--- /dev/null
+/* Copyright (C) 2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Philippe Antoine <p.antoine@catenacyber.fr>
+ *
+ */
+
+#include "suricata-common.h"
+
+#include "util-byte.h"
+#include "detect-parse.h"
+#include "detect-engine-uint.h"
+
+/**
+ * \brief Regex for parsing our options
+ */
+#define PARSE_REGEX "^\\s*([0-9]*)?\\s*([<>=-]+)?\\s*([0-9]+)?\\s*$"
+
+static pcre *parse_regex;
+static pcre_extra *parse_regex_study;
+
+
+int DetectU32Match(const uint32_t parg, const DetectU32Data *du32)
+{
+ switch (du32->mode) {
+ case DETECT_UINT_EQ:
+ if (parg == du32->arg1) {
+ return 1;
+ }
+ return 0;
+ case DETECT_UINT_LT:
+ if (parg < du32->arg1) {
+ return 1;
+ }
+ return 0;
+ case DETECT_UINT_GT:
+ if (parg > du32->arg1) {
+ return 1;
+ }
+ return 0;
+ case DETECT_UINT_RA:
+ if (parg > du32->arg1 && parg < du32->arg2) {
+ return 1;
+ }
+ return 0;
+ default:
+ BUG_ON("unknown mode");
+ }
+ return 0;
+}
+
+
+/**
+ * \brief This function is used to parse u32 options passed via some u32 keyword
+ *
+ * \param u32str Pointer to the user provided u32 options
+ *
+ * \retval DetectU32Data pointer to DetectU32Data on success
+ * \retval NULL on failure
+ */
+
+DetectU32Data *DetectU32Parse (const char *u32str)
+{
+ DetectU32Data u32da;
+ DetectU32Data *u32d = NULL;
+ char arg1[16] = "";
+ char arg2[16] = "";
+ char arg3[16] = "";
+
+#define MAX_SUBSTRINGS 30
+ int ret = 0, res = 0;
+ int ov[MAX_SUBSTRINGS];
+
+ ret = pcre_exec(parse_regex, parse_regex_study, u32str, strlen(u32str), 0, 0, ov, MAX_SUBSTRINGS);
+ if (ret < 2 || ret > 4) {
+ SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 "", ret);
+ return NULL;
+ }
+
+ res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 1, arg1, sizeof(arg1));
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
+ return NULL;
+ }
+ SCLogDebug("Arg1 \"%s\"", arg1);
+
+ if (ret >= 3) {
+ res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 2, arg2, sizeof(arg2));
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
+ return NULL;
+ }
+ SCLogDebug("Arg2 \"%s\"", arg2);
+
+ if (ret >= 4) {
+ res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 3, arg3, sizeof(arg3));
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
+ return NULL;
+ }
+ SCLogDebug("Arg3 \"%s\"", arg3);
+ }
+ }
+
+ if (strlen(arg2) > 0) {
+ /*set the values*/
+ switch(arg2[0]) {
+ case '<':
+ case '>':
+ if (strlen(arg3) == 0)
+ return NULL;
+
+ if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg3), arg3) < 0) {
+ SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
+ return NULL;
+ }
+
+ SCLogDebug("u32 is %"PRIu32"",u32da.arg1);
+ if (strlen(arg1) > 0)
+ return NULL;
+
+ if (arg2[0] == '<') {
+ u32da.mode = DETECT_UINT_LT;
+ } else { // arg2[0] == '>'
+ u32da.mode = DETECT_UINT_GT;
+ }
+ break;
+ case '-':
+ if (strlen(arg1)== 0)
+ return NULL;
+ if (strlen(arg3)== 0)
+ return NULL;
+
+ u32da.mode = DETECT_UINT_RA;
+ if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
+ SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
+ return NULL;
+ }
+ if (ByteExtractStringUint32(&u32da.arg2, 10, strlen(arg3), arg3) < 0) {
+ SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
+ return NULL;
+ }
+
+ SCLogDebug("u32 is %"PRIu32" to %"PRIu32"", u32da.arg1, u32da.arg2);
+ if (u32da.arg1 >= u32da.arg2) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid u32 range. ");
+ return NULL;
+ }
+ break;
+ default:
+ u32da.mode = DETECT_UINT_EQ;
+
+ if (strlen(arg2) > 0 ||
+ strlen(arg3) > 0 ||
+ strlen(arg1) == 0)
+ return NULL;
+
+ if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
+ SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
+ return NULL;
+ }
+ }
+ } else {
+ u32da.mode = DETECT_UINT_EQ;
+
+ if (strlen(arg3) > 0 ||
+ strlen(arg1) == 0)
+ return NULL;
+
+ if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
+ SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
+ return NULL;
+ }
+ }
+ u32d = SCCalloc(1, sizeof (DetectU32Data));
+ if (unlikely(u32d == NULL))
+ return NULL;
+ u32d->arg1 = u32da.arg1;
+ u32d->arg2 = u32da.arg2;
+ u32d->mode = u32da.mode;
+
+ return u32d;
+}
+
+void
+PrefilterPacketU32Set(PrefilterPacketHeaderValue *v, void *smctx)
+{
+ const DetectU32Data *a = smctx;
+ v->u8[0] = a->mode;
+ v->u32[1] = a->arg1;
+ v->u32[2] = a->arg2;
+}
+
+bool
+PrefilterPacketU32Compare(PrefilterPacketHeaderValue v, void *smctx)
+{
+ const DetectU32Data *a = smctx;
+ if (v.u8[0] == a->mode &&
+ v.u32[1] == a->arg1 &&
+ v.u32[2] == a->arg2)
+ return true;
+ return false;
+}
+
+static bool g_detect_u32_registered = false;
+
+void DetectU32Register(void)
+{
+ if (g_detect_u32_registered == false) {
+ // register only once
+ DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
+ g_detect_u32_registered = true;
+ }
+}
--- /dev/null
+/* Copyright (C) 2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Philippe Antoine <p.antoine@catenacyber.fr>
+ */
+
+#ifndef __DETECT_ENGINE_UINT_H
+#define __DETECT_ENGINE_UINT_H
+
+#include "detect-engine-prefilter-common.h"
+
+typedef enum {
+ DETECT_UINT_LT,
+ DETECT_UINT_EQ,
+ DETECT_UINT_GT,
+ DETECT_UINT_RA,
+} DetectUintMode;
+
+typedef struct DetectU32Data_ {
+ uint32_t arg1; /**< first arg value in the signature*/
+ uint32_t arg2; /**< second arg value in the signature, in case of range
+ operator*/
+ DetectUintMode mode; /**< operator used in the signature */
+} DetectU32Data;
+
+int DetectU32Match(const uint32_t parg, const DetectU32Data *du32);
+DetectU32Data *DetectU32Parse (const char *u32str);
+void PrefilterPacketU32Set(PrefilterPacketHeaderValue *v, void *smctx);
+bool PrefilterPacketU32Compare(PrefilterPacketHeaderValue v, void *smctx);
+void DetectU32Register(void);
+
+#endif /* __DETECT_UTIL_UINT_H */
projects / thirdparty / suricata.git / commitdiff
