From: Philippe Antoine <contact@catenacyber.fr>
Date: Thu, 5 Mar 2020 14:39:37 +0000 (+0100)
Subject: detect: adds utility file for uint keywords
X-Git-Tag: suricata-6.0.0-beta1~629
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=75ec528384a5b75c99de110dd41863992b550f1b;p=thirdparty%2Fsuricata.git

detect: adds utility file for uint keywords
---

diff --git a/src/Makefile.am b/src/Makefile.am
index 6ac999b9dd..82e59aa776 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -148,6 +148,7 @@ detect-engine-sigorder.c detect-engine-sigorder.h \
 detect-engine-state.c detect-engine-state.h \
 detect-engine-tag.c detect-engine-tag.h \
 detect-engine-threshold.c detect-engine-threshold.h \
+detect-engine-uint.c detect-engine-uint.h \
 detect-fast-pattern.c detect-fast-pattern.h \
 detect-file-data.c detect-file-data.h \
 detect-file-hash-common.c detect-file-hash-common.h \
diff --git a/src/detect-engine-uint.c b/src/detect-engine-uint.c
new file mode 100644
index 0000000000..f377211e2e
--- /dev/null
+++ b/src/detect-engine-uint.c
@@ -0,0 +1,231 @@
+/* Copyright (C) 2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Philippe Antoine <p.antoine@catenacyber.fr>
+ *
+ */
+
+#include "suricata-common.h"
+
+#include "util-byte.h"
+#include "detect-parse.h"
+#include "detect-engine-uint.h"
+
+/**
+ * \brief Regex for parsing our options
+ */
+#define PARSE_REGEX  "^\\s*([0-9]*)?\\s*([<>=-]+)?\\s*([0-9]+)?\\s*$"
+
+static pcre *parse_regex;
+static pcre_extra *parse_regex_study;
+
+
+int DetectU32Match(const uint32_t parg, const DetectU32Data *du32)
+{
+    switch (du32->mode) {
+        case DETECT_UINT_EQ:
+            if (parg == du32->arg1) {
+                return 1;
+            }
+            return 0;
+        case DETECT_UINT_LT:
+            if (parg < du32->arg1) {
+                return 1;
+            }
+            return 0;
+        case DETECT_UINT_GT:
+            if (parg > du32->arg1) {
+                return 1;
+            }
+            return 0;
+        case DETECT_UINT_RA:
+            if (parg > du32->arg1 && parg < du32->arg2) {
+                return 1;
+            }
+            return 0;
+        default:
+            BUG_ON("unknown mode");
+    }
+    return 0;
+}
+
+
+/**
+ * \brief This function is used to parse u32 options passed via some u32 keyword
+ *
+ * \param u32str Pointer to the user provided u32 options
+ *
+ * \retval DetectU32Data pointer to DetectU32Data on success
+ * \retval NULL on failure
+ */
+
+DetectU32Data *DetectU32Parse (const char *u32str)
+{
+    DetectU32Data u32da;
+    DetectU32Data *u32d = NULL;
+    char arg1[16] = "";
+    char arg2[16] = "";
+    char arg3[16] = "";
+
+#define MAX_SUBSTRINGS 30
+    int ret = 0, res = 0;
+    int ov[MAX_SUBSTRINGS];
+
+    ret = pcre_exec(parse_regex, parse_regex_study, u32str, strlen(u32str), 0, 0, ov, MAX_SUBSTRINGS);
+    if (ret < 2 || ret > 4) {
+        SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 "", ret);
+        return NULL;
+    }
+
+    res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 1, arg1, sizeof(arg1));
+    if (res < 0) {
+        SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
+        return NULL;
+    }
+    SCLogDebug("Arg1 \"%s\"", arg1);
+
+    if (ret >= 3) {
+        res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 2, arg2, sizeof(arg2));
+        if (res < 0) {
+            SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
+            return NULL;
+        }
+        SCLogDebug("Arg2 \"%s\"", arg2);
+
+        if (ret >= 4) {
+            res = pcre_copy_substring((char *) u32str, ov, MAX_SUBSTRINGS, 3, arg3, sizeof(arg3));
+            if (res < 0) {
+                SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
+                return NULL;
+            }
+            SCLogDebug("Arg3 \"%s\"", arg3);
+        }
+    }
+
+    if (strlen(arg2) > 0) {
+        /*set the values*/
+        switch(arg2[0]) {
+            case '<':
+            case '>':
+                if (strlen(arg3) == 0)
+                    return NULL;
+
+                if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg3), arg3) < 0) {
+                    SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
+                    return NULL;
+                }
+
+                SCLogDebug("u32 is %"PRIu32"",u32da.arg1);
+                if (strlen(arg1) > 0)
+                    return NULL;
+
+                if (arg2[0] == '<') {
+                    u32da.mode = DETECT_UINT_LT;
+                } else { // arg2[0] == '>'
+                    u32da.mode = DETECT_UINT_GT;
+                }
+                break;
+            case '-':
+                if (strlen(arg1)== 0)
+                    return NULL;
+                if (strlen(arg3)== 0)
+                    return NULL;
+
+                u32da.mode = DETECT_UINT_RA;
+                if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
+                    SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
+                    return NULL;
+                }
+                if (ByteExtractStringUint32(&u32da.arg2, 10, strlen(arg3), arg3) < 0) {
+                    SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
+                    return NULL;
+                }
+
+                SCLogDebug("u32 is %"PRIu32" to %"PRIu32"", u32da.arg1, u32da.arg2);
+                if (u32da.arg1 >= u32da.arg2) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid u32 range. ");
+                    return NULL;
+                }
+                break;
+            default:
+                u32da.mode = DETECT_UINT_EQ;
+
+                if (strlen(arg2) > 0 ||
+                    strlen(arg3) > 0 ||
+                    strlen(arg1) == 0)
+                    return NULL;
+
+                if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
+                    SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
+                    return NULL;
+                }
+        }
+    } else {
+        u32da.mode = DETECT_UINT_EQ;
+
+        if (strlen(arg3) > 0 ||
+            strlen(arg1) == 0)
+            return NULL;
+
+        if (ByteExtractStringUint32(&u32da.arg1, 10, strlen(arg1), arg1) < 0) {
+            SCLogError(SC_ERR_BYTE_EXTRACT_FAILED, "ByteExtractStringUint32 failed");
+            return NULL;
+        }
+    }
+    u32d = SCCalloc(1, sizeof (DetectU32Data));
+    if (unlikely(u32d == NULL))
+        return NULL;
+    u32d->arg1 = u32da.arg1;
+    u32d->arg2 = u32da.arg2;
+    u32d->mode = u32da.mode;
+
+    return u32d;
+}
+
+void
+PrefilterPacketU32Set(PrefilterPacketHeaderValue *v, void *smctx)
+{
+    const DetectU32Data *a = smctx;
+    v->u8[0] = a->mode;
+    v->u32[1] = a->arg1;
+    v->u32[2] = a->arg2;
+}
+
+bool
+PrefilterPacketU32Compare(PrefilterPacketHeaderValue v, void *smctx)
+{
+    const DetectU32Data *a = smctx;
+    if (v.u8[0] == a->mode &&
+        v.u32[1] == a->arg1 &&
+        v.u32[2] == a->arg2)
+        return true;
+    return false;
+}
+
+static bool g_detect_u32_registered = false;
+
+void DetectU32Register(void)
+{
+    if (g_detect_u32_registered == false) {
+        // register only once
+        DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
+        g_detect_u32_registered = true;
+    }
+}
diff --git a/src/detect-engine-uint.h b/src/detect-engine-uint.h
new file mode 100644
index 0000000000..76ec1630a7
--- /dev/null
+++ b/src/detect-engine-uint.h
@@ -0,0 +1,49 @@
+/* Copyright (C) 2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Philippe Antoine <p.antoine@catenacyber.fr>
+ */
+
+#ifndef __DETECT_ENGINE_UINT_H
+#define __DETECT_ENGINE_UINT_H
+
+#include "detect-engine-prefilter-common.h"
+
+typedef enum {
+    DETECT_UINT_LT,
+    DETECT_UINT_EQ,
+    DETECT_UINT_GT,
+    DETECT_UINT_RA,
+} DetectUintMode;
+
+typedef struct DetectU32Data_ {
+    uint32_t arg1;   /**< first arg value in the signature*/
+    uint32_t arg2;   /**< second arg value in the signature, in case of range
+                          operator*/
+    DetectUintMode mode;    /**< operator used in the signature */
+} DetectU32Data;
+
+int DetectU32Match(const uint32_t parg, const DetectU32Data *du32);
+DetectU32Data *DetectU32Parse (const char *u32str);
+void PrefilterPacketU32Set(PrefilterPacketHeaderValue *v, void *smctx);
+bool PrefilterPacketU32Compare(PrefilterPacketHeaderValue v, void *smctx);
+void DetectU32Register(void);
+
+#endif /* __DETECT_UTIL_UINT_H */