From: Eric Leblond Date: Fri, 13 Jul 2012 13:46:02 +0000 (+0200) Subject: sig: add l3_proto keyword X-Git-Tag: suricata-1.4beta1~37 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=71b4257bc23840c8dabdf598cb8ce1a02a54b129;p=thirdparty%2Fsuricata.git sig: add l3_proto keyword This patch adds a l3_proto keyword to the signature language. It can be used to specify if the signature has to match on IPv4, IPv6 or both. For example, one can write: alert http any any -> any 22 (msg: "HTTP v6"; l3_proto:ip6; sid:14;) This should close #494.
---
diff --git a/src/Makefile.am b/src/Makefile.am
index 00f5cb3503..95c5226c0e 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -112,6 +112,7 @@ detect-rawbytes.c detect-rawbytes.h \
 detect-bytetest.c detect-bytetest.h \
 detect-bytejump.c detect-bytejump.h \
 detect-sameip.c detect-sameip.h \
+detect-l3proto.c detect-l3proto.h \
 detect-ipproto.c detect-ipproto.h \
 detect-within.c detect-within.h \
 detect-distance.c detect-distance.h \
diff --git a/src/detect-l3proto.c b/src/detect-l3proto.c
new file mode 100644
index 0000000000..0d710c028e
--- /dev/null
+++ b/src/detect-l3proto.c
@@ -0,0 +1,117 @@
+/* Copyright (C) 2012 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Eric Leblond
+ *
+ *
+ * Implements the l3_proto keyword
+ */
+
+#include "suricata-common.h"
+#include "debug.h"
+#include "decode.h"
+#include "detect.h"
+
+#include "detect-ipproto.h"
+
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+
+#include "detect-engine-siggroup.h"
+#include "detect-engine-address.h"
+
+#include "util-byte.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+
+#include "util-debug.h"
+
+static int DetectL3ProtoSetup(DetectEngineCtx *, Signature *, char *);
+
+void DetectL3ProtoRegister(void)
+{
+ sigmatch_table[DETECT_L3PROTO].name = "l3_proto";
+ sigmatch_table[DETECT_L3PROTO].Match = NULL;
+ sigmatch_table[DETECT_L3PROTO].Setup = DetectL3ProtoSetup;
+ sigmatch_table[DETECT_L3PROTO].Free = NULL;
+ sigmatch_table[DETECT_L3PROTO].RegisterTests = NULL;
+
+ return;
+}
+/**
+ * \internal
+ * \brief Setup l3_proto keyword.
+ *
+ * \param de_ctx Detection engine context
+ * \param s Signature
+ * \param optstr Options string
+ *
+ * \return Non-zero on error
+ */
+static int DetectL3ProtoSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
+{
+ char *str = optstr;
+ char dubbed = 0;
+
+ /* strip "'s */
+ if (optstr[0] == '\"' && optstr[strlen(optstr) - 1] == '\"') {
+ str = SCStrdup(optstr + 1);
+ if (str == NULL)
+ goto error;
+ str[strlen(optstr) - 2] = '\0';
+ dubbed = 1;
+ }
+
+ /* reset possible any value */
+ if (s->proto.flags & DETECT_PROTO_ANY) {
+ s->proto.flags &= ~DETECT_PROTO_ANY;
+ }
+
+ /* authorized value, ip, any, ip4, ipv4, ip6, ipv6 */
+ if (strcasecmp(str,"ipv4") == 0 ||
+ strcasecmp(str,"ip4") == 0 ) {
+ if (s->proto.flags & DETECT_PROTO_IPV6) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Conflicting l3 proto specified");
+ goto error;
+ }
+ s->proto.flags |= DETECT_PROTO_IPV4;
+ SCLogDebug("IPv4 protocol detected");
+ } else if (strcasecmp(str,"ipv6") == 0 ||
+ strcasecmp(str,"ip6") == 0 ) {
+ if (s->proto.flags & DETECT_PROTO_IPV6) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Conflicting l3 proto specified");
+ goto error;
+ }
+ s->proto.flags |= DETECT_PROTO_IPV6;
+ SCLogDebug("IPv6 protocol detected");
+ } else {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid l3 proto: \"%s\"", str);
+ goto error;
+ }
+
+ if (dubbed)
+ SCFree(str);
+ return 0;
+error:
+ if (dubbed)
+ SCFree(str);
+ return -1;
+}
diff --git a/src/detect-l3proto.h b/src/detect-l3proto.h
new file mode 100644
index 0000000000..447cd95d09
--- /dev/null
+++ b/src/detect-l3proto.h
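Review bot: The conflict check in the IPv6 branch of DetectL3ProtoSetup tests the wrong flag: `if (s->proto.flags & DETECT_PROTO_IPV6)` should read `if (s->proto.flags & DETECT_PROTO_IPV4)`, otherwise a rule carrying `l3_proto:ip4; l3_proto:ip6;` is accepted with both flags set, while the reverse order is correctly rejected by the IPv4 branch. The quote-stripping at the top also misbehaves on a lone `"` as the option value: both halves of the condition pass with strlen 1, and `str[strlen(optstr) - 2]` then indexes with a wrapped size_t, effectively writing one byte before the SCStrdup buffer; guarding with `if (strlen(optstr) >= 2 && optstr[0] == '\"' && optstr[strlen(optstr) - 1] == '\"') {` avoids it. The comment `/* authorized value, ip, any, ip4, ipv4, ip6, ipv6 */` lists `ip` and `any`, but the else branch rejects them, so either drop them from the comment or handle them explicitly. The function never uses `de_ctx`, which is presumably fine for a Setup callback signature but may warrant a `(void)de_ctx;` if unused-parameter warnings are enabled.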
@@ -0,0 +1,33 @@
+/* Copyright (C) 2012 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Eric Leblond
+ *
+ */
+
+#ifndef __DETECT_L3PROTO_H__
+#define __DETECT_L3PROTO_H__
+
+/**
+ * \brief Registration function for ip_proto keyword.
+ */
+void DetectL3ProtoRegister (void);
+
+#endif /* __DETECT_L3PROTO_H__ */
diff --git a/src/detect.c b/src/detect.c
index 224f325a9e..1bc1f665d0 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -72,6 +72,7 @@
 #include "detect-bytetest.h"
 #include "detect-bytejump.h"
 #include "detect-sameip.h"
+#include "detect-l3proto.h"
 #include "detect-ipproto.h"
 #include "detect-within.h"
 #include "detect-distance.h"
@@ -4726,6 +4727,7 @@ void SigTableSetup(void) {
 DetectBytetestRegister();
 DetectBytejumpRegister();
 DetectSameipRegister();
+ DetectL3ProtoRegister();
 DetectIPProtoRegister();
 DetectWithinRegister();
 DetectDistanceRegister();
diff --git a/src/detect.h b/src/detect.h
index 2c883f7bf3..fac30bd7a4 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -1051,6 +1051,8 @@ enum {
 DETECT_FILEMD5,
 DETECT_FILESIZE,
 
+ DETECT_L3PROTO,
+
 /* make sure this stays last */
 DETECT_TBLSIZE,
 };
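Review bot: The doc comment on the declaration of DetectL3ProtoRegister in detect-l3proto.h reads `\brief Registration function for ip_proto keyword.`, which looks copied from detect-ipproto.h; it should say `\brief Registration function for the l3_proto keyword.` so the header documents the keyword it actually registers. The file-level `\file` block could also carry the one-line purpose the .c file has (`Implements the l3_proto keyword`), since right now the header says nothing about what it declares. As a point of style, the declaration writes `DetectL3ProtoRegister (void);` with a space before the parameter list while the definition in detect-l3proto.c writes `DetectL3ProtoRegister(void)`; matching the two is trivial and keeps grep results consistent.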