From 16952d67e7ee951e73d7542bf55efe0fb7252a8a Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 7 May 2024 15:42:32 +0200 Subject: [PATCH] detect/dhcp: move keywords to rust Ticket: 4863 --- rust/src/detect/uint.rs | 4 +- rust/src/dhcp/detect.rs | 217 ++++++++++++++++++++++++++----- rust/src/dhcp/dhcp.rs | 2 +- src/Makefile.am | 6 - src/detect-dhcp-leasetime.c | 127 ------------------ src/detect-dhcp-leasetime.h | 23 ---- src/detect-dhcp-rebinding-time.c | 128 ------------------ src/detect-dhcp-rebinding-time.h | 23 ---- src/detect-dhcp-renewal-time.c | 127 ------------------ src/detect-dhcp-renewal-time.h | 23 ---- src/detect-engine-register.c | 7 +- src/detect-engine-register.h | 3 - 12 files changed, 191 insertions(+), 499 deletions(-) delete mode 100644 src/detect-dhcp-leasetime.c delete mode 100644 src/detect-dhcp-leasetime.h delete mode 100644 src/detect-dhcp-rebinding-time.c delete mode 100644 src/detect-dhcp-rebinding-time.h delete mode 100644 src/detect-dhcp-renewal-time.c delete mode 100644 src/detect-dhcp-renewal-time.h diff --git a/rust/src/detect/uint.rs b/rust/src/detect/uint.rs index 5b28830cea..fdfc4c30f8 100644 --- a/rust/src/detect/uint.rs +++ b/rust/src/detect/uint.rs @@ -398,9 +398,9 @@ pub unsafe extern "C" fn rs_detect_u64_match( } #[no_mangle] -pub unsafe extern "C" fn rs_detect_u64_free(ctx: *mut std::os::raw::c_void) { +pub unsafe extern "C" fn rs_detect_u64_free(ctx: &mut DetectUintData) { // Just unbox... - std::mem::drop(Box::from_raw(ctx as *mut DetectUintData)); + std::mem::drop(Box::from_raw(ctx)); } #[no_mangle] diff --git a/rust/src/dhcp/detect.rs b/rust/src/dhcp/detect.rs index 0215810ae8..73cf925386 100644 --- a/rust/src/dhcp/detect.rs +++ b/rust/src/dhcp/detect.rs 
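Review bot: `rs_detect_u64_free` now takes the allocation as `ctx: &mut DetectUintData` and frees it with `Box::from_raw(ctx)`, so the memory is deallocated while a reference argument to it is still live for the rest of the call, which Miri's aliasing models flag as undefined behaviour. A reference parameter on an `extern "C"` function also promises the compiler a non-null, aligned, valid pointer, a promise that a NULL or stale context passed from C would break on entry. I would keep the typed signature but declare the parameter as a raw `*mut` pointer to the same `DetectUintData` type, and add a `// SAFETY:` comment saying `ctx` must come from `rs_detect_u64_parse` and must not be used after this call. The same pattern reaches this function from `dhcp_detect_time_free` in rust/src/dhcp/detect.rs, which builds a reference with `cast_pointer!` before calling it.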
@@ -16,51 +16,208 @@ */ use super::dhcp::{ - DHCPTransaction, DHCP_OPT_ADDRESS_TIME, DHCP_OPT_REBINDING_TIME, DHCP_OPT_RENEWAL_TIME, + DHCPTransaction, ALPROTO_DHCP, DHCP_OPT_ADDRESS_TIME, DHCP_OPT_REBINDING_TIME, + DHCP_OPT_RENEWAL_TIME, }; use super::parser::DHCPOptionWrapper; +use crate::detect::uint::{ + rs_detect_u64_free, rs_detect_u64_match, rs_detect_u64_parse, DetectUintData, +}; +use crate::detect::{ + DetectHelperBufferRegister, DetectHelperKeywordRegister, DetectSignatureSetAppProto, + SCSigTableElmt, SigMatchAppendSMToList, +}; +use std::os::raw::{c_int, c_void}; -#[no_mangle] -pub unsafe extern "C" fn rs_dhcp_tx_get_leasetime( - tx: &mut DHCPTransaction, leasetime: *mut u64, -) -> u8 { +fn rs_dhcp_tx_get_time(tx: &DHCPTransaction, code: u8) -> Option { for option in &tx.message.options { - if option.code == DHCP_OPT_ADDRESS_TIME { + if option.code == code { if let DHCPOptionWrapper::TimeValue(ref time_value) = option.option { - *leasetime = time_value.seconds as u64; - return 1; + return Some(time_value.seconds as u64); } } } + return None; +} + +static mut G_DHCP_LEASE_TIME_KW_ID: c_int = 0; +static mut G_DHCP_LEASE_TIME_BUFFER_ID: c_int = 0; +static mut G_DHCP_REBINDING_TIME_KW_ID: c_int = 0; +static mut G_DHCP_REBINDING_TIME_BUFFER_ID: c_int = 0; +static mut G_DHCP_RENEWAL_TIME_KW_ID: c_int = 0; +static mut G_DHCP_RENEWAL_TIME_BUFFER_ID: c_int = 0; + +unsafe extern "C" fn dhcp_detect_leasetime_setup( + de: *mut c_void, s: *mut c_void, raw: *const libc::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_DHCP) != 0 { + return -1; + } + let ctx = rs_detect_u64_parse(raw) as *mut c_void; + if ctx.is_null() { + return -1; + } + if SigMatchAppendSMToList( + de, + s, + G_DHCP_LEASE_TIME_KW_ID, + ctx, + G_DHCP_LEASE_TIME_BUFFER_ID, + ) + .is_null() + { + dhcp_detect_time_free(std::ptr::null_mut(), ctx); + return -1; + } return 0; } -#[no_mangle] -pub unsafe extern "C" fn rs_dhcp_tx_get_rebinding_time( - tx: &mut DHCPTransaction, res: *mut 
u64, -) -> u8 { - for option in &tx.message.options { - if option.code == DHCP_OPT_REBINDING_TIME { - if let DHCPOptionWrapper::TimeValue(ref time_value) = option.option { - *res = time_value.seconds as u64; - return 1; - } - } +unsafe extern "C" fn dhcp_detect_leasetime_match( + _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void, + _sig: *const c_void, ctx: *const c_void, +) -> c_int { + let tx = cast_pointer!(tx, DHCPTransaction); + let ctx = cast_pointer!(ctx, DetectUintData); + if let Some(val) = rs_dhcp_tx_get_time(tx, DHCP_OPT_ADDRESS_TIME) { + return rs_detect_u64_match(val, ctx); } return 0; } -#[no_mangle] -pub unsafe extern "C" fn rs_dhcp_tx_get_renewal_time( - tx: &mut DHCPTransaction, res: *mut u64, -) -> u8 { - for option in &tx.message.options { - if option.code == DHCP_OPT_RENEWAL_TIME { - if let DHCPOptionWrapper::TimeValue(ref time_value) = option.option { - *res = time_value.seconds as u64; - return 1; - } - } +unsafe extern "C" fn dhcp_detect_time_free(_de: *mut c_void, ctx: *mut c_void) { + // Just unbox... 
+ let ctx = cast_pointer!(ctx, DetectUintData); + rs_detect_u64_free(ctx); +} + +unsafe extern "C" fn dhcp_detect_rebindingtime_setup( + de: *mut c_void, s: *mut c_void, raw: *const libc::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_DHCP) != 0 { + return -1; + } + let ctx = rs_detect_u64_parse(raw) as *mut c_void; + if ctx.is_null() { + return -1; + } + if SigMatchAppendSMToList( + de, + s, + G_DHCP_REBINDING_TIME_KW_ID, + ctx, + G_DHCP_REBINDING_TIME_BUFFER_ID, + ) + .is_null() + { + dhcp_detect_time_free(std::ptr::null_mut(), ctx); + return -1; + } + return 0; +} + +unsafe extern "C" fn dhcp_detect_rebindingtime_match( + _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void, + _sig: *const c_void, ctx: *const c_void, +) -> c_int { + let tx = cast_pointer!(tx, DHCPTransaction); + let ctx = cast_pointer!(ctx, DetectUintData); + if let Some(val) = rs_dhcp_tx_get_time(tx, DHCP_OPT_REBINDING_TIME) { + return rs_detect_u64_match(val, ctx); + } + return 0; +} + +unsafe extern "C" fn dhcp_detect_renewaltime_setup( + de: *mut c_void, s: *mut c_void, raw: *const libc::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_DHCP) != 0 { + return -1; + } + let ctx = rs_detect_u64_parse(raw) as *mut c_void; + if ctx.is_null() { + return -1; + } + if SigMatchAppendSMToList( + de, + s, + G_DHCP_RENEWAL_TIME_KW_ID, + ctx, + G_DHCP_RENEWAL_TIME_BUFFER_ID, + ) + .is_null() + { + dhcp_detect_time_free(std::ptr::null_mut(), ctx); + return -1; } return 0; } + +unsafe extern "C" fn dhcp_detect_renewaltime_match( + _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void, + _sig: *const c_void, ctx: *const c_void, +) -> c_int { + let tx = cast_pointer!(tx, DHCPTransaction); + let ctx = cast_pointer!(ctx, DetectUintData); + if let Some(val) = rs_dhcp_tx_get_time(tx, DHCP_OPT_RENEWAL_TIME) { + return rs_detect_u64_match(val, ctx); + } + return 0; +} + +#[no_mangle] +pub unsafe extern "C" fn 
ScDetectDHCPRegister() { + let kw = SCSigTableElmt { + name: b"dhcp.leasetime\0".as_ptr() as *const libc::c_char, + desc: b"match DHCP leasetime\0".as_ptr() as *const libc::c_char, + url: b"/rules/dhcp-keywords.html#dhcp-leasetime\0".as_ptr() as *const libc::c_char, + AppLayerTxMatch: Some(dhcp_detect_leasetime_match), + Setup: dhcp_detect_leasetime_setup, + Free: Some(dhcp_detect_time_free), + flags: 0, + }; + unsafe { + G_DHCP_LEASE_TIME_KW_ID = DetectHelperKeywordRegister(&kw); + G_DHCP_LEASE_TIME_BUFFER_ID = DetectHelperBufferRegister( + b"dhcp.leasetime\0".as_ptr() as *const libc::c_char, + ALPROTO_DHCP, + true, + true, + ); + } + let kw = SCSigTableElmt { + name: b"dhcp.rebinding_time\0".as_ptr() as *const libc::c_char, + desc: b"match DHCP rebinding time\0".as_ptr() as *const libc::c_char, + url: b"/rules/dhcp-keywords.html#dhcp-rebinding-time\0".as_ptr() as *const libc::c_char, + AppLayerTxMatch: Some(dhcp_detect_rebindingtime_match), + Setup: dhcp_detect_rebindingtime_setup, + Free: Some(dhcp_detect_time_free), + flags: 0, + }; + unsafe { + G_DHCP_REBINDING_TIME_KW_ID = DetectHelperKeywordRegister(&kw); + G_DHCP_REBINDING_TIME_BUFFER_ID = DetectHelperBufferRegister( + b"dhcp.rebinding-time\0".as_ptr() as *const libc::c_char, + ALPROTO_DHCP, + true, + true, + ); + } + let kw = SCSigTableElmt { + name: b"dhcp.renewal_time\0".as_ptr() as *const libc::c_char, + desc: b"match DHCP renewal time\0".as_ptr() as *const libc::c_char, + url: b"/rules/dhcp-keywords.html#dhcp-renewal-time\0".as_ptr() as *const libc::c_char, + AppLayerTxMatch: Some(dhcp_detect_renewaltime_match), + Setup: dhcp_detect_renewaltime_setup, + Free: Some(dhcp_detect_time_free), + flags: 0, + }; + unsafe { + G_DHCP_RENEWAL_TIME_KW_ID = DetectHelperKeywordRegister(&kw); + G_DHCP_RENEWAL_TIME_BUFFER_ID = DetectHelperBufferRegister( + b"dhcp.renewal-time\0".as_ptr() as *const libc::c_char, + ALPROTO_DHCP, + true, + true, + ); + } +} 
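Review bot: When `rs_detect_u64_parse(raw)` returns null, `dhcp_detect_leasetime_setup` returns -1 without logging anything, whereas the C setup function it replaces reported the rejected value and the keyword name through `SCLogError`. Unless the caller of `Setup` logs the option text itself (not visible in this patch), a rule with a malformed `dhcp.leasetime` value now fails to load with no keyword-specific message, so a missing detection is harder to notice. I would add a line inside the `ctx.is_null()` branch such as `SCLogError!("Parsing failed for dhcp.leasetime");`, ideally including the raw value, before `return -1;`. `dhcp_detect_rebindingtime_setup` and `dhcp_detect_renewaltime_setup` have the same branch. Since the three setup functions differ only in the two id globals they pass, a shared helper taking the keyword id and buffer id would keep the log line and the error-path free in one place.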
diff --git a/rust/src/dhcp/dhcp.rs b/rust/src/dhcp/dhcp.rs index 7f0da5526e..e43d4e863a 100644 --- a/rust/src/dhcp/dhcp.rs +++ b/rust/src/dhcp/dhcp.rs @@ -22,7 +22,7 @@ use crate::dhcp::parser::*; use std; use std::ffi::CString; -static mut ALPROTO_DHCP: AppProto = ALPROTO_UNKNOWN; +pub(super) static mut ALPROTO_DHCP: AppProto = ALPROTO_UNKNOWN; static DHCP_MIN_FRAME_LEN: u32 = 232; diff --git a/src/Makefile.am b/src/Makefile.am index b2b03d093b..5aeb194ca2 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -310,9 +310,6 @@ noinst_HEADERS = \ detect-smb-ntlmssp.h \ detect-smb-share.h \ detect-smb-version.h \ - detect-dhcp-leasetime.h \ - detect-dhcp-rebinding-time.h \ - detect-dhcp-renewal-time.h \ detect-ssh-hassh.h \ detect-ssh-hassh-server.h \ detect-ssh-hassh-server-string.h \ @@ -932,9 +929,6 @@ libsuricata_c_a_SOURCES = \ detect-smb-ntlmssp.c \ detect-smb-share.c \ detect-smb-version.c \ - detect-dhcp-leasetime.c \ - detect-dhcp-rebinding-time.c \ - detect-dhcp-renewal-time.c \ detect-ssh-hassh.c \ detect-ssh-hassh-server.c \ detect-ssh-hassh-server-string.c \ diff --git a/src/detect-dhcp-leasetime.c b/src/detect-dhcp-leasetime.c deleted file mode 100644 index f86d645dc6..0000000000 --- a/src/detect-dhcp-leasetime.c +++ /dev/null 
@@ -1,127 +0,0 @@ -/* Copyright (C) 2022 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#include "suricata-common.h" -#include "rust.h" -#include "detect-dhcp-leasetime.h" -#include "detect-engine.h" -#include "detect-engine-mpm.h" -#include "detect-engine-prefilter.h" -#include "detect-engine-uint.h" -#include "detect-parse.h" - -static int g_buffer_id = 0; - -/** - * \internal - * \brief Function to match leasetime of a TX - * - * \param t Pointer to thread vars. - * \param det_ctx Pointer to the pattern matcher thread. - * \param f Pointer to the current flow. - * \param flags Flags. - * \param state App layer state. - * \param s Pointer to the Signature. - * \param m Pointer to the sigmatch that we will cast into - * DetectU64Data. - * - * \retval 0 no match. - * \retval 1 match. - */ -static int DetectDHCPLeaseTimeMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, - void *state, void *txv, const Signature *s, const SigMatchCtx *ctx) -{ - SCEnter(); - - uint64_t leasetime; - if (rs_dhcp_tx_get_leasetime(txv, &leasetime)) { - const DetectU64Data *dd = (const DetectU64Data *)ctx; - if (DetectU64Match(leasetime, dd)) { - SCReturnInt(1); - } - } - SCReturnInt(0); -} - -/** - * \internal - * \brief Function to free memory associated with DetectU64Data. - * - * \param de_ptr Pointer to DetectU64Data. 
- */ -static void DetectDHCPLeaseTimeFree(DetectEngineCtx *de_ctx, void *ptr) -{ - rs_detect_u64_free(ptr); -} - -/** - * \brief Function to add the parsed dhcp leasetime field into the current signature. - * - * \param de_ctx Pointer to the Detection Engine Context. - * \param s Pointer to the Current Signature. - * \param rawstr Pointer to the user provided flags options. - * \param type Defines if this is notBefore or notAfter. - * - * \retval 0 on Success. - * \retval -1 on Failure. - */ -static int DetectDHCPLeaseTimeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) -{ - if (DetectSignatureSetAppProto(s, ALPROTO_DHCP) != 0) - return -1; - - DetectU64Data *dd = DetectU64Parse(rawstr); - if (dd == NULL) { - SCLogError("Parsing \'%s\' failed for %s", rawstr, - sigmatch_table[DETECT_AL_DHCP_LEASETIME].name); - return -1; - } - - /* okay so far so good, lets get this into a SigMatch - * and put it in the Signature. */ - - if (SigMatchAppendSMToList( - de_ctx, s, DETECT_AL_DHCP_LEASETIME, (SigMatchCtx *)dd, g_buffer_id) == NULL) { - goto error; - } - return 0; - -error: - DetectDHCPLeaseTimeFree(de_ctx, dd); - return -1; -} - -/** - * \brief Registration function for dhcp.procedure keyword. 
- */ -void DetectDHCPLeaseTimeRegister(void) -{ - sigmatch_table[DETECT_AL_DHCP_LEASETIME].name = "dhcp.leasetime"; - sigmatch_table[DETECT_AL_DHCP_LEASETIME].desc = "match DHCP leasetime"; - sigmatch_table[DETECT_AL_DHCP_LEASETIME].url = "/rules/dhcp-keywords.html#dhcp-leasetime"; - sigmatch_table[DETECT_AL_DHCP_LEASETIME].AppLayerTxMatch = DetectDHCPLeaseTimeMatch; - sigmatch_table[DETECT_AL_DHCP_LEASETIME].Setup = DetectDHCPLeaseTimeSetup; - sigmatch_table[DETECT_AL_DHCP_LEASETIME].Free = DetectDHCPLeaseTimeFree; - - DetectAppLayerInspectEngineRegister("dhcp.leasetime", ALPROTO_DHCP, SIG_FLAG_TOSERVER, 0, - DetectEngineInspectGenericList, NULL); - - DetectAppLayerInspectEngineRegister("dhcp.leasetime", ALPROTO_DHCP, SIG_FLAG_TOCLIENT, 0, - DetectEngineInspectGenericList, NULL); - - g_buffer_id = DetectBufferTypeGetByName("dhcp.leasetime"); -} diff --git a/src/detect-dhcp-leasetime.h b/src/detect-dhcp-leasetime.h deleted file mode 100644 index 53b1f42ac7..0000000000 --- a/src/detect-dhcp-leasetime.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Copyright (C) 2022 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#ifndef SURICATA_DETECT_DHCP_LEASETIME_H -#define SURICATA_DETECT_DHCP_LEASETIME_H - -void DetectDHCPLeaseTimeRegister(void); - -#endif /* SURICATA_DETECT_DHCP_LEASETIME_H */ 
diff --git a/src/detect-dhcp-rebinding-time.c b/src/detect-dhcp-rebinding-time.c deleted file mode 100644 index 737d332841..0000000000 --- a/src/detect-dhcp-rebinding-time.c +++ /dev/null 
@@ -1,128 +0,0 @@ -/* Copyright (C) 2022 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#include "suricata-common.h" -#include "rust.h" -#include "detect-dhcp-rebinding-time.h" -#include "detect-engine.h" -#include "detect-engine-mpm.h" -#include "detect-engine-prefilter.h" -#include "detect-engine-uint.h" -#include "detect-parse.h" - -static int g_buffer_id = 0; - -/** - * \internal - * \brief Function to match rebinding time of a TX - * - * \param t Pointer to thread vars. - * \param det_ctx Pointer to the pattern matcher thread. - * \param f Pointer to the current flow. - * \param flags Flags. - * \param state App layer state. - * \param s Pointer to the Signature. - * \param m Pointer to the sigmatch that we will cast into - * DetectU64Data. - * - * \retval 0 no match. - * \retval 1 match. - */ -static int DetectDHCPRebindingTimeMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, - void *state, void *txv, const Signature *s, const SigMatchCtx *ctx) -{ - SCEnter(); - - uint64_t res; - if (rs_dhcp_tx_get_rebinding_time(txv, &res)) { - const DetectU64Data *dd = (const DetectU64Data *)ctx; - if (DetectU64Match(res, dd)) { - SCReturnInt(1); - } - } - SCReturnInt(0); -} - -/** - * \internal - * \brief Function to free memory associated with DetectU64Data. - * - * \param de_ptr Pointer to DetectU64Data. 
- */ -static void DetectDHCPRebindingTimeFree(DetectEngineCtx *de_ctx, void *ptr) -{ - rs_detect_u64_free(ptr); -} - -/** - * \brief Function to add the parsed dhcp rebinding time field into the current signature. - * - * \param de_ctx Pointer to the Detection Engine Context. - * \param s Pointer to the Current Signature. - * \param rawstr Pointer to the user provided flags options. - * \param type Defines if this is notBefore or notAfter. - * - * \retval 0 on Success. - * \retval -1 on Failure. - */ -static int DetectDHCPRebindingTimeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) -{ - if (DetectSignatureSetAppProto(s, ALPROTO_DHCP) != 0) - return -1; - - DetectU64Data *dd = DetectU64Parse(rawstr); - if (dd == NULL) { - SCLogError("Parsing \'%s\' failed for %s", rawstr, - sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].name); - return -1; - } - - /* okay so far so good, lets get this into a SigMatch - * and put it in the Signature. */ - - if (SigMatchAppendSMToList( - de_ctx, s, DETECT_AL_DHCP_REBINDING_TIME, (SigMatchCtx *)dd, g_buffer_id) == NULL) { - goto error; - } - return 0; - -error: - DetectDHCPRebindingTimeFree(de_ctx, dd); - return -1; -} - -/** - * \brief Registration function for dhcp.procedure keyword. 
- */ -void DetectDHCPRebindingTimeRegister(void) -{ - sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].name = "dhcp.rebinding_time"; - sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].desc = "match DHCP rebinding time"; - sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].url = - "/rules/dhcp-keywords.html#dhcp-rebinding-time"; - sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].AppLayerTxMatch = DetectDHCPRebindingTimeMatch; - sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].Setup = DetectDHCPRebindingTimeSetup; - sigmatch_table[DETECT_AL_DHCP_REBINDING_TIME].Free = DetectDHCPRebindingTimeFree; - - DetectAppLayerInspectEngineRegister("dhcp.rebinding-time", ALPROTO_DHCP, SIG_FLAG_TOSERVER, 0, - DetectEngineInspectGenericList, NULL); - - DetectAppLayerInspectEngineRegister("dhcp.rebinding-time", ALPROTO_DHCP, SIG_FLAG_TOCLIENT, 0, - DetectEngineInspectGenericList, NULL); - - g_buffer_id = DetectBufferTypeGetByName("dhcp.rebinding-time"); -} diff --git a/src/detect-dhcp-rebinding-time.h b/src/detect-dhcp-rebinding-time.h deleted file mode 100644 index b14f0af661..0000000000 --- a/src/detect-dhcp-rebinding-time.h +++ /dev/null 
@@ -1,23 +0,0 @@ -/* Copyright (C) 2022 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#ifndef SURICATA_DETECT_DHCP_REBINDING_TIME_H -#define SURICATA_DETECT_DHCP_REBINDING_TIME_H - -void DetectDHCPRebindingTimeRegister(void); - -#endif /* SURICATA_DETECT_DHCP_REBINDING_TIME_H */ diff --git a/src/detect-dhcp-renewal-time.c b/src/detect-dhcp-renewal-time.c deleted file mode 100644 index d991fa1d2a..0000000000 --- a/src/detect-dhcp-renewal-time.c +++ /dev/null 
@@ -1,127 +0,0 @@ -/* Copyright (C) 2022 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#include "suricata-common.h" -#include "rust.h" -#include "detect-dhcp-renewal-time.h" -#include "detect-engine.h" -#include "detect-engine-mpm.h" -#include "detect-engine-prefilter.h" -#include "detect-engine-uint.h" -#include "detect-parse.h" - -static int g_buffer_id = 0; - -/** - * \internal - * \brief Function to match renewal time of a TX - * - * \param t Pointer to thread vars. - * \param det_ctx Pointer to the pattern matcher thread. - * \param f Pointer to the current flow. - * \param flags Flags. - * \param state App layer state. - * \param s Pointer to the Signature. - * \param m Pointer to the sigmatch that we will cast into - * DetectU64Data. - * - * \retval 0 no match. - * \retval 1 match. - */ -static int DetectDHCPRenewalTimeMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, - void *state, void *txv, const Signature *s, const SigMatchCtx *ctx) -{ - SCEnter(); - - uint64_t res; - if (rs_dhcp_tx_get_renewal_time(txv, &res)) { - const DetectU64Data *dd = (const DetectU64Data *)ctx; - if (DetectU64Match(res, dd)) { - SCReturnInt(1); - } - } - SCReturnInt(0); -} - -/** - * \internal - * \brief Function to free memory associated with DetectU64Data. - * - * \param de_ptr Pointer to DetectU64Data. 
- */ -static void DetectDHCPRenewalTimeFree(DetectEngineCtx *de_ctx, void *ptr) -{ - rs_detect_u64_free(ptr); -} - -/** - * \brief Function to add the parsed dhcp renewal time field into the current signature. - * - * \param de_ctx Pointer to the Detection Engine Context. - * \param s Pointer to the Current Signature. - * \param rawstr Pointer to the user provided flags options. - * \param type Defines if this is notBefore or notAfter. - * - * \retval 0 on Success. - * \retval -1 on Failure. - */ -static int DetectDHCPRenewalTimeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) -{ - if (DetectSignatureSetAppProto(s, ALPROTO_DHCP) != 0) - return -1; - - DetectU64Data *dd = DetectU64Parse(rawstr); - if (dd == NULL) { - SCLogError("Parsing \'%s\' failed for %s", rawstr, - sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].name); - return -1; - } - - /* okay so far so good, lets get this into a SigMatch - * and put it in the Signature. */ - - if (SigMatchAppendSMToList( - de_ctx, s, DETECT_AL_DHCP_RENEWAL_TIME, (SigMatchCtx *)dd, g_buffer_id) == NULL) { - goto error; - } - return 0; - -error: - DetectDHCPRenewalTimeFree(de_ctx, dd); - return -1; -} - -/** - * \brief Registration function for dhcp.procedure keyword. 
- */ -void DetectDHCPRenewalTimeRegister(void) -{ - sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].name = "dhcp.renewal_time"; - sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].desc = "match DHCP renewal time"; - sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].url = "/rules/dhcp-keywords.html#dhcp-renewal-time"; - sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].AppLayerTxMatch = DetectDHCPRenewalTimeMatch; - sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].Setup = DetectDHCPRenewalTimeSetup; - sigmatch_table[DETECT_AL_DHCP_RENEWAL_TIME].Free = DetectDHCPRenewalTimeFree; - - DetectAppLayerInspectEngineRegister("dhcp.renewal-time", ALPROTO_DHCP, SIG_FLAG_TOSERVER, 0, - DetectEngineInspectGenericList, NULL); - - DetectAppLayerInspectEngineRegister("dhcp.renewal-time", ALPROTO_DHCP, SIG_FLAG_TOCLIENT, 0, - DetectEngineInspectGenericList, NULL); - - g_buffer_id = DetectBufferTypeGetByName("dhcp.renewal-time"); -} diff --git a/src/detect-dhcp-renewal-time.h b/src/detect-dhcp-renewal-time.h deleted file mode 100644 index 06d64c5560..0000000000 --- a/src/detect-dhcp-renewal-time.h +++ /dev/null 
@@ -1,23 +0,0 @@ -/* Copyright (C) 2022 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#ifndef SURICATA_DETECT_DHCP_RENEWAL_TIME_H -#define SURICATA_DETECT_DHCP_RENEWAL_TIME_H - -void DetectDHCPRenewalTimeRegister(void); - -#endif /* SURICATA_DETECT_DHCP_RENEWAL_TIME_H */ diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 93ece73ed4..f76eadf17a 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -212,9 +212,6 @@ #include "detect-rfb-name.h" #include "detect-target.h" #include "detect-template-rust-buffer.h" -#include "detect-dhcp-leasetime.h" -#include "detect-dhcp-rebinding-time.h" -#include "detect-dhcp-renewal-time.h" #include "detect-mqtt-type.h" #include "detect-mqtt-flags.h" #include "detect-mqtt-qos.h" @@ -733,9 +730,6 @@ void SigTableSetup(void) DetectRfbNameRegister(); DetectTargetRegister(); DetectTemplateRustBufferRegister(); - DetectDHCPLeaseTimeRegister(); - DetectDHCPRebindingTimeRegister(); - DetectDHCPRenewalTimeRegister(); DetectMQTTTypeRegister(); DetectMQTTFlagsRegister(); DetectMQTTQosRegister(); @@ -781,6 +775,7 @@ void SigTableSetup(void) DetectFileHandlerRegister(); ScDetectSNMPRegister(); + ScDetectDHCPRegister(); /* close keyword registration */ DetectBufferTypeCloseRegistration(); 
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index c361b4b252..abdffa255b 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -309,9 +309,6 @@ enum DetectKeywordId { DETECT_FTPDATA, DETECT_TARGET, DETECT_AL_TEMPLATE_BUFFER, - DETECT_AL_DHCP_LEASETIME, - DETECT_AL_DHCP_REBINDING_TIME, - DETECT_AL_DHCP_RENEWAL_TIME, DETECT_AL_MQTT_TYPE, DETECT_AL_MQTT_FLAGS, DETECT_AL_MQTT_QOS, -- 2.47.2