/**
* \brief parse the options from the 'krb5_err_code' keyword in the rule into
* the Signature data structure.
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param krb5str pointer to the user provided options
*
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectKrb5ErrCodeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *krb5str)
{
DetectKrb5ErrCodeData *krb5d = NULL;
SigMatch *sm = NULL;
if (DetectSignatureSetAppProto(s, ALPROTO_KRB5) != 0)
return -1;
krb5d = DetectKrb5ErrCodeParse(krb5str);
if (krb5d == NULL)
goto error;
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_AL_KRB5_ERRCODE;
sm->ctx = (void *)krb5d;
s->flags |= SIG_FLAG_STATE_MATCH;
SigMatchAppendSMToList(s, sm, g_krb5_err_code_list_id);
return 0;
error:
if (krb5d != NULL)
DetectKrb5ErrCodeFree(krb5d);
if (sm != NULL)
SCFree(sm);
return -1;
}
/**
* \brief parse the options from the 'ftpcommand' keyword in the rule into
* the Signature data structure.
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param ftpcommandstr pointer to the user provided ftpcommand options
*
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectFtpdataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *ftpcommandstr)
{
DetectFtpdataData *ftpcommandd = NULL;
SigMatch *sm = NULL;
if (DetectSignatureSetAppProto(s, ALPROTO_FTPDATA) != 0)
return -1;
ftpcommandd = DetectFtpdataParse(ftpcommandstr);
if (ftpcommandd == NULL)
goto error;
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_FTPDATA;
sm->ctx = (void *)ftpcommandd;
SigMatchAppendSMToList(s, sm, g_ftpdata_buffer_id);
return 0;
error:
if (ftpcommandd != NULL)
DetectFtpdataFree(ftpcommandd);
if (sm != NULL)
SCFree(sm);
return -1;
}
/**
* \brief this function is used to add the parsed "id" option
* \brief into the current signature
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param idstr pointer to the user provided "id" option
*
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
DetectSshVersionData *ssh = NULL;
SigMatch *sm = NULL;
if (DetectSignatureSetAppProto(s, ALPROTO_SSH) != 0)
return -1;
ssh = DetectSshVersionParse(str);
if (ssh == NULL)
goto error;
/* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_AL_SSH_PROTOVERSION;
sm->ctx = (void *)ssh;
SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
return 0;
error:
if (ssh != NULL)
DetectSshVersionFree(ssh);
if (sm != NULL)
SCFree(sm);
return -1;
}
/**
* \brief this function is used to add the parsed ftpbounce
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param m pointer to the Current SigMatch
* \param ftpbouncestr pointer to the user provided ftpbounce options
* currently there are no options.
*
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *ftpbouncestr)
{
SCEnter();
SigMatch *sm = NULL;
if (DetectSignatureSetAppProto(s, ALPROTO_FTP) != 0)
return -1;
sm = SigMatchAlloc();
if (sm == NULL) {
return -1;
}
sm->type = DETECT_FTPBOUNCE;
/* We don't need to allocate any data for ftpbounce here.
*
* TODO: As a suggestion, maybe we can add a flag in the flow
* to set the stream as "bounce detected" for fast Match.
* When you do a ftp bounce attack you usually use the same
* communication control stream to "setup" various destinations
* whithout breaking the connection, so I guess we can make it a bit faster
* with a flow flag set lookup in the Match function.
*/
sm->ctx = NULL;
SigMatchAppendSMToList(s, sm, g_ftp_request_list_id);
SCReturnInt(0);
}
/**
* \brief Function to add the parsed tls validity field into the current signature.
*
* \param de_ctx Pointer to the Detection Engine Context.
* \param s Pointer to the Current Signature.
* \param rawstr Pointer to the user provided flags options.
* \param type Defines if this is notBefore or notAfter.
*
* \retval 0 on Success.
* \retval -1 on Failure.
*/
static int DetectNfsVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
const char *rawstr)
{
DetectNfsVersionData *dd = NULL;
SigMatch *sm = NULL;
SCLogDebug("\'%s\'", rawstr);
if (DetectSignatureSetAppProto(s, ALPROTO_NFS) != 0)
return -1;
dd = DetectNfsVersionParse(rawstr);
if (dd == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
goto error;
}
/* okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_AL_NFS_VERSION;
sm->ctx = (void *)dd;
SCLogDebug("low %u hi %u", dd->lo, dd->hi);
SigMatchAppendSMToList(s, sm, g_nfs_request_buffer_id);
return 0;
error:
DetectNfsVersionFree(dd);
return -1;
}
/**
* \brief this function is used to add the parsed "fingerprint" option
* \brief into the current signature
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param id pointer to the user provided "fingerprint" option
*
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
DetectTlsData *tls = NULL;
SigMatch *sm = NULL;
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
tls = DetectTlsFingerprintParse(str, s->init_data->negated);
if (tls == NULL)
goto error;
/* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_AL_TLS_FINGERPRINT;
sm->ctx = (void *)tls;
SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
return 0;
error:
if (tls != NULL)
DetectTlsFingerprintFree(tls);
if (sm != NULL)
SCFree(sm);
return -1;
}
/**
* \brief this function setup the http.header.raw keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
* \param str Should hold an empty string always
*
* \retval 0 On success
*/
static int DetectHttpRawHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
if (DetectBufferSetActiveList(s, g_http_raw_header_buffer_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
return -1;
return 0;
}
static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
if (DetectBufferSetActiveList(s, g_dns_query_buffer_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0)
return -1;
return 0;
}
static int DetectSmbNamedPipeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
if (DetectBufferSetActiveList(s, g_smb_named_pipe_buffer_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_SMB) < 0)
return -1;
return 0;
}
static int DetectHttpStartSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
if (DetectBufferSetActiveList(s, g_buffer_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
return -1;
return 0;
}
/**
* \brief this function is used to add the parsed "store" option
* \brief into the current signature
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param idstr pointer to the user provided "store" option
*
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectTlsStoreSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
SigMatch *sm = NULL;
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
sm = SigMatchAlloc();
if (sm == NULL)
return -1;
sm->type = DETECT_AL_TLS_STORE;
s->flags |= SIG_FLAG_TLSSTORE;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
return 0;
}
static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
{
SigMatch *sm = NULL;
SigMatch *prev_pm = NULL;
DetectBytejumpData *data = NULL;
char *offset = NULL;
int ret = -1;
data = DetectBytejumpParse(optstr, &offset);
if (data == NULL)
goto error;
int sm_list;
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
sm_list = s->init_data->list;
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
} else if (data->flags & DETECT_BYTEJUMP_DCE) {
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
sm_list = SigMatchListSMBelongsTo(s, prev_pm);
if (sm_list < 0)
goto error;
}
} else {
sm_list = DETECT_SM_LIST_PMATCH;
}
if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
goto error;
} else if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
sm_list = SigMatchListSMBelongsTo(s, prev_pm);
if (sm_list < 0)
goto error;
}
} else {
sm_list = DETECT_SM_LIST_PMATCH;
}
if (data->flags & DETECT_BYTEJUMP_DCE) {
if ((data->flags & DETECT_BYTEJUMP_STRING) ||
(data->flags & DETECT_BYTEJUMP_LITTLE) ||
(data->flags & DETECT_BYTEJUMP_BIG) ||
(data->flags & DETECT_BYTEJUMP_BEGIN) ||
(data->base == DETECT_BYTEJUMP_BASE_DEC) ||
(data->base == DETECT_BYTEJUMP_BASE_HEX) ||
(data->base == DETECT_BYTEJUMP_BASE_OCT) ) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
"A byte_jump keyword with dce holds other invalid modifiers.");
goto error;
}
}
if (offset != NULL) {
SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s);
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in byte_jump - %s\n", offset);
goto error;
}
data->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
data->flags |= DETECT_BYTEJUMP_OFFSET_BE;
SCFree(offset);
}
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_BYTEJUMP;
sm->ctx = (SigMatchCtx *)data;
SigMatchAppendSMToList(s, sm, sm_list);
if (!(data->flags & DETECT_BYTEJUMP_RELATIVE))
goto okay;
if (prev_pm == NULL)
goto okay;
if (prev_pm->type == DETECT_CONTENT) {
DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else if (prev_pm->type == DETECT_PCRE) {
DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
okay:
ret = 0;
return ret;
error:
DetectBytejumpFree(data);
return ret;
}
