/** * \brief parse the options from the 'krb5_err_code' keyword in the rule into * the Signature data structure. * * \param de_ctx pointer to the Detection Engine Context * \param s pointer to the Current Signature * \param krb5str pointer to the user provided options * * \retval 0 on Success * \retval -1 on Failure */ static int DetectKrb5ErrCodeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *krb5str) { DetectKrb5ErrCodeData *krb5d = NULL; SigMatch *sm = NULL; if (DetectSignatureSetAppProto(s, ALPROTO_KRB5) != 0) return -1; krb5d = DetectKrb5ErrCodeParse(krb5str); if (krb5d == NULL) goto error; sm = SigMatchAlloc(); if (sm == NULL) goto error; sm->type = DETECT_AL_KRB5_ERRCODE; sm->ctx = (void *)krb5d; s->flags |= SIG_FLAG_STATE_MATCH; SigMatchAppendSMToList(s, sm, g_krb5_err_code_list_id); return 0; error: if (krb5d != NULL) DetectKrb5ErrCodeFree(krb5d); if (sm != NULL) SCFree(sm); return -1; }
/** * \brief parse the options from the 'ftpcommand' keyword in the rule into * the Signature data structure. * * \param de_ctx pointer to the Detection Engine Context * \param s pointer to the Current Signature * \param ftpcommandstr pointer to the user provided ftpcommand options * * \retval 0 on Success * \retval -1 on Failure */ static int DetectFtpdataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *ftpcommandstr) { DetectFtpdataData *ftpcommandd = NULL; SigMatch *sm = NULL; if (DetectSignatureSetAppProto(s, ALPROTO_FTPDATA) != 0) return -1; ftpcommandd = DetectFtpdataParse(ftpcommandstr); if (ftpcommandd == NULL) goto error; sm = SigMatchAlloc(); if (sm == NULL) goto error; sm->type = DETECT_FTPDATA; sm->ctx = (void *)ftpcommandd; SigMatchAppendSMToList(s, sm, g_ftpdata_buffer_id); return 0; error: if (ftpcommandd != NULL) DetectFtpdataFree(ftpcommandd); if (sm != NULL) SCFree(sm); return -1; }
/** * \brief this function is used to add the parsed "id" option * \brief into the current signature * * \param de_ctx pointer to the Detection Engine Context * \param s pointer to the Current Signature * \param idstr pointer to the user provided "id" option * * \retval 0 on Success * \retval -1 on Failure */ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str) { DetectSshVersionData *ssh = NULL; SigMatch *sm = NULL; if (DetectSignatureSetAppProto(s, ALPROTO_SSH) != 0) return -1; ssh = DetectSshVersionParse(str); if (ssh == NULL) goto error; /* Okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ sm = SigMatchAlloc(); if (sm == NULL) goto error; sm->type = DETECT_AL_SSH_PROTOVERSION; sm->ctx = (void *)ssh; SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id); return 0; error: if (ssh != NULL) DetectSshVersionFree(ssh); if (sm != NULL) SCFree(sm); return -1; }
/** * \brief this function is used to add the parsed ftpbounce * * \param de_ctx pointer to the Detection Engine Context * \param s pointer to the Current Signature * \param m pointer to the Current SigMatch * \param ftpbouncestr pointer to the user provided ftpbounce options * currently there are no options. * * \retval 0 on Success * \retval -1 on Failure */ int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *ftpbouncestr) { SCEnter(); SigMatch *sm = NULL; if (DetectSignatureSetAppProto(s, ALPROTO_FTP) != 0) return -1; sm = SigMatchAlloc(); if (sm == NULL) { return -1; } sm->type = DETECT_FTPBOUNCE; /* We don't need to allocate any data for ftpbounce here. * * TODO: As a suggestion, maybe we can add a flag in the flow * to set the stream as "bounce detected" for fast Match. * When you do a ftp bounce attack you usually use the same * communication control stream to "setup" various destinations * whithout breaking the connection, so I guess we can make it a bit faster * with a flow flag set lookup in the Match function. */ sm->ctx = NULL; SigMatchAppendSMToList(s, sm, g_ftp_request_list_id); SCReturnInt(0); }
/** * \brief Function to add the parsed tls validity field into the current signature. * * \param de_ctx Pointer to the Detection Engine Context. * \param s Pointer to the Current Signature. * \param rawstr Pointer to the user provided flags options. * \param type Defines if this is notBefore or notAfter. * * \retval 0 on Success. * \retval -1 on Failure. */ static int DetectNfsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) { DetectNfsVersionData *dd = NULL; SigMatch *sm = NULL; SCLogDebug("\'%s\'", rawstr); if (DetectSignatureSetAppProto(s, ALPROTO_NFS) != 0) return -1; dd = DetectNfsVersionParse(rawstr); if (dd == NULL) { SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr); goto error; } /* okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ sm = SigMatchAlloc(); if (sm == NULL) goto error; sm->type = DETECT_AL_NFS_VERSION; sm->ctx = (void *)dd; SCLogDebug("low %u hi %u", dd->lo, dd->hi); SigMatchAppendSMToList(s, sm, g_nfs_request_buffer_id); return 0; error: DetectNfsVersionFree(dd); return -1; }
/** * \brief this function is used to add the parsed "fingerprint" option * \brief into the current signature * * \param de_ctx pointer to the Detection Engine Context * \param s pointer to the Current Signature * \param id pointer to the user provided "fingerprint" option * * \retval 0 on Success * \retval -1 on Failure */ static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str) { DetectTlsData *tls = NULL; SigMatch *sm = NULL; if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) return -1; tls = DetectTlsFingerprintParse(str, s->init_data->negated); if (tls == NULL) goto error; /* Okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ sm = SigMatchAlloc(); if (sm == NULL) goto error; sm->type = DETECT_AL_TLS_FINGERPRINT; sm->ctx = (void *)tls; SigMatchAppendSMToList(s, sm, g_tls_cert_list_id); return 0; error: if (tls != NULL) DetectTlsFingerprintFree(tls); if (sm != NULL) SCFree(sm); return -1; }
/** * \brief this function setup the http.header.raw keyword used in the rule * * \param de_ctx Pointer to the Detection Engine Context * \param s Pointer to the Signature to which the current keyword belongs * \param str Should hold an empty string always * * \retval 0 On success */ static int DetectHttpRawHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str) { if (DetectBufferSetActiveList(s, g_http_raw_header_buffer_id) < 0) return -1; if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0) return -1; return 0; }
static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) { if (DetectBufferSetActiveList(s, g_dns_query_buffer_id) < 0) return -1; if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0) return -1; return 0; }
static int DetectSmbNamedPipeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { if (DetectBufferSetActiveList(s, g_smb_named_pipe_buffer_id) < 0) return -1; if (DetectSignatureSetAppProto(s, ALPROTO_SMB) < 0) return -1; return 0; }
static int DetectHttpStartSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { if (DetectBufferSetActiveList(s, g_buffer_id) < 0) return -1; if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0) return -1; return 0; }
/** * \brief this function is used to add the parsed "store" option * \brief into the current signature * * \param de_ctx pointer to the Detection Engine Context * \param s pointer to the Current Signature * \param idstr pointer to the user provided "store" option * * \retval 0 on Success * \retval -1 on Failure */ static int DetectTlsStoreSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str) { SigMatch *sm = NULL; if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) return -1; sm = SigMatchAlloc(); if (sm == NULL) return -1; sm->type = DETECT_AL_TLS_STORE; s->flags |= SIG_FLAG_TLSSTORE; SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH); return 0; }
static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr) { SigMatch *sm = NULL; SigMatch *prev_pm = NULL; DetectBytejumpData *data = NULL; char *offset = NULL; int ret = -1; data = DetectBytejumpParse(optstr, &offset); if (data == NULL) goto error; int sm_list; if (s->init_data->list != DETECT_SM_LIST_NOTSET) { sm_list = s->init_data->list; if (data->flags & DETECT_BYTEJUMP_RELATIVE) { prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1); } } else if (data->flags & DETECT_BYTEJUMP_DCE) { if (data->flags & DETECT_BYTEJUMP_RELATIVE) { prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, DETECT_ISDATAAT, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { sm_list = SigMatchListSMBelongsTo(s, prev_pm); if (sm_list < 0) goto error; } } else { sm_list = DETECT_SM_LIST_PMATCH; } if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0) goto error; } else if (data->flags & DETECT_BYTEJUMP_RELATIVE) { prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, DETECT_ISDATAAT, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { sm_list = SigMatchListSMBelongsTo(s, prev_pm); if (sm_list < 0) goto error; } } else { sm_list = DETECT_SM_LIST_PMATCH; } if (data->flags & DETECT_BYTEJUMP_DCE) { if ((data->flags & DETECT_BYTEJUMP_STRING) || (data->flags & DETECT_BYTEJUMP_LITTLE) || (data->flags & DETECT_BYTEJUMP_BIG) || (data->flags & DETECT_BYTEJUMP_BEGIN) || (data->base == DETECT_BYTEJUMP_BASE_DEC) || (data->base == DETECT_BYTEJUMP_BASE_HEX) || (data->base == DETECT_BYTEJUMP_BASE_OCT) ) { SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " "A byte_jump keyword with dce holds other invalid modifiers."); goto error; } } if (offset != NULL) { SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s); if (bed_sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " "seen in byte_jump - %s\n", offset); goto error; } data->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; data->flags |= DETECT_BYTEJUMP_OFFSET_BE; SCFree(offset); } sm = SigMatchAlloc(); if (sm == NULL) goto error; sm->type = DETECT_BYTEJUMP; sm->ctx = (SigMatchCtx *)data; SigMatchAppendSMToList(s, sm, sm_list); if (!(data->flags & DETECT_BYTEJUMP_RELATIVE)) goto okay; if (prev_pm == NULL) goto okay; if (prev_pm->type == DETECT_CONTENT) { DetectContentData *cd = (DetectContentData *)prev_pm->ctx; cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; } else if (prev_pm->type == DETECT_PCRE) { DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx; pd->flags |= DETECT_PCRE_RELATIVE_NEXT; } okay: ret = 0; return ret; error: DetectBytejumpFree(data); return ret; }