From 62a186ceef99ea6f18e193d52da5af6a35f453d4 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Wed, 17 Jul 2024 14:31:53 +0200 Subject: [PATCH] detect/rfb: move keywords to rust Ticket: 7178 On the way, convert rfb.secresult to a generic integer with enumeration cf ticket 6723 --- doc/userguide/rules/rfb-keywords.rst | 3 + rust/src/rfb/detect.rs | 231 ++++++++++++++++++++-- rust/src/rfb/logger.rs | 15 +- rust/src/rfb/parser.rs | 10 + rust/src/rfb/rfb.rs | 2 +- src/Makefile.am | 6 - src/detect-engine-register.c | 7 +- src/detect-engine-register.h | 3 - src/detect-rfb-name.c | 110 ----------- src/detect-rfb-name.h | 29 --- src/detect-rfb-secresult.c | 285 --------------------------- src/detect-rfb-secresult.h | 29 --- src/detect-rfb-sectype.c | 137 ------------- src/detect-rfb-sectype.h | 29 --- 14 files changed, 234 insertions(+), 662 deletions(-) delete mode 100644 src/detect-rfb-name.c delete mode 100644 src/detect-rfb-name.h delete mode 100644 src/detect-rfb-secresult.c delete mode 100644 src/detect-rfb-secresult.h delete mode 100644 src/detect-rfb-sectype.c delete mode 100644 src/detect-rfb-sectype.h diff --git a/doc/userguide/rules/rfb-keywords.rst b/doc/userguide/rules/rfb-keywords.rst index 1715143daa..24b8ccf48f 100644 --- a/doc/userguide/rules/rfb-keywords.rst +++ b/doc/userguide/rules/rfb-keywords.rst @@ -25,9 +25,12 @@ rfb.secresult Match on the value of the RFB security result, e.g. ``ok``, ``fail``, ``toomany`` or ``unknown``. +rfb.secresult uses an :ref:`unsigned 32-bit integer `. + Examples:: rfb.secresult: ok; + rfb.secresult: !0; rfb.secresult: unknown; diff --git a/rust/src/rfb/detect.rs b/rust/src/rfb/detect.rs index 1cf0887c4f..3e0d9b2724 100644 --- a/rust/src/rfb/detect.rs +++ b/rust/src/rfb/detect.rs @@ -17,48 +17,239 @@ // Author: Frank Honza -use crate::rfb::rfb::*; +use super::parser::RFBSecurityResultStatus; +use super::rfb::{RFBTransaction, ALPROTO_RFB}; +use crate::detect::uint::{ + detect_match_uint, detect_parse_uint_enum, rs_detect_u32_free, rs_detect_u32_parse, + DetectUintData, +}; +use crate::detect::{ + DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperBufferRegister, + DetectHelperGetData, DetectHelperKeywordRegister, DetectSignatureSetAppProto, SCSigTableElmt, + SigMatchAppendSMToList, SIGMATCH_INFO_STICKY_BUFFER, SIGMATCH_NOOPT, +}; +use std::ffi::CStr; +use std::os::raw::{c_int, c_void}; use std::ptr; -#[no_mangle] -pub unsafe extern "C" fn rs_rfb_tx_get_name( - tx: &mut RFBTransaction, buffer: *mut *const u8, buffer_len: *mut u32, -) -> u8 { +unsafe extern "C" fn rfb_name_get_data( + tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, +) -> bool { + let tx = cast_pointer!(tx, RFBTransaction); if let Some(ref r) = tx.tc_server_init { let p = &r.name; if !p.is_empty() { *buffer = p.as_ptr(); *buffer_len = p.len() as u32; - return 1; + return true; } } *buffer = ptr::null(); *buffer_len = 0; + return false; +} - return 0; +unsafe extern "C" fn rfb_name_get( + de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, + tx: *const c_void, list_id: c_int, +) -> *mut c_void { + return DetectHelperGetData( + de, + transforms, + flow, + flow_flags, + tx, + list_id, + rfb_name_get_data, + ); } -#[no_mangle] -pub unsafe extern "C" fn rs_rfb_tx_get_sectype(tx: &mut RFBTransaction, sectype: *mut u32) -> u8 { - if let Some(ref r) = tx.chosen_security_type { - *sectype = *r; - return 1; +static mut G_RFB_NAME_BUFFER_ID: c_int = 0; +static mut G_RFB_SEC_TYPE_KW_ID: c_int = 0; +static mut G_RFB_SEC_TYPE_BUFFER_ID: c_int = 0; +static mut G_RFB_SEC_RESULT_KW_ID: c_int = 0; +static mut G_RFB_SEC_RESULT_BUFFER_ID: c_int = 0; + +unsafe extern "C" fn rfb_name_setup( + de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0 { + return -1; } + if DetectBufferSetActiveList(de, s, G_RFB_NAME_BUFFER_ID) < 0 { + return -1; + } + return 0; +} - *sectype = 0; +unsafe extern "C" fn rfb_sec_type_setup( + de: *mut c_void, s: *mut c_void, raw: *const libc::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0 { + return -1; + } + let ctx = rs_detect_u32_parse(raw) as *mut c_void; + if ctx.is_null() { + return -1; + } + if SigMatchAppendSMToList(de, s, G_RFB_SEC_TYPE_KW_ID, ctx, G_RFB_SEC_TYPE_BUFFER_ID).is_null() + { + rfb_sec_type_free(std::ptr::null_mut(), ctx); + return -1; + } + return 0; +} +fn rfb_sec_type_match_aux(tx: &mut RFBTransaction, ctx: &DetectUintData) -> c_int { + if let Some(r) = tx.chosen_security_type { + if detect_match_uint(ctx, r) { + return 1; + } + } return 0; } -#[no_mangle] -pub unsafe extern "C" fn rs_rfb_tx_get_secresult( - tx: &mut RFBTransaction, secresult: *mut u32, -) -> u8 { - if let Some(ref r) = tx.tc_security_result { - *secresult = r.status; - return 1; +unsafe extern "C" fn rfb_sec_type_match( + _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void, + _sig: *const c_void, ctx: *const c_void, +) -> c_int { + let ctx = cast_pointer!(ctx, DetectUintData); + let tx = cast_pointer!(tx, RFBTransaction); + return rfb_sec_type_match_aux(tx, ctx); +} + +unsafe extern "C" fn rfb_sec_type_free(_de: *mut c_void, ctx: *mut c_void) { + let ctx = cast_pointer!(ctx, DetectUintData); + rs_detect_u32_free(ctx); +} + +unsafe extern "C" fn rfb_parse_sec_result( + ustr: *const std::os::raw::c_char, +) -> *mut DetectUintData { + let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe + if let Ok(s) = ft_name.to_str() { + if let Some(ctx) = detect_parse_uint_enum::(s) { + let boxed = Box::new(ctx); + return Box::into_raw(boxed) as *mut _; + } } + return std::ptr::null_mut(); +} +unsafe extern "C" fn rfb_sec_result_setup( + de: *mut c_void, s: *mut c_void, raw: *const libc::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0 { + return -1; + } + let ctx = rfb_parse_sec_result(raw) as *mut c_void; + if ctx.is_null() { + return -1; + } + if SigMatchAppendSMToList( + de, + s, + G_RFB_SEC_RESULT_KW_ID, + ctx, + G_RFB_SEC_RESULT_BUFFER_ID, + ) + .is_null() + { + rfb_sec_result_free(std::ptr::null_mut(), ctx); + return -1; + } + return 0; +} + +fn rfb_sec_result_match_aux(tx: &RFBTransaction, ctx: &DetectUintData) -> c_int { + if let Some(r) = &tx.tc_security_result { + if detect_match_uint(ctx, r.status) { + return 1; + } + } return 0; } + +unsafe extern "C" fn rfb_sec_result_match( + _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void, + _sig: *const c_void, ctx: *const c_void, +) -> c_int { + let tx = cast_pointer!(tx, RFBTransaction); + let ctx = cast_pointer!(ctx, DetectUintData); + return rfb_sec_result_match_aux(tx, ctx); +} + +unsafe extern "C" fn rfb_sec_result_free(_de: *mut c_void, ctx: *mut c_void) { + // Just unbox... + let ctx = cast_pointer!(ctx, DetectUintData); + rs_detect_u32_free(ctx); +} + +#[no_mangle] +pub unsafe extern "C" fn ScDetectRfbRegister() { + let kw = SCSigTableElmt { + name: b"rfb.name\0".as_ptr() as *const libc::c_char, + desc: b"sticky buffer to match on the RFB desktop name\0".as_ptr() as *const libc::c_char, + url: b"/rules/rfb-keywords.html#rfb-name\0".as_ptr() as *const libc::c_char, + Setup: rfb_name_setup, + flags: SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER, + AppLayerTxMatch: None, + Free: None, + }; + let _g_rfb_name_kw_id = DetectHelperKeywordRegister(&kw); + G_RFB_NAME_BUFFER_ID = DetectHelperBufferMpmRegister( + b"rfb.name\0".as_ptr() as *const libc::c_char, + b"rfb name\0".as_ptr() as *const libc::c_char, + ALPROTO_RFB, + true, //toclient + false, + rfb_name_get, + ); + let kw = SCSigTableElmt { + name: b"rfb.sectype\0".as_ptr() as *const libc::c_char, + desc: b"match RFB security type\0".as_ptr() as *const libc::c_char, + url: b"/rules/rfb-keywords.html#rfb-sectype\0".as_ptr() as *const libc::c_char, + AppLayerTxMatch: Some(rfb_sec_type_match), + Setup: rfb_sec_type_setup, + Free: Some(rfb_sec_type_free), + flags: 0, + }; + G_RFB_SEC_TYPE_KW_ID = DetectHelperKeywordRegister(&kw); + G_RFB_SEC_TYPE_BUFFER_ID = DetectHelperBufferRegister( + b"rfb.sectype\0".as_ptr() as *const libc::c_char, + ALPROTO_RFB, + false, // only to server + true, + ); + let kw = SCSigTableElmt { + name: b"rfb.secresult\0".as_ptr() as *const libc::c_char, + desc: b"match RFB security result\0".as_ptr() as *const libc::c_char, + url: b"/rules/rfb-keywords.html#rfb-secresult\0".as_ptr() as *const libc::c_char, + AppLayerTxMatch: Some(rfb_sec_result_match), + Setup: rfb_sec_result_setup, + Free: Some(rfb_sec_result_free), + flags: 0, + }; + G_RFB_SEC_RESULT_KW_ID = DetectHelperKeywordRegister(&kw); + G_RFB_SEC_RESULT_BUFFER_ID = DetectHelperBufferRegister( + b"rfb.secresult\0".as_ptr() as *const libc::c_char, + ALPROTO_RFB, + true, // only to client + false, + ); +} + +#[cfg(test)] +mod test { + use super::*; + use crate::detect::uint::DetectUintMode; + + #[test] + fn test_rfb_parse_sec_result() { + let ctx = detect_parse_uint_enum::("fail").unwrap(); + assert_eq!(ctx.arg1, 1); + assert_eq!(ctx.mode, DetectUintMode::DetectUintModeEqual); + assert!(detect_parse_uint_enum::("invalidopt").is_none()); + } +} diff --git a/rust/src/rfb/logger.rs b/rust/src/rfb/logger.rs index 62bb20966f..10211832ee 100644 --- a/rust/src/rfb/logger.rs +++ b/rust/src/rfb/logger.rs @@ -17,7 +17,9 @@ // Author: Frank Honza +use super::parser::RFBSecurityResultStatus; use super::rfb::RFBTransaction; +use crate::detect::EnumString; use crate::jsonbuilder::{JsonBuilder, JsonError}; use std; use std::fmt::Write; @@ -67,15 +69,14 @@ fn log_rfb(tx: &RFBTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> { _ => (), } if let Some(security_result) = &tx.tc_security_result { - let _ = match security_result.status { - 0 => js.set_string("security_result", "OK")?, - 1 => js.set_string("security-result", "FAIL")?, - 2 => js.set_string("security_result", "TOOMANY")?, - _ => js.set_string( + if let Some(status) = RFBSecurityResultStatus::from_u(security_result.status) { + js.set_string("security_result", &status.to_str().to_uppercase())?; + } else { + js.set_string( "security_result", &format!("UNKNOWN ({})", security_result.status), - )?, - }; + )?; + } } js.close()?; // Close authentication. diff --git a/rust/src/rfb/parser.rs b/rust/src/rfb/parser.rs index 73958062d2..73273b5b53 100644 --- a/rust/src/rfb/parser.rs +++ b/rust/src/rfb/parser.rs @@ -78,6 +78,16 @@ pub struct ServerSecurityType { pub security_type: u32, } +#[derive(Clone, Debug, Default, EnumStringU32)] +#[repr(u32)] +pub enum RFBSecurityResultStatus { + #[default] + Ok = 0, + Fail = 1, + TooMany = 2, + Unknown = 3, +} + pub struct SecurityResult { pub status: u32, } diff --git a/rust/src/rfb/rfb.rs b/rust/src/rfb/rfb.rs index 6e923cab55..ec3bdbd962 100644 --- a/rust/src/rfb/rfb.rs +++ b/rust/src/rfb/rfb.rs @@ -27,7 +27,7 @@ use nom7::Err; use std; use std::ffi::CString; -static mut ALPROTO_RFB: AppProto = ALPROTO_UNKNOWN; +pub(super) static mut ALPROTO_RFB: AppProto = ALPROTO_UNKNOWN; #[derive(FromPrimitive, Debug, AppLayerEvent)] pub enum RFBEvent { diff --git a/src/Makefile.am b/src/Makefile.am index f241b6a4e3..a882c6fcd4 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -259,9 +259,6 @@ noinst_HEADERS = \ detect-replace.h \ detect-requires.h \ detect-rev.h \ - detect-rfb-name.h \ - detect-rfb-secresult.h \ - detect-rfb-sectype.h \ detect-rpc.h \ detect-sameip.h \ detect-sid.h \ @@ -842,9 +839,6 @@ libsuricata_c_a_SOURCES = \ detect-replace.c \ detect-requires.c \ detect-rev.c \ - detect-rfb-name.c \ - detect-rfb-secresult.c \ - detect-rfb-sectype.c \ detect-rpc.c \ detect-sameip.c \ detect-sid.c \ diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 688eafbc7f..bbf8b916ae 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -208,9 +208,6 @@ #include "detect-sip-stat-msg.h" #include "detect-sip-request-line.h" #include "detect-sip-response-line.h" -#include "detect-rfb-secresult.h" -#include "detect-rfb-sectype.h" -#include "detect-rfb-name.h" #include "detect-target.h" #include "detect-template-rust-buffer.h" #include "detect-quic-sni.h" @@ -672,9 +669,6 @@ void SigTableSetup(void) DetectSipStatMsgRegister(); DetectSipRequestLineRegister(); DetectSipResponseLineRegister(); - DetectRfbSecresultRegister(); - DetectRfbSectypeRegister(); - DetectRfbNameRegister(); DetectTargetRegister(); DetectTemplateRustBufferRegister(); DetectQuicSniRegister(); @@ -709,6 +703,7 @@ void SigTableSetup(void) ScDetectWebsocketRegister(); ScDetectEnipRegister(); ScDetectMqttRegister(); + ScDetectRfbRegister(); /* close keyword registration */ DetectBufferTypeCloseRegistration(); diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index 81a8cdb6ee..7c3b5b4514 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -280,9 +280,6 @@ enum DetectKeywordId { DETECT_AL_SIP_STAT_MSG, DETECT_AL_SIP_REQUEST_LINE, DETECT_AL_SIP_RESPONSE_LINE, - DETECT_AL_RFB_SECRESULT, - DETECT_AL_RFB_SECTYPE, - DETECT_AL_RFB_NAME, DETECT_TEMPLATE, DETECT_TEMPLATE2, DETECT_IPV4HDR, diff --git a/src/detect-rfb-name.c b/src/detect-rfb-name.c deleted file mode 100644 index 222223a449..0000000000 --- a/src/detect-rfb-name.c +++ /dev/null @@ -1,110 +0,0 @@ -/* Copyright (C) 2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * - * \author Sascha Steinbiss - */ - -#include "suricata-common.h" -#include "threads.h" -#include "decode.h" -#include "detect.h" - -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-mpm.h" -#include "detect-engine-prefilter.h" -#include "detect-urilen.h" - -#include "flow.h" -#include "flow-var.h" -#include "flow-util.h" - -#include "util-debug.h" -#include "util-unittest.h" -#include "util-unittest-helper.h" -#include "util-spm.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "detect-rfb-name.h" -#include "stream-tcp.h" - -#include "rust.h" -#include "app-layer-rfb.h" -#include "rust-bindings.h" - -#define KEYWORD_NAME "rfb.name" -#define KEYWORD_DOC "rfb-keywords.html#rfb-name"; -#define BUFFER_NAME "rfb.name" -#define BUFFER_DESC "rfb name" -static int g_buffer_id = 0; - -static int DetectRfbNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) -{ - if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0) - return -1; - - if (DetectSignatureSetAppProto(s, ALPROTO_RFB) < 0) - return -1; - - return 0; -} - -static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *_f, - const uint8_t _flow_flags, void *txv, const int list_id) -{ - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - const uint8_t *b = NULL; - uint32_t b_len = 0; - - if (rs_rfb_tx_get_name(txv, &b, &b_len) != 1) - return NULL; - if (b == NULL || b_len == 0) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); - } - - return buffer; -} - -void DetectRfbNameRegister(void) -{ - sigmatch_table[DETECT_AL_RFB_NAME].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_RFB_NAME].url = "/rules/" KEYWORD_DOC - sigmatch_table[DETECT_AL_RFB_NAME].desc = "sticky buffer to match on the RFB desktop name"; - sigmatch_table[DETECT_AL_RFB_NAME].Setup = DetectRfbNameSetup; - sigmatch_table[DETECT_AL_RFB_NAME].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER; - - DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_RFB, SIG_FLAG_TOCLIENT, 1, - DetectEngineInspectBufferGeneric, GetData); - - DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 1, PrefilterGenericMpmRegister, - GetData, ALPROTO_RFB, 1); - - DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); - - g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); - - SCLogDebug("registering " BUFFER_NAME " rule option"); -} diff --git a/src/detect-rfb-name.h b/src/detect-rfb-name.h deleted file mode 100644 index 70a8a60b91..0000000000 --- a/src/detect-rfb-name.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Frank Honza - */ - -#ifndef SURICATA_DETECT_RFB_NAME_H -#define SURICATA_DETECT_RFB_NAME_H - -void DetectRfbNameRegister(void); - -#endif /* SURICATA_DETECT_RFB_NAME_H */ diff --git a/src/detect-rfb-secresult.c b/src/detect-rfb-secresult.c deleted file mode 100644 index 946886ca23..0000000000 --- a/src/detect-rfb-secresult.c +++ /dev/null @@ -1,285 +0,0 @@ -/* Copyright (C) 2020-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Sascha Steinbiss - */ - -#include "suricata-common.h" -#include "conf.h" -#include "detect.h" -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-content-inspection.h" -#include "detect-rfb-secresult.h" -#include "util-unittest.h" - -#include "rust.h" - -#define PARSE_REGEX "\\S[A-z]" -static DetectParseRegex parse_regex; - -static int rfb_secresult_id = 0; - -static int DetectRfbSecresultMatch(DetectEngineThreadCtx *det_ctx, - Flow *f, uint8_t flags, void *state, - void *txv, const Signature *s, - const SigMatchCtx *ctx); -static int DetectRfbSecresultSetup (DetectEngineCtx *, Signature *, const char *); -#ifdef UNITTESTS -static void RfbSecresultRegisterTests(void); -#endif -void DetectRfbSecresultFree(DetectEngineCtx *, void *); - -typedef struct DetectRfbSecresultData_ { - uint32_t result; /** result code */ -} DetectRfbSecresultData; - -/** - * \brief Registration function for rfb.secresult: keyword - */ -void DetectRfbSecresultRegister (void) -{ - sigmatch_table[DETECT_AL_RFB_SECRESULT].name = "rfb.secresult"; - sigmatch_table[DETECT_AL_RFB_SECRESULT].desc = "match RFB security result"; - sigmatch_table[DETECT_AL_RFB_SECRESULT].url = "/rules/rfb-keywords.html#rfb-secresult"; - sigmatch_table[DETECT_AL_RFB_SECRESULT].AppLayerTxMatch = DetectRfbSecresultMatch; - sigmatch_table[DETECT_AL_RFB_SECRESULT].Setup = DetectRfbSecresultSetup; - sigmatch_table[DETECT_AL_RFB_SECRESULT].Free = DetectRfbSecresultFree; -#ifdef UNITTESTS - sigmatch_table[DETECT_AL_RFB_SECRESULT].RegisterTests = RfbSecresultRegisterTests; -#endif - DetectSetupParseRegexes(PARSE_REGEX, &parse_regex); - - DetectAppLayerInspectEngineRegister("rfb.secresult", ALPROTO_RFB, SIG_FLAG_TOCLIENT, 1, - DetectEngineInspectGenericList, NULL); - - rfb_secresult_id = DetectBufferTypeGetByName("rfb.secresult"); -} - -enum { - RFB_SECRESULT_OK = 0, - RFB_SECRESULT_FAIL, - RFB_SECRESULT_TOOMANY, - RFB_SECRESULT_UNKNOWN -}; - -/** - * \struct DetectRfbSecresult_ - * DetectRfbSecresult_ is used to store values - */ - -struct DetectRfbSecresult_ { - const char *result; - uint16_t code; -} results[] = { - { "ok", RFB_SECRESULT_OK, }, - { "fail", RFB_SECRESULT_FAIL, }, - { "toomany", RFB_SECRESULT_TOOMANY, }, - { "unknown", RFB_SECRESULT_UNKNOWN, }, - { NULL, 0 }, -}; - -/** - * \internal - * \brief Function to match security result of a RFB TX - * - * \param det_ctx Pointer to the pattern matcher thread. - * \param f Pointer to the current flow. - * \param flags Flags. - * \param state App layer state. - * \param txv Pointer to the RFBTransaction. - * \param s Pointer to the Signature. - * \param ctx Pointer to the sigmatch that we will cast into DetectRfbSecresultData. - * - * \retval 0 no match. - * \retval 1 match. - */ -static int DetectRfbSecresultMatch(DetectEngineThreadCtx *det_ctx, - Flow *f, uint8_t flags, void *state, - void *txv, const Signature *s, - const SigMatchCtx *ctx) -{ - const DetectRfbSecresultData *de = (const DetectRfbSecresultData *)ctx; - uint32_t resultcode; - int ret = 0; - - if (!de) - return 0; - - ret = rs_rfb_tx_get_secresult(txv, &resultcode); - if (ret == 0) { - return 0; - } - - if (de->result < 3) { - /* we are asking for a defined code... */ - if (resultcode == de->result) { - /* ... which needs to match */ - return 1; - } - } else { - /* we are asking for an unknown code */ - if (resultcode > 2) { - /* match any unknown code */ - return 1; - } - } - - return 0; -} - -/** - * \internal - * \brief This function is used to parse options passed via rfb.secresults: keyword - * - * \param rawstr Pointer to the user provided secresult options - * - * \retval de pointer to DetectRfbSecresultData on success - * \retval NULL on failure - */ -static DetectRfbSecresultData *DetectRfbSecresultParse (const char *rawstr) -{ - int i; - DetectRfbSecresultData *de = NULL; - int found = 0; - - pcre2_match_data *match = NULL; - int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0); - if (ret < 1) { - SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr); - goto error; - } - - for(i = 0; results[i].result != NULL; i++) { - if((strcasecmp(results[i].result,rawstr)) == 0) { - found = 1; - break; - } - } - - if(found == 0) { - SCLogError("unknown secresult value %s", rawstr); - goto error; - } - - de = SCMalloc(sizeof(DetectRfbSecresultData)); - if (unlikely(de == NULL)) - goto error; - - de->result = results[i].code; - - pcre2_match_data_free(match); - return de; - -error: - if (match) { - pcre2_match_data_free(match); - } - if (de) SCFree(de); - return NULL; -} - -/** - * \internal - * \brief this function is used to add the parsed secresult into the current signature - * - * \param de_ctx pointer to the Detection Engine Context - * \param s pointer to the Current Signature - * \param rawstr pointer to the user provided secresult options - * - * \retval 0 on Success - * \retval -1 on Failure - */ -static int DetectRfbSecresultSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) -{ - DetectRfbSecresultData *de = NULL; - - if (DetectSignatureSetAppProto(s, ALPROTO_RFB) < 0) - return -1; - - de = DetectRfbSecresultParse(rawstr); - if (de == NULL) - goto error; - - if (SigMatchAppendSMToList( - de_ctx, s, DETECT_AL_RFB_SECRESULT, (SigMatchCtx *)de, rfb_secresult_id) == NULL) { - goto error; - } - - return 0; - -error: - if (de) - SCFree(de); - return -1; -} - -/** - * \internal - * \brief this function will free memory associated with DetectRfbSecresultData - * - * \param de pointer to DetectRfbSecresultData - */ -void DetectRfbSecresultFree(DetectEngineCtx *de_ctx, void *de_ptr) -{ - DetectRfbSecresultData *de = (DetectRfbSecresultData *)de_ptr; - if(de) SCFree(de); -} - -/* - * ONLY TESTS BELOW THIS COMMENT - */ - -#ifdef UNITTESTS -/** - * \test RfbSecresultTestParse01 is a test for a valid secresult value - */ -static int RfbSecresultTestParse01 (void) -{ - DetectRfbSecresultData *de = DetectRfbSecresultParse("fail"); - - FAIL_IF_NULL(de); - - DetectRfbSecresultFree(NULL, de); - - PASS; -} - -/** - * \test RfbSecresultTestParse02 is a test for an invalid secresult value - */ -static int RfbSecresultTestParse02 (void) -{ - DetectRfbSecresultData *de = DetectRfbSecresultParse("invalidopt"); - - FAIL_IF_NOT_NULL(de); - - PASS; -} - -/** - * \brief this function registers unit tests for RfbSecresult - */ -void RfbSecresultRegisterTests(void) -{ - UtRegisterTest("RfbSecresultTestParse01", RfbSecresultTestParse01); - UtRegisterTest("RfbSecresultTestParse02", RfbSecresultTestParse02); -} -#endif /* UNITTESTS */ diff --git a/src/detect-rfb-secresult.h b/src/detect-rfb-secresult.h deleted file mode 100644 index 74c70c748e..0000000000 --- a/src/detect-rfb-secresult.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Sascha Steinbiss - */ - -#ifndef SURICATA_DETECT_RFB_SECRESULT_H -#define SURICATA_DETECT_RFB_SECRESULT_H - -void DetectRfbSecresultRegister(void); - -#endif /*SURICATA_DETECT_RFB_SECRESULT_H */ diff --git a/src/detect-rfb-sectype.c b/src/detect-rfb-sectype.c deleted file mode 100644 index d3758d3ded..0000000000 --- a/src/detect-rfb-sectype.c +++ /dev/null @@ -1,137 +0,0 @@ -/* Copyright (C) 2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * - * \author Sascha Steinbiss - */ - -#include "suricata-common.h" -#include "conf.h" -#include "detect.h" -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-content-inspection.h" -#include "detect-rfb-sectype.h" -#include "detect-engine-uint.h" -#include "app-layer-parser.h" -#include "util-byte.h" - -#include "rust-bindings.h" - - -static int DetectRfbSectypeSetup (DetectEngineCtx *, Signature *s, const char *str); -static void DetectRfbSectypeFree(DetectEngineCtx *, void *); -static int g_rfb_sectype_buffer_id = 0; - -static int DetectRfbSectypeMatch (DetectEngineThreadCtx *, Flow *, - uint8_t, void *, void *, const Signature *, - const SigMatchCtx *); - -/** - * \brief Registration function for rfb.sectype keyword. - */ -void DetectRfbSectypeRegister (void) -{ - sigmatch_table[DETECT_AL_RFB_SECTYPE].name = "rfb.sectype"; - sigmatch_table[DETECT_AL_RFB_SECTYPE].desc = "match RFB security type"; - sigmatch_table[DETECT_AL_RFB_SECTYPE].url = "/rules/rfb-keywords.html#rfb-sectype"; - sigmatch_table[DETECT_AL_RFB_SECTYPE].AppLayerTxMatch = DetectRfbSectypeMatch; - sigmatch_table[DETECT_AL_RFB_SECTYPE].Setup = DetectRfbSectypeSetup; - sigmatch_table[DETECT_AL_RFB_SECTYPE].Free = DetectRfbSectypeFree; - - DetectAppLayerInspectEngineRegister( - "rfb.sectype", ALPROTO_RFB, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL); - - g_rfb_sectype_buffer_id = DetectBufferTypeGetByName("rfb.sectype"); -} - -/** - * \internal - * \brief Function to match security type of a RFB TX - * - * \param det_ctx Pointer to the pattern matcher thread. - * \param f Pointer to the current flow. - * \param flags Flags. - * \param state App layer state. - * \param txv Pointer to the RFBTransaction. - * \param s Pointer to the Signature. - * \param ctx Pointer to the sigmatch that we will cast into DetectU32Data. - * - * \retval 0 no match. - * \retval 1 match. - */ -static int DetectRfbSectypeMatch (DetectEngineThreadCtx *det_ctx, - Flow *f, uint8_t flags, void *state, - void *txv, const Signature *s, - const SigMatchCtx *ctx) -{ - SCEnter(); - - const DetectU32Data *dd = (const DetectU32Data *)ctx; - uint32_t version; - rs_rfb_tx_get_sectype(txv, &version); - if (DetectU32Match(version, dd)) - SCReturnInt(1); - SCReturnInt(0); -} - -/** - * \brief Function to add the parsed RFB security type field into the current signature. - * - * \param de_ctx Pointer to the Detection Engine Context. - * \param s Pointer to the Current Signature. - * \param rawstr Pointer to the user provided flags options. - * - * \retval 0 on Success. - * \retval -1 on Failure. - */ -static int DetectRfbSectypeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) -{ - if (DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0) - return -1; - - DetectU32Data *dd = DetectU32Parse(rawstr); - if (dd == NULL) { - SCLogError("Parsing \'%s\' failed", rawstr); - return -1; - } - - /* okay so far so good, lets get this into a SigMatch - * and put it in the Signature. */ - - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_RFB_SECTYPE, (SigMatchCtx *)dd, - g_rfb_sectype_buffer_id) == NULL) { - goto error; - } - return 0; - -error: - DetectRfbSectypeFree(de_ctx, dd); - return -1; -} - -/** - * \internal - * \brief Function to free memory associated with DetectU32Data. - * - * \param de_ptr Pointer to DetectU32Data. - */ -static void DetectRfbSectypeFree(DetectEngineCtx *de_ctx, void *ptr) -{ - rs_detect_u32_free(ptr); -} diff --git a/src/detect-rfb-sectype.h b/src/detect-rfb-sectype.h deleted file mode 100644 index e2860a3558..0000000000 --- a/src/detect-rfb-sectype.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Sascha Steinbiss - */ - -#ifndef SURICATA_DETECT_RFB_SECTYPE_H -#define SURICATA_DETECT_RFB_SECTYPE_H - -void DetectRfbSectypeRegister(void); - -#endif /* SURICATA_DETECT_RFB_SECTYPE_H */ -- 2.47.2