From: Philippe Antoine Date: Wed, 17 Jul 2024 12:50:51 +0000 (+0200) Subject: rfb: move app-layer registration code to rust X-Git-Tag: suricata-8.0.0-beta1~954 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ede77bc4dbf0406c76668c50a762f9d2ff3ec354;p=thirdparty%2Fsuricata.git rfb: move app-layer registration code to rust Ticket: 7178 --- diff --git a/rust/src/applayer.rs b/rust/src/applayer.rs index fb45b9af41..5a29be257b 100644 --- a/rust/src/applayer.rs +++ b/rust/src/applayer.rs @@ -479,6 +479,9 @@ extern { alproto_name: *const c_char, alproto: AppProto, min_depth: u16, max_depth: u16, pparser_ts: ProbeFn, pparser_tc: ProbeFn) -> i32; + pub fn AppLayerProtoDetectPMRegisterPatternCI(ipproto: u8, alproto: AppProto, + pattern: *const c_char, depth: u16, + offset: u16, direction: u8) -> c_int; pub fn AppLayerProtoDetectPMRegisterPatternCS(ipproto: u8, alproto: AppProto, pattern: *const c_char, depth: u16, offset: u16, direction: u8) -> c_int; diff --git a/rust/src/rfb/rfb.rs b/rust/src/rfb/rfb.rs index ec3bdbd962..810ed1d85d 100644 --- a/rust/src/rfb/rfb.rs +++ b/rust/src/rfb/rfb.rs @@ -26,6 +26,7 @@ use crate::frames::*; use nom7::Err; use std; use std::ffi::CString; +use std::os::raw::c_char; pub(super) static mut ALPROTO_RFB: AppProto = ALPROTO_UNKNOWN; @@ -831,7 +832,7 @@ export_tx_data_get!(rs_rfb_get_tx_data, RFBTransaction); export_state_data_get!(rs_rfb_get_state_data, RFBState); #[no_mangle] -pub unsafe extern "C" fn rs_rfb_register_parser() { +pub unsafe extern "C" fn SCRfbRegisterParser() { let parser = RustParser { name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char, default_port: std::ptr::null(), 
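Review bot: The added `AppLayerProtoDetectPMRegisterPatternCI` declaration in `rust/src/applayer.rs` has no comment saying what the caller must guarantee for `pattern`, which is a raw `*const c_char` passed next to a separate `depth`. A doc comment such as `/// Case-insensitive pattern registration; pattern must be a NUL-terminated string that stays valid for the duration of the call.` would make that contract visible to callers; the NUL requirement is my reading of the C side and should be confirmed there. The signature mirrors the existing `AppLayerProtoDetectPMRegisterPatternCS` entry just below it, and both need to stay in step with the C prototype. The `extern` block starts and ends outside this hunk.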
@@ -874,6 +875,28 @@ pub unsafe extern "C" fn rs_rfb_register_parser() { } SCLogDebug!("Rust rfb parser registered."); AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RFB); + if AppLayerProtoDetectPMRegisterPatternCI( + IPPROTO_TCP, + ALPROTO_RFB, + b"RFB \0".as_ptr() as *const c_char, + b"RFB ".len() as u16, + 0, + crate::core::Direction::ToServer.into(), + ) < 0 + { + SCLogDebug!("Failed to register protocol detection pattern for direction TOSERVER"); + }; + if AppLayerProtoDetectPMRegisterPatternCI( + IPPROTO_TCP, + ALPROTO_RFB, + b"RFB \0".as_ptr() as *const c_char, + b"RFB ".len() as u16, + 0, + crate::core::Direction::ToClient.into(), + ) < 0 + { + SCLogDebug!("Failed to register protocol detection pattern for direction TOCLIENT"); + } } else { SCLogDebug!("Protocol detector and parser disabled for RFB."); } diff --git a/src/Makefile.am b/src/Makefile.am index a882c6fcd4..148821ea2b 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -37,7 +37,6 @@ noinst_HEADERS = \ app-layer-parser.h \ app-layer-protos.h \ app-layer-register.h \ - app-layer-rfb.h \ app-layer-smb.h \ app-layer-smtp.h \ app-layer-ssh.h \ @@ -619,7 +618,6 @@ libsuricata_c_a_SOURCES = \ app-layer-parser.c \ app-layer-protos.c \ app-layer-register.c \ - app-layer-rfb.c \ app-layer-smb.c \ app-layer-smtp.c \ app-layer-ssh.c \ diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index 1317b51488..b9eecd89b9 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -52,7 +52,6 @@ #include "app-layer-nfs-udp.h" #include "app-layer-tftp.h" #include "app-layer-ike.h" -#include "app-layer-rfb.h" #include "app-layer-http2.h" #include "app-layer-imap.h" @@ -1725,7 +1724,7 @@ void AppLayerParserRegisterProtocolParsers(void) rs_websocket_register_parser(); rs_ldap_register_parser(); rs_template_register_parser(); - RegisterRFBParsers(); + SCRfbRegisterParser(); SCMqttRegisterParser(); rs_pgsql_register_parser(); rs_rdp_register_parser(); 
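Review bot: Both failure branches of the new `AppLayerProtoDetectPMRegisterPatternCI` calls report only through `SCLogDebug!`, which is normally compiled out of non-debug builds, so a failed registration would leave RFB pattern detection off with nothing in the logs. The `RustParser` built earlier in this function sets `default_port` to null, so the `RFB ` banner pattern looks like the main way this protocol is identified. Consider `SCLogError!("Failed to register protocol detection pattern for direction TOSERVER");` and the same for TOCLIENT, so the sensor's blind spot is visible to operators. The pattern and its depth also come from two separate literals, `b"RFB \0"` and `b"RFB ".len()`, repeated in both calls; one `const RFB_BANNER: &[u8] = b"RFB \0";` with the depth as `(RFB_BANNER.len() - 1) as u16` would keep them from drifting apart. The enclosing function starts outside this hunk.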
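Review bot: Replacing `RegisterRFBParsers();` with a direct `SCRfbRegisterParser();` call in `src/app-layer-parser.c` drops the `UNITTESTS` path the removed wrapper provided. `RegisterRFBParsers` registered `RFBParserTest` through `AppLayerParserRegisterProtocolUnittests`, and nothing in this commit registers a replacement. That test drove a version, security-type and init exchange through `AppLayerParserParse` and checked the transaction ids after cleanup, so that coverage is lost unless an equivalent test exists elsewhere (not visible here). It would be worth porting the test or naming the one that replaces it in the commit message. The body of `AppLayerParserRegisterProtocolParsers` continues outside this hunk.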
diff --git a/src/app-layer-rfb.c b/src/app-layer-rfb.c deleted file mode 100644 index 829e918adc..0000000000 --- a/src/app-layer-rfb.c +++ /dev/null 
@@ -1,155 +0,0 @@ -/* Copyright (C) 2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Sascha Steinbiss - * - * RFB (VNC) application layer detector and parser. - * - */ - -#include "suricata-common.h" - -#include "util-unittest.h" - -#include "app-layer-detect-proto.h" -#include "app-layer-parser.h" -#include "app-layer-rfb.h" - -#include "rust.h" - -static int RFBRegisterPatternsForProtocolDetection(void) -{ - if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_RFB, - "RFB ", 4, 0, STREAM_TOCLIENT) < 0) - { - return -1; - } - if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_RFB, - "RFB ", 4, 0, STREAM_TOSERVER) < 0) - { - return -1; - } - return 0; -} - -void RFBParserRegisterTests(void); - -void RegisterRFBParsers(void) -{ - rs_rfb_register_parser(); - if (RFBRegisterPatternsForProtocolDetection() < 0 ) - return; -#ifdef UNITTESTS - AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_RFB, - RFBParserRegisterTests); -#endif -} - - -#ifdef UNITTESTS - -#include "stream-tcp.h" -#include "util-unittest-helper.h" - -static int RFBParserTest(void) -{ - uint64_t ret[4]; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - FAIL_IF_NULL(alp_tctx); - - StreamTcpInitConfig(true); - TcpSession ssn; - memset(&ssn, 0, sizeof(ssn)); - - Flow *f = 
UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 59001, 5900); - FAIL_IF_NULL(f); - f->protoctx = &ssn; - f->proto = IPPROTO_TCP; - f->alproto = ALPROTO_RFB; - - static const unsigned char rfb_version_str[12] = { - 0x52, 0x46, 0x42, 0x20, 0x30, 0x30, 0x33, 0x2e, 0x30, 0x30, 0x37, 0x0a - }; - - // the RFB server sending the first handshake message - int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOCLIENT | STREAM_START, - (uint8_t *)rfb_version_str, sizeof(rfb_version_str)); - FAIL_IF_NOT(r == 0); - - r = AppLayerParserParse( - NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)rfb_version_str, sizeof(rfb_version_str)); - FAIL_IF_NOT(r == 0); - - static const unsigned char security_types[3] = { - 0x02, 0x01, 0x02 - }; - r = AppLayerParserParse( - NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOCLIENT, (uint8_t *)security_types, sizeof(security_types)); - FAIL_IF_NOT(r == 0); - - static const unsigned char type_selection[1] = { - 0x01 - }; - r = AppLayerParserParse( - NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)type_selection, sizeof(type_selection)); - FAIL_IF_NOT(r == 0); - - static const unsigned char client_init[1] = { - 0x01 - }; - r = AppLayerParserParse( - NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOSERVER, (uint8_t *)client_init, sizeof(client_init)); - FAIL_IF_NOT(r == 0); - - static const unsigned char server_init[] = { - 0x05, 0x00, 0x03, 0x20, 0x20, 0x18, 0x00, 0x01, - 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x10, 0x08, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, - 0x61, 0x6e, 0x65, 0x61, 0x67, 0x6c, 0x65, 0x73, - 0x40, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, - 0x73, 0x74, 0x2e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, - 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e - }; - - r = AppLayerParserParse( - NULL, alp_tctx, f, ALPROTO_RFB, STREAM_TOCLIENT, (uint8_t *)server_init, sizeof(server_init)); - FAIL_IF_NOT(r == 0); - - AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT); - UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], 
&ret[2], &ret[3]); - FAIL_IF_NOT(ret[0] == 1); // inspect_id[0] - FAIL_IF_NOT(ret[1] == 1); // inspect_id[1] - FAIL_IF_NOT(ret[2] == 1); // log_id - FAIL_IF_NOT(ret[3] == 1); // min_id - - AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT); - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - UTHFreeFlow(f); - - PASS; -} - -void RFBParserRegisterTests(void) -{ - UtRegisterTest("RFBParserTest", RFBParserTest); -} - -#endif diff --git a/src/app-layer-rfb.h b/src/app-layer-rfb.h deleted file mode 100644 index 0a19ad4199..0000000000 --- a/src/app-layer-rfb.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Sascha Steinbiss - */ - -#ifndef SURICATA_APP_LAYER_RFB_H -#define SURICATA_APP_LAYER_RFB_H - -void RegisterRFBParsers(void); - -#endif /* SURICATA_APP_LAYER_RFB_H */