bendy = { version = "~0.3.3", default-features = false }
asn1-rs = { version = "~0.6.1" }
ldap-parser = { version = "~0.4.0" }
+hex = "~0.4.3"
time = "~0.3.36"
[dev-dependencies]
test-case = "~3.3.1"
-hex = "~0.4.3"
}
pub(crate) const SIGMATCH_NOOPT: u16 = 1; // BIT_U16(0) in detect.h
+pub(crate) const SIGMATCH_QUOTES_MANDATORY: u16 = 0x40; // BIT_U16(6) in detect.h
pub(crate) const SIGMATCH_INFO_STICKY_BUFFER: u16 = 0x200; // BIT_U16(9)
/// cbindgen:ignore
pub mod hash;
pub mod http_headers;
pub mod strip_whitespace;
+pub mod xor;
#[repr(C)]
#[allow(non_snake_case)]
--- /dev/null
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+use super::{
+ DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
+ InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
+};
+use crate::detect::SIGMATCH_QUOTES_MANDATORY;
+
+use std::ffi::CStr;
+use std::os::raw::{c_int, c_void};
+
+static mut G_TRANSFORM_XOR_ID: c_int = 0;
+
+#[derive(Debug, PartialEq)]
+struct DetectTransformXorData {
+ key: Vec<u8>,
+}
+
+fn xor_parse_do(i: &str) -> Option<DetectTransformXorData> {
+ if i.len() % 2 != 0 {
+ SCLogError!("XOR transform key's length must be an even number");
+ return None;
+ }
+ if i.len() / 2 > u8::MAX.into() {
+ SCLogError!("Key length too big for XOR transform");
+ return None;
+ }
+ if let Ok(key) = hex::decode(i) {
+ return Some(DetectTransformXorData { key });
+ }
+ SCLogError!("XOR transform key must be hexadecimal characters only");
+ return None;
+}
+
+unsafe fn xor_parse(raw: *const std::os::raw::c_char) -> *mut c_void {
+ let raw: &CStr = CStr::from_ptr(raw); //unsafe
+ if let Ok(s) = raw.to_str() {
+ if let Some(ctx) = xor_parse_do(s) {
+ let boxed = Box::new(ctx);
+ return Box::into_raw(boxed) as *mut _;
+ }
+ }
+ return std::ptr::null_mut();
+}
+
+#[no_mangle]
+unsafe extern "C" fn xor_setup(
+ _de: *mut c_void, s: *mut c_void, opt_str: *const std::os::raw::c_char,
+) -> c_int {
+ let ctx = xor_parse(opt_str);
+ if ctx.is_null() {
+ return -1;
+ }
+ return DetectSignatureAddTransform(s, G_TRANSFORM_XOR_ID, ctx);
+}
+
+fn xor_transform_do(input: &[u8], output: &mut [u8], ctx: &DetectTransformXorData) {
+ let mut ki = 0;
+ for (i, o) in input.iter().zip(output.iter_mut()) {
+ *o = (*i) ^ ctx.key[ki];
+ ki = (ki + 1) % ctx.key.len();
+ }
+}
+
+#[no_mangle]
+unsafe extern "C" fn xor_transform(buffer: *mut c_void, ctx: *mut c_void) {
+ let input = InspectionBufferPtr(buffer);
+ let input_len = InspectionBufferLength(buffer);
+ if input.is_null() || input_len == 0 {
+ return;
+ }
+ let input = build_slice!(input, input_len as usize);
+
+ let output = InspectionBufferCheckAndExpand(buffer, input_len);
+ if output.is_null() {
+ // allocation failure
+ return;
+ }
+ let output = std::slice::from_raw_parts_mut(output, input_len as usize);
+
+ let ctx = cast_pointer!(ctx, DetectTransformXorData);
+ xor_transform_do(input, output, ctx);
+
+ InspectionBufferTruncate(buffer, input_len);
+}
+
+unsafe extern "C" fn xor_free(_de: *mut c_void, ctx: *mut c_void) {
+ std::mem::drop(Box::from_raw(ctx as *mut DetectTransformXorData));
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn DetectTransformXorRegister() {
+ let kw = SCTransformTableElmt {
+ name: b"xor\0".as_ptr() as *const libc::c_char,
+ desc: b"modify buffer via XOR decoding before inspection\0".as_ptr() as *const libc::c_char,
+ url: b"/rules/transforms.html#xor\0".as_ptr() as *const libc::c_char,
+ Setup: xor_setup,
+ flags: SIGMATCH_QUOTES_MANDATORY,
+ Transform: xor_transform,
+ Free: Some(xor_free),
+ TransformValidate: None,
+ };
+ unsafe {
+ G_TRANSFORM_XOR_ID = DetectHelperTransformRegister(&kw);
+ if G_TRANSFORM_XOR_ID < 0 {
+ SCLogWarning!("Failed registering transform dot_prefix");
+ }
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn test_xor_parse() {
+ assert!(xor_parse_do("nohexa").is_none());
+ let key = b"\x0a\x0d\xc8\xff";
+ assert_eq!(
+ xor_parse_do("0a0DC8ff"),
+ Some(DetectTransformXorData { key: key.to_vec() })
+ );
+ }
+
+ #[test]
+ fn test_xor_transform() {
+ let buf = b"example.com";
+ let mut out = vec![0; buf.len()];
+ let ctx = xor_parse_do("0a0DC8ff").unwrap();
+ xor_transform_do(buf, &mut out, &ctx);
+ assert_eq!(out, b"ou\xa9\x92za\xad\xd1ib\xa5");
+ }
+}
detect-transform-base64.h \
detect-transform-pcrexform.h \
detect-transform-urldecode.h \
- detect-transform-xor.h \
detect-ttl.h \
detect-udphdr.h \
detect-uricontent.h \
detect-transform-base64.c \
detect-transform-pcrexform.c \
detect-transform-urldecode.c \
- detect-transform-xor.c \
detect-ttl.c \
detect-udphdr.c \
detect-uricontent.c \
tests/detect-icmpv6hdr.c \
tests/detect-template.c \
tests/detect-transform-pcrexform.c \
- tests/detect-transform-xor.c \
tests/detect-ttl.c \
tests/source-pcap.c \
tests/app-layer-htp-file.c \
#include "detect-transform-pcrexform.h"
#include "detect-transform-urldecode.h"
-#include "detect-transform-xor.h"
#include "detect-transform-base64.h"
#include "util-rule-vars.h"
+++ /dev/null
-/* Copyright (C) 2021 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Philippe Antoine <contact@catenacyber.fr>
- *
- * Implements the xor transform keyword with option support
- */
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "detect-engine.h"
-#include "detect-parse.h"
-#include "detect-transform-xor.h"
-
-typedef struct DetectTransformXorData {
- uint8_t *key;
- // limit the key length
- uint8_t length;
-} DetectTransformXorData;
-
-static int DetectTransformXorSetup(DetectEngineCtx *, Signature *, const char *);
-static void DetectTransformXorFree(DetectEngineCtx *, void *);
-static void DetectTransformXor(InspectionBuffer *buffer, void *options);
-#ifdef UNITTESTS
-void DetectTransformXorRegisterTests(void);
-#endif
-
-void DetectTransformXorRegister(void)
-{
- sigmatch_table[DETECT_TRANSFORM_XOR].name = "xor";
- sigmatch_table[DETECT_TRANSFORM_XOR].desc = "modify buffer via XOR decoding before inspection";
- sigmatch_table[DETECT_TRANSFORM_XOR].url = "/rules/transforms.html#xor";
- sigmatch_table[DETECT_TRANSFORM_XOR].Transform = DetectTransformXor;
- sigmatch_table[DETECT_TRANSFORM_XOR].Free = DetectTransformXorFree;
- sigmatch_table[DETECT_TRANSFORM_XOR].Setup = DetectTransformXorSetup;
-#ifdef UNITTESTS
- sigmatch_table[DETECT_TRANSFORM_XOR].RegisterTests = DetectTransformXorRegisterTests;
-#endif
- sigmatch_table[DETECT_TRANSFORM_XOR].flags |= SIGMATCH_QUOTES_MANDATORY;
-}
-
-static void DetectTransformXorFree(DetectEngineCtx *de_ctx, void *ptr)
-{
- if (ptr != NULL) {
- DetectTransformXorData *pxd = (DetectTransformXorData *)ptr;
- SCFree(pxd->key);
- SCFree(pxd);
- }
-}
-
-/**
- * \internal
- * \brief Apply the xor keyword to the last pattern match
- * \param det_ctx detection engine ctx
- * \param s signature
- * \param optstr options string
- * \retval 0 ok
- * \retval -1 failure
- */
-static int DetectTransformXorSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
-{
- SCEnter();
-
- // Create pxd from optstr
- DetectTransformXorData *pxd = SCCalloc(1, sizeof(*pxd));
- if (pxd == NULL) {
- SCLogError("memory allocation failed");
- SCReturnInt(-1);
- }
-
- size_t keylen = strlen(optstr);
- if (keylen % 2 == 1) {
- SCLogError("XOR transform key's length must be an even number");
- DetectTransformXorFree(de_ctx, pxd);
- SCReturnInt(-1);
- }
- if (keylen / 2 > UINT8_MAX) {
- SCLogError("Key length too big for XOR transform");
- DetectTransformXorFree(de_ctx, pxd);
- SCReturnInt(-1);
- }
- pxd->length = (uint8_t)(keylen / 2);
- pxd->key = SCMalloc(keylen / 2);
- if (pxd->key == NULL) {
- SCLogError("memory allocation failed");
- DetectTransformXorFree(de_ctx, pxd);
- SCReturnInt(-1);
- }
- for (size_t i = 0; i < keylen / 2; i++) {
- if ((isxdigit(optstr[2 * i])) && (isxdigit(optstr[2 * i + 1]))) {
- pxd->key[i] = (uint8_t)((optstr[2 * i] >= 'A' ? ((optstr[2 * i] & 0xdf) - 'A') + 10
- : (optstr[2 * i] - '0'))
- << 4);
- pxd->key[i] |= (optstr[2 * i + 1] >= 'A' ? ((optstr[2 * i + 1] & 0xdf) - 'A') + 10
- : (optstr[2 * i + 1] - '0'));
- } else {
- SCLogError("XOR transform key must be hexadecimal characters only");
- DetectTransformXorFree(de_ctx, pxd);
- SCReturnInt(-1);
- }
- }
-
- int r = DetectSignatureAddTransform(s, DETECT_TRANSFORM_XOR, pxd);
- if (r != 0) {
- DetectTransformXorFree(de_ctx, pxd);
- }
-
- SCReturnInt(r);
-}
-
-static void DetectTransformXor(InspectionBuffer *buffer, void *options)
-{
- const uint8_t *input = buffer->inspect;
- const uint32_t input_len = buffer->inspect_len;
- DetectTransformXorData *pxd = options;
- if (input_len == 0) {
- return;
- }
- uint8_t output[input_len];
-
- for (uint32_t i = 0; i < input_len; i++) {
- output[i] = input[i] ^ pxd->key[i % pxd->length];
- }
- InspectionBufferCopy(buffer, output, input_len);
-}
-
-#ifdef UNITTESTS
-#include "tests/detect-transform-xor.c"
-#endif
+++ /dev/null
-/* Copyright (C) 2021 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Philippe Antoine <contact@catenacyber.fr>
- */
-
-#ifndef SURICATA_DETECT_TRANSFORM_XOR_H
-#define SURICATA_DETECT_TRANSFORM_XOR_H
-
-/* prototypes */
-void DetectTransformXorRegister(void);
-
-#endif /* SURICATA_DETECT_TRANSFORM_XOR_H */
+++ /dev/null
-/* Copyright (C) 2021 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-#include "../suricata-common.h"
-
-#include "../detect-engine.h"
-
-#include "../detect-transform-xor.h"
-
-#include "../util-unittest.h"
-
-/**
- * \test signature with an invalid xor value.
- */
-
-static int DetectTransformXorParseTest01(void)
-{
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
-
- Signature *sig = DetectEngineAppendSig(de_ctx, "alert tcp any any <> any 1 xor:\"nohexa\";");
- FAIL_IF_NOT_NULL(sig);
-
- DetectEngineCtxFree(de_ctx);
- PASS;
-}
-
-/**
- * \test signature with a valid xor value.
- */
-
-static int DetectTransformXorParseTest02(void)
-{
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
-
- Signature *sig = DetectEngineAppendSig(de_ctx,
- "alert http any any -> any any (msg:\"HTTP with xor\"; http.request_line; "
- "xor:\"0a0DC8ff\"; content:\"/z4d4kWk.jpg\"; sid:1;)");
- FAIL_IF_NULL(sig);
-
- DetectEngineCtxFree(de_ctx);
- PASS;
-}
-
-/**
- * \brief this function registers unit tests for DetectTransformXor
- */
-void DetectTransformXorRegisterTests(void)
-{
- UtRegisterTest("DetectTransformXorParseTest01", DetectTransformXorParseTest01);
- UtRegisterTest("DetectTransformXorParseTest02", DetectTransformXorParseTest02);
-}