Match on the value of the RFB security result, e.g. ``ok``, ``fail``, ``toomany`` or ``unknown``.
+rfb.secresult uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+
Examples::
rfb.secresult: ok;
+ rfb.secresult: !0;
rfb.secresult: unknown;
// Author: Frank Honza <frank.honza@dcso.de>
-use crate::rfb::rfb::*;
+use super::parser::RFBSecurityResultStatus;
+use super::rfb::{RFBTransaction, ALPROTO_RFB};
+use crate::detect::uint::{
+ detect_match_uint, detect_parse_uint_enum, rs_detect_u32_free, rs_detect_u32_parse,
+ DetectUintData,
+};
+use crate::detect::{
+ DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperBufferRegister,
+ DetectHelperGetData, DetectHelperKeywordRegister, DetectSignatureSetAppProto, SCSigTableElmt,
+ SigMatchAppendSMToList, SIGMATCH_INFO_STICKY_BUFFER, SIGMATCH_NOOPT,
+};
+use std::ffi::CStr;
+use std::os::raw::{c_int, c_void};
use std::ptr;
-#[no_mangle]
-pub unsafe extern "C" fn rs_rfb_tx_get_name(
- tx: &mut RFBTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
-) -> u8 {
+unsafe extern "C" fn rfb_name_get_data(
+ tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32,
+) -> bool {
+ let tx = cast_pointer!(tx, RFBTransaction);
if let Some(ref r) = tx.tc_server_init {
let p = &r.name;
if !p.is_empty() {
*buffer = p.as_ptr();
*buffer_len = p.len() as u32;
- return 1;
+ return true;
}
}
*buffer = ptr::null();
*buffer_len = 0;
+ return false;
+}
- return 0;
+unsafe extern "C" fn rfb_name_get(
+ de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
+ tx: *const c_void, list_id: c_int,
+) -> *mut c_void {
+ return DetectHelperGetData(
+ de,
+ transforms,
+ flow,
+ flow_flags,
+ tx,
+ list_id,
+ rfb_name_get_data,
+ );
}
-#[no_mangle]
-pub unsafe extern "C" fn rs_rfb_tx_get_sectype(tx: &mut RFBTransaction, sectype: *mut u32) -> u8 {
- if let Some(ref r) = tx.chosen_security_type {
- *sectype = *r;
- return 1;
+static mut G_RFB_NAME_BUFFER_ID: c_int = 0;
+static mut G_RFB_SEC_TYPE_KW_ID: c_int = 0;
+static mut G_RFB_SEC_TYPE_BUFFER_ID: c_int = 0;
+static mut G_RFB_SEC_RESULT_KW_ID: c_int = 0;
+static mut G_RFB_SEC_RESULT_BUFFER_ID: c_int = 0;
+
+unsafe extern "C" fn rfb_name_setup(
+ de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
+) -> c_int {
+ if DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0 {
+ return -1;
}
+ if DetectBufferSetActiveList(de, s, G_RFB_NAME_BUFFER_ID) < 0 {
+ return -1;
+ }
+ return 0;
+}
- *sectype = 0;
+unsafe extern "C" fn rfb_sec_type_setup(
+ de: *mut c_void, s: *mut c_void, raw: *const libc::c_char,
+) -> c_int {
+ if DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0 {
+ return -1;
+ }
+ let ctx = rs_detect_u32_parse(raw) as *mut c_void;
+ if ctx.is_null() {
+ return -1;
+ }
+ if SigMatchAppendSMToList(de, s, G_RFB_SEC_TYPE_KW_ID, ctx, G_RFB_SEC_TYPE_BUFFER_ID).is_null()
+ {
+ rfb_sec_type_free(std::ptr::null_mut(), ctx);
+ return -1;
+ }
+ return 0;
+}
+fn rfb_sec_type_match_aux(tx: &mut RFBTransaction, ctx: &DetectUintData<u32>) -> c_int {
+ if let Some(r) = tx.chosen_security_type {
+ if detect_match_uint(ctx, r) {
+ return 1;
+ }
+ }
return 0;
}
-#[no_mangle]
-pub unsafe extern "C" fn rs_rfb_tx_get_secresult(
- tx: &mut RFBTransaction, secresult: *mut u32,
-) -> u8 {
- if let Some(ref r) = tx.tc_security_result {
- *secresult = r.status;
- return 1;
+unsafe extern "C" fn rfb_sec_type_match(
+ _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void,
+ _sig: *const c_void, ctx: *const c_void,
+) -> c_int {
+ let ctx = cast_pointer!(ctx, DetectUintData<u32>);
+ let tx = cast_pointer!(tx, RFBTransaction);
+ return rfb_sec_type_match_aux(tx, ctx);
+}
+
+unsafe extern "C" fn rfb_sec_type_free(_de: *mut c_void, ctx: *mut c_void) {
+ let ctx = cast_pointer!(ctx, DetectUintData<u32>);
+ rs_detect_u32_free(ctx);
+}
+
+unsafe extern "C" fn rfb_parse_sec_result(
+ ustr: *const std::os::raw::c_char,
+) -> *mut DetectUintData<u8> {
+ let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
+ if let Ok(s) = ft_name.to_str() {
+ if let Some(ctx) = detect_parse_uint_enum::<u32, RFBSecurityResultStatus>(s) {
+ let boxed = Box::new(ctx);
+ return Box::into_raw(boxed) as *mut _;
+ }
}
+ return std::ptr::null_mut();
+}
+unsafe extern "C" fn rfb_sec_result_setup(
+ de: *mut c_void, s: *mut c_void, raw: *const libc::c_char,
+) -> c_int {
+ if DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0 {
+ return -1;
+ }
+ let ctx = rfb_parse_sec_result(raw) as *mut c_void;
+ if ctx.is_null() {
+ return -1;
+ }
+ if SigMatchAppendSMToList(
+ de,
+ s,
+ G_RFB_SEC_RESULT_KW_ID,
+ ctx,
+ G_RFB_SEC_RESULT_BUFFER_ID,
+ )
+ .is_null()
+ {
+ rfb_sec_result_free(std::ptr::null_mut(), ctx);
+ return -1;
+ }
+ return 0;
+}
+
+fn rfb_sec_result_match_aux(tx: &RFBTransaction, ctx: &DetectUintData<u32>) -> c_int {
+ if let Some(r) = &tx.tc_security_result {
+ if detect_match_uint(ctx, r.status) {
+ return 1;
+ }
+ }
return 0;
}
+
+unsafe extern "C" fn rfb_sec_result_match(
+ _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void,
+ _sig: *const c_void, ctx: *const c_void,
+) -> c_int {
+ let tx = cast_pointer!(tx, RFBTransaction);
+ let ctx = cast_pointer!(ctx, DetectUintData<u32>);
+ return rfb_sec_result_match_aux(tx, ctx);
+}
+
+unsafe extern "C" fn rfb_sec_result_free(_de: *mut c_void, ctx: *mut c_void) {
+ // Just unbox...
+ let ctx = cast_pointer!(ctx, DetectUintData<u32>);
+ rs_detect_u32_free(ctx);
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn ScDetectRfbRegister() {
+ let kw = SCSigTableElmt {
+ name: b"rfb.name\0".as_ptr() as *const libc::c_char,
+ desc: b"sticky buffer to match on the RFB desktop name\0".as_ptr() as *const libc::c_char,
+ url: b"/rules/rfb-keywords.html#rfb-name\0".as_ptr() as *const libc::c_char,
+ Setup: rfb_name_setup,
+ flags: SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER,
+ AppLayerTxMatch: None,
+ Free: None,
+ };
+ let _g_rfb_name_kw_id = DetectHelperKeywordRegister(&kw);
+ G_RFB_NAME_BUFFER_ID = DetectHelperBufferMpmRegister(
+ b"rfb.name\0".as_ptr() as *const libc::c_char,
+ b"rfb name\0".as_ptr() as *const libc::c_char,
+ ALPROTO_RFB,
+ true, //toclient
+ false,
+ rfb_name_get,
+ );
+ let kw = SCSigTableElmt {
+ name: b"rfb.sectype\0".as_ptr() as *const libc::c_char,
+ desc: b"match RFB security type\0".as_ptr() as *const libc::c_char,
+ url: b"/rules/rfb-keywords.html#rfb-sectype\0".as_ptr() as *const libc::c_char,
+ AppLayerTxMatch: Some(rfb_sec_type_match),
+ Setup: rfb_sec_type_setup,
+ Free: Some(rfb_sec_type_free),
+ flags: 0,
+ };
+ G_RFB_SEC_TYPE_KW_ID = DetectHelperKeywordRegister(&kw);
+ G_RFB_SEC_TYPE_BUFFER_ID = DetectHelperBufferRegister(
+ b"rfb.sectype\0".as_ptr() as *const libc::c_char,
+ ALPROTO_RFB,
+ false, // only to server
+ true,
+ );
+ let kw = SCSigTableElmt {
+ name: b"rfb.secresult\0".as_ptr() as *const libc::c_char,
+ desc: b"match RFB security result\0".as_ptr() as *const libc::c_char,
+ url: b"/rules/rfb-keywords.html#rfb-secresult\0".as_ptr() as *const libc::c_char,
+ AppLayerTxMatch: Some(rfb_sec_result_match),
+ Setup: rfb_sec_result_setup,
+ Free: Some(rfb_sec_result_free),
+ flags: 0,
+ };
+ G_RFB_SEC_RESULT_KW_ID = DetectHelperKeywordRegister(&kw);
+ G_RFB_SEC_RESULT_BUFFER_ID = DetectHelperBufferRegister(
+ b"rfb.secresult\0".as_ptr() as *const libc::c_char,
+ ALPROTO_RFB,
+ true, // only to client
+ false,
+ );
+}
+
+#[cfg(test)]
+mod test {
+ use super::*;
+ use crate::detect::uint::DetectUintMode;
+
+ #[test]
+ fn test_rfb_parse_sec_result() {
+ let ctx = detect_parse_uint_enum::<u32, RFBSecurityResultStatus>("fail").unwrap();
+ assert_eq!(ctx.arg1, 1);
+ assert_eq!(ctx.mode, DetectUintMode::DetectUintModeEqual);
+ assert!(detect_parse_uint_enum::<u32, RFBSecurityResultStatus>("invalidopt").is_none());
+ }
+}
// Author: Frank Honza <frank.honza@dcso.de>
+use super::parser::RFBSecurityResultStatus;
use super::rfb::RFBTransaction;
+use crate::detect::EnumString;
use crate::jsonbuilder::{JsonBuilder, JsonError};
use std;
use std::fmt::Write;
_ => (),
}
if let Some(security_result) = &tx.tc_security_result {
- let _ = match security_result.status {
- 0 => js.set_string("security_result", "OK")?,
- 1 => js.set_string("security-result", "FAIL")?,
- 2 => js.set_string("security_result", "TOOMANY")?,
- _ => js.set_string(
+ if let Some(status) = RFBSecurityResultStatus::from_u(security_result.status) {
+ js.set_string("security_result", &status.to_str().to_uppercase())?;
+ } else {
+ js.set_string(
"security_result",
&format!("UNKNOWN ({})", security_result.status),
- )?,
- };
+ )?;
+ }
}
js.close()?; // Close authentication.
pub security_type: u32,
}
+#[derive(Clone, Debug, Default, EnumStringU32)]
+#[repr(u32)]
+pub enum RFBSecurityResultStatus {
+ #[default]
+ Ok = 0,
+ Fail = 1,
+ TooMany = 2,
+ Unknown = 3,
+}
+
pub struct SecurityResult {
pub status: u32,
}
use std;
use std::ffi::CString;
-static mut ALPROTO_RFB: AppProto = ALPROTO_UNKNOWN;
+pub(super) static mut ALPROTO_RFB: AppProto = ALPROTO_UNKNOWN;
#[derive(FromPrimitive, Debug, AppLayerEvent)]
pub enum RFBEvent {
detect-replace.h \
detect-requires.h \
detect-rev.h \
- detect-rfb-name.h \
- detect-rfb-secresult.h \
- detect-rfb-sectype.h \
detect-rpc.h \
detect-sameip.h \
detect-sid.h \
detect-replace.c \
detect-requires.c \
detect-rev.c \
- detect-rfb-name.c \
- detect-rfb-secresult.c \
- detect-rfb-sectype.c \
detect-rpc.c \
detect-sameip.c \
detect-sid.c \
#include "detect-sip-stat-msg.h"
#include "detect-sip-request-line.h"
#include "detect-sip-response-line.h"
-#include "detect-rfb-secresult.h"
-#include "detect-rfb-sectype.h"
-#include "detect-rfb-name.h"
#include "detect-target.h"
#include "detect-template-rust-buffer.h"
#include "detect-quic-sni.h"
DetectSipStatMsgRegister();
DetectSipRequestLineRegister();
DetectSipResponseLineRegister();
- DetectRfbSecresultRegister();
- DetectRfbSectypeRegister();
- DetectRfbNameRegister();
DetectTargetRegister();
DetectTemplateRustBufferRegister();
DetectQuicSniRegister();
ScDetectWebsocketRegister();
ScDetectEnipRegister();
ScDetectMqttRegister();
+ ScDetectRfbRegister();
/* close keyword registration */
DetectBufferTypeCloseRegistration();
DETECT_AL_SIP_STAT_MSG,
DETECT_AL_SIP_REQUEST_LINE,
DETECT_AL_SIP_RESPONSE_LINE,
- DETECT_AL_RFB_SECRESULT,
- DETECT_AL_RFB_SECTYPE,
- DETECT_AL_RFB_NAME,
DETECT_TEMPLATE,
DETECT_TEMPLATE2,
DETECT_IPV4HDR,
+++ /dev/null
-/* Copyright (C) 2020 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- *
- * \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
- */
-
-#include "suricata-common.h"
-#include "threads.h"
-#include "decode.h"
-#include "detect.h"
-
-#include "detect-parse.h"
-#include "detect-engine.h"
-#include "detect-engine-mpm.h"
-#include "detect-engine-prefilter.h"
-#include "detect-urilen.h"
-
-#include "flow.h"
-#include "flow-var.h"
-#include "flow-util.h"
-
-#include "util-debug.h"
-#include "util-unittest.h"
-#include "util-unittest-helper.h"
-#include "util-spm.h"
-
-#include "app-layer.h"
-#include "app-layer-parser.h"
-
-#include "detect-rfb-name.h"
-#include "stream-tcp.h"
-
-#include "rust.h"
-#include "app-layer-rfb.h"
-#include "rust-bindings.h"
-
-#define KEYWORD_NAME "rfb.name"
-#define KEYWORD_DOC "rfb-keywords.html#rfb-name";
-#define BUFFER_NAME "rfb.name"
-#define BUFFER_DESC "rfb name"
-static int g_buffer_id = 0;
-
-static int DetectRfbNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
-{
- if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0)
- return -1;
-
- if (DetectSignatureSetAppProto(s, ALPROTO_RFB) < 0)
- return -1;
-
- return 0;
-}
-
-static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
- const DetectEngineTransforms *transforms, Flow *_f,
- const uint8_t _flow_flags, void *txv, const int list_id)
-{
- InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
- if (buffer->inspect == NULL) {
- const uint8_t *b = NULL;
- uint32_t b_len = 0;
-
- if (rs_rfb_tx_get_name(txv, &b, &b_len) != 1)
- return NULL;
- if (b == NULL || b_len == 0)
- return NULL;
-
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(buffer, transforms);
- }
-
- return buffer;
-}
-
-void DetectRfbNameRegister(void)
-{
- sigmatch_table[DETECT_AL_RFB_NAME].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_RFB_NAME].url = "/rules/" KEYWORD_DOC
- sigmatch_table[DETECT_AL_RFB_NAME].desc = "sticky buffer to match on the RFB desktop name";
- sigmatch_table[DETECT_AL_RFB_NAME].Setup = DetectRfbNameSetup;
- sigmatch_table[DETECT_AL_RFB_NAME].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
-
- DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_RFB, SIG_FLAG_TOCLIENT, 1,
- DetectEngineInspectBufferGeneric, GetData);
-
- DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 1, PrefilterGenericMpmRegister,
- GetData, ALPROTO_RFB, 1);
-
- DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
-
- g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
-
- SCLogDebug("registering " BUFFER_NAME " rule option");
-}
+++ /dev/null
-/* Copyright (C) 2020 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Frank Honza
- */
-
-#ifndef SURICATA_DETECT_RFB_NAME_H
-#define SURICATA_DETECT_RFB_NAME_H
-
-void DetectRfbNameRegister(void);
-
-#endif /* SURICATA_DETECT_RFB_NAME_H */
+++ /dev/null
-/* Copyright (C) 2020-2021 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
- */
-
-#include "suricata-common.h"
-#include "conf.h"
-#include "detect.h"
-#include "detect-parse.h"
-#include "detect-engine.h"
-#include "detect-engine-content-inspection.h"
-#include "detect-rfb-secresult.h"
-#include "util-unittest.h"
-
-#include "rust.h"
-
-#define PARSE_REGEX "\\S[A-z]"
-static DetectParseRegex parse_regex;
-
-static int rfb_secresult_id = 0;
-
-static int DetectRfbSecresultMatch(DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state,
- void *txv, const Signature *s,
- const SigMatchCtx *ctx);
-static int DetectRfbSecresultSetup (DetectEngineCtx *, Signature *, const char *);
-#ifdef UNITTESTS
-static void RfbSecresultRegisterTests(void);
-#endif
-void DetectRfbSecresultFree(DetectEngineCtx *, void *);
-
-typedef struct DetectRfbSecresultData_ {
- uint32_t result; /** result code */
-} DetectRfbSecresultData;
-
-/**
- * \brief Registration function for rfb.secresult: keyword
- */
-void DetectRfbSecresultRegister (void)
-{
- sigmatch_table[DETECT_AL_RFB_SECRESULT].name = "rfb.secresult";
- sigmatch_table[DETECT_AL_RFB_SECRESULT].desc = "match RFB security result";
- sigmatch_table[DETECT_AL_RFB_SECRESULT].url = "/rules/rfb-keywords.html#rfb-secresult";
- sigmatch_table[DETECT_AL_RFB_SECRESULT].AppLayerTxMatch = DetectRfbSecresultMatch;
- sigmatch_table[DETECT_AL_RFB_SECRESULT].Setup = DetectRfbSecresultSetup;
- sigmatch_table[DETECT_AL_RFB_SECRESULT].Free = DetectRfbSecresultFree;
-#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_RFB_SECRESULT].RegisterTests = RfbSecresultRegisterTests;
-#endif
- DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
-
- DetectAppLayerInspectEngineRegister("rfb.secresult", ALPROTO_RFB, SIG_FLAG_TOCLIENT, 1,
- DetectEngineInspectGenericList, NULL);
-
- rfb_secresult_id = DetectBufferTypeGetByName("rfb.secresult");
-}
-
-enum {
- RFB_SECRESULT_OK = 0,
- RFB_SECRESULT_FAIL,
- RFB_SECRESULT_TOOMANY,
- RFB_SECRESULT_UNKNOWN
-};
-
-/**
- * \struct DetectRfbSecresult_
- * DetectRfbSecresult_ is used to store values
- */
-
-struct DetectRfbSecresult_ {
- const char *result;
- uint16_t code;
-} results[] = {
- { "ok", RFB_SECRESULT_OK, },
- { "fail", RFB_SECRESULT_FAIL, },
- { "toomany", RFB_SECRESULT_TOOMANY, },
- { "unknown", RFB_SECRESULT_UNKNOWN, },
- { NULL, 0 },
-};
-
-/**
- * \internal
- * \brief Function to match security result of a RFB TX
- *
- * \param det_ctx Pointer to the pattern matcher thread.
- * \param f Pointer to the current flow.
- * \param flags Flags.
- * \param state App layer state.
- * \param txv Pointer to the RFBTransaction.
- * \param s Pointer to the Signature.
- * \param ctx Pointer to the sigmatch that we will cast into DetectRfbSecresultData.
- *
- * \retval 0 no match.
- * \retval 1 match.
- */
-static int DetectRfbSecresultMatch(DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state,
- void *txv, const Signature *s,
- const SigMatchCtx *ctx)
-{
- const DetectRfbSecresultData *de = (const DetectRfbSecresultData *)ctx;
- uint32_t resultcode;
- int ret = 0;
-
- if (!de)
- return 0;
-
- ret = rs_rfb_tx_get_secresult(txv, &resultcode);
- if (ret == 0) {
- return 0;
- }
-
- if (de->result < 3) {
- /* we are asking for a defined code... */
- if (resultcode == de->result) {
- /* ... which needs to match */
- return 1;
- }
- } else {
- /* we are asking for an unknown code */
- if (resultcode > 2) {
- /* match any unknown code */
- return 1;
- }
- }
-
- return 0;
-}
-
-/**
- * \internal
- * \brief This function is used to parse options passed via rfb.secresults: keyword
- *
- * \param rawstr Pointer to the user provided secresult options
- *
- * \retval de pointer to DetectRfbSecresultData on success
- * \retval NULL on failure
- */
-static DetectRfbSecresultData *DetectRfbSecresultParse (const char *rawstr)
-{
- int i;
- DetectRfbSecresultData *de = NULL;
- int found = 0;
-
- pcre2_match_data *match = NULL;
- int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
- if (ret < 1) {
- SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
- goto error;
- }
-
- for(i = 0; results[i].result != NULL; i++) {
- if((strcasecmp(results[i].result,rawstr)) == 0) {
- found = 1;
- break;
- }
- }
-
- if(found == 0) {
- SCLogError("unknown secresult value %s", rawstr);
- goto error;
- }
-
- de = SCMalloc(sizeof(DetectRfbSecresultData));
- if (unlikely(de == NULL))
- goto error;
-
- de->result = results[i].code;
-
- pcre2_match_data_free(match);
- return de;
-
-error:
- if (match) {
- pcre2_match_data_free(match);
- }
- if (de) SCFree(de);
- return NULL;
-}
-
-/**
- * \internal
- * \brief this function is used to add the parsed secresult into the current signature
- *
- * \param de_ctx pointer to the Detection Engine Context
- * \param s pointer to the Current Signature
- * \param rawstr pointer to the user provided secresult options
- *
- * \retval 0 on Success
- * \retval -1 on Failure
- */
-static int DetectRfbSecresultSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
-{
- DetectRfbSecresultData *de = NULL;
-
- if (DetectSignatureSetAppProto(s, ALPROTO_RFB) < 0)
- return -1;
-
- de = DetectRfbSecresultParse(rawstr);
- if (de == NULL)
- goto error;
-
- if (SigMatchAppendSMToList(
- de_ctx, s, DETECT_AL_RFB_SECRESULT, (SigMatchCtx *)de, rfb_secresult_id) == NULL) {
- goto error;
- }
-
- return 0;
-
-error:
- if (de)
- SCFree(de);
- return -1;
-}
-
-/**
- * \internal
- * \brief this function will free memory associated with DetectRfbSecresultData
- *
- * \param de pointer to DetectRfbSecresultData
- */
-void DetectRfbSecresultFree(DetectEngineCtx *de_ctx, void *de_ptr)
-{
- DetectRfbSecresultData *de = (DetectRfbSecresultData *)de_ptr;
- if(de) SCFree(de);
-}
-
-/*
- * ONLY TESTS BELOW THIS COMMENT
- */
-
-#ifdef UNITTESTS
-/**
- * \test RfbSecresultTestParse01 is a test for a valid secresult value
- */
-static int RfbSecresultTestParse01 (void)
-{
- DetectRfbSecresultData *de = DetectRfbSecresultParse("fail");
-
- FAIL_IF_NULL(de);
-
- DetectRfbSecresultFree(NULL, de);
-
- PASS;
-}
-
-/**
- * \test RfbSecresultTestParse02 is a test for an invalid secresult value
- */
-static int RfbSecresultTestParse02 (void)
-{
- DetectRfbSecresultData *de = DetectRfbSecresultParse("invalidopt");
-
- FAIL_IF_NOT_NULL(de);
-
- PASS;
-}
-
-/**
- * \brief this function registers unit tests for RfbSecresult
- */
-void RfbSecresultRegisterTests(void)
-{
- UtRegisterTest("RfbSecresultTestParse01", RfbSecresultTestParse01);
- UtRegisterTest("RfbSecresultTestParse02", RfbSecresultTestParse02);
-}
-#endif /* UNITTESTS */
+++ /dev/null
-/* Copyright (C) 2020 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
- */
-
-#ifndef SURICATA_DETECT_RFB_SECRESULT_H
-#define SURICATA_DETECT_RFB_SECRESULT_H
-
-void DetectRfbSecresultRegister(void);
-
-#endif /*SURICATA_DETECT_RFB_SECRESULT_H */
+++ /dev/null
-/* Copyright (C) 2020 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- *
- * \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
- */
-
-#include "suricata-common.h"
-#include "conf.h"
-#include "detect.h"
-#include "detect-parse.h"
-#include "detect-engine.h"
-#include "detect-engine-content-inspection.h"
-#include "detect-rfb-sectype.h"
-#include "detect-engine-uint.h"
-#include "app-layer-parser.h"
-#include "util-byte.h"
-
-#include "rust-bindings.h"
-
-
-static int DetectRfbSectypeSetup (DetectEngineCtx *, Signature *s, const char *str);
-static void DetectRfbSectypeFree(DetectEngineCtx *, void *);
-static int g_rfb_sectype_buffer_id = 0;
-
-static int DetectRfbSectypeMatch (DetectEngineThreadCtx *, Flow *,
- uint8_t, void *, void *, const Signature *,
- const SigMatchCtx *);
-
-/**
- * \brief Registration function for rfb.sectype keyword.
- */
-void DetectRfbSectypeRegister (void)
-{
- sigmatch_table[DETECT_AL_RFB_SECTYPE].name = "rfb.sectype";
- sigmatch_table[DETECT_AL_RFB_SECTYPE].desc = "match RFB security type";
- sigmatch_table[DETECT_AL_RFB_SECTYPE].url = "/rules/rfb-keywords.html#rfb-sectype";
- sigmatch_table[DETECT_AL_RFB_SECTYPE].AppLayerTxMatch = DetectRfbSectypeMatch;
- sigmatch_table[DETECT_AL_RFB_SECTYPE].Setup = DetectRfbSectypeSetup;
- sigmatch_table[DETECT_AL_RFB_SECTYPE].Free = DetectRfbSectypeFree;
-
- DetectAppLayerInspectEngineRegister(
- "rfb.sectype", ALPROTO_RFB, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL);
-
- g_rfb_sectype_buffer_id = DetectBufferTypeGetByName("rfb.sectype");
-}
-
-/**
- * \internal
- * \brief Function to match security type of a RFB TX
- *
- * \param det_ctx Pointer to the pattern matcher thread.
- * \param f Pointer to the current flow.
- * \param flags Flags.
- * \param state App layer state.
- * \param txv Pointer to the RFBTransaction.
- * \param s Pointer to the Signature.
- * \param ctx Pointer to the sigmatch that we will cast into DetectU32Data.
- *
- * \retval 0 no match.
- * \retval 1 match.
- */
-static int DetectRfbSectypeMatch (DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state,
- void *txv, const Signature *s,
- const SigMatchCtx *ctx)
-{
- SCEnter();
-
- const DetectU32Data *dd = (const DetectU32Data *)ctx;
- uint32_t version;
- rs_rfb_tx_get_sectype(txv, &version);
- if (DetectU32Match(version, dd))
- SCReturnInt(1);
- SCReturnInt(0);
-}
-
-/**
- * \brief Function to add the parsed RFB security type field into the current signature.
- *
- * \param de_ctx Pointer to the Detection Engine Context.
- * \param s Pointer to the Current Signature.
- * \param rawstr Pointer to the user provided flags options.
- *
- * \retval 0 on Success.
- * \retval -1 on Failure.
- */
-static int DetectRfbSectypeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
-{
- if (DetectSignatureSetAppProto(s, ALPROTO_RFB) != 0)
- return -1;
-
- DetectU32Data *dd = DetectU32Parse(rawstr);
- if (dd == NULL) {
- SCLogError("Parsing \'%s\' failed", rawstr);
- return -1;
- }
-
- /* okay so far so good, lets get this into a SigMatch
- * and put it in the Signature. */
-
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_RFB_SECTYPE, (SigMatchCtx *)dd,
- g_rfb_sectype_buffer_id) == NULL) {
- goto error;
- }
- return 0;
-
-error:
- DetectRfbSectypeFree(de_ctx, dd);
- return -1;
-}
-
-/**
- * \internal
- * \brief Function to free memory associated with DetectU32Data.
- *
- * \param de_ptr Pointer to DetectU32Data.
- */
-static void DetectRfbSectypeFree(DetectEngineCtx *de_ctx, void *ptr)
-{
- rs_detect_u32_free(ptr);
-}
+++ /dev/null
-/* Copyright (C) 2020 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Sascha Steinbiss <sascha.steinbiss@dcso.de>
- */
-
-#ifndef SURICATA_DETECT_RFB_SECTYPE_H
-#define SURICATA_DETECT_RFB_SECTYPE_H
-
-void DetectRfbSectypeRegister(void);
-
-#endif /* SURICATA_DETECT_RFB_SECTYPE_H */
projects / thirdparty / suricata.git / commitdiff
