ctx
,
491 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:1;)");
494 SigGroupBuild(de_ctx
);
495 DetectEngineThreadCtxInit(&th_v
, (void *)de_ctx
, (void *)&det_ctx
);
496 SigMatchSignatures(&th_v
, de_ctx
, det_ctx
, p
);
497 DetectEngineThreadCtxDeinit(&th_v
, (void *)det_ctx
);
498 DetectEngineCtxFree(de_ctx
);
501 StatsThreadCleanup(&th_v
);
502 StatsReleaseResources();
507 * \test various options
509 * \retval 1 on succces
510 * \retval 0 on failure
513 static int XBitsTestSig02(void)
516 DetectEngineCtx
*de_ctx
= NULL
;
517 de_ctx
= DetectEngineCtxInit();
518 FAIL_IF_NULL(de_ctx
);
519 de_ctx
->flags
|= DE_QUIET
;
521 s
= DetectEngineAppendSig(de_ctx
,
522 "alert ip any any -> any any (xbits:isset,abc,track ip_src; content:\"GET \"; sid:1;)");
525 s
= DetectEngineAppendSig(de_ctx
,
526 "alert ip any any -> any any (xbits:isnotset,abc,track ip_dst; content:\"GET \"; sid:2;)");
529 s
= DetectEngineAppendSig(de_ctx
,
530 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:3;)");
533 s
= DetectEngineAppendSig(de_ctx
,
534 "alert ip any any -> any any (xbits:unset,abc,track ip_src; content:\"GET \"; sid:4;)");
537 s
= DetectEngineAppendSig(de_ctx
,
538 "alert ip any any -> any any (xbits:toggle,abc,track ip_dst; content:\"GET \"; sid:5;)");
541 s
= DetectEngineAppendSig(de_ctx
,
542 "alert ip any any -> any any (xbits:!set,abc,track ip_dst; content:\"GET \"; sid:6;)");
545 DetectEngineCtxFree(de_ctx
);
550 * \brief this function registers unit tests for XBits
552 static void XBitsRegisterTests(void)
554 UtRegisterTest("XBitsTestParse01", XBitsTestParse01
);
555 UtRegisterTest("XBitsTestSig01", XBitsTestSig01
);
556 UtRegisterTest("XBitsTestSig02", XBitsTestSig02
);
558 #endif /* UNITTESTS */