detect: helper to have pure rust keywords

Only implemented for snmp.version and mqtt.password
But should be implemented for more

rust/src/mqtt/detect.rs

@@ -168,23 +168,23 @@ pub unsafe extern "C" fn rs_mqtt_tx_get_connect_username(
 
 #[no_mangle]
 pub unsafe extern "C" fn rs_mqtt_tx_get_connect_password(
-    tx: &MQTTTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
-) -> u8 {
+    tx: &MQTTTransaction, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32,
+) -> bool {
     for msg in tx.msg.iter() {
         if let MQTTOperation::CONNECT(ref cv) = msg.op {
             if let Some(p) = &cv.password {
                 if !p.is_empty() {
                     *buffer = p.as_ptr();
                     *buffer_len = p.len() as u32;
-                    return 1;
+                    return true;
                 }
             }
         }
     }
 
     *buffer = ptr::null();
     *buffer_len = 0;
-    return 0;
+    return false;
 }
 
 #[no_mangle]

src/Makefile.am

@@ -137,6 +137,7 @@ noinst_HEADERS = \
 	detect-engine-file.h \
 	detect-engine-frame.h \
 	detect-engine.h \
+	detect-engine-helper.h \
 	detect-engine-iponly.h \
 	detect-engine-loader.h \
 	detect-engine-mpm.h \
@@ -741,6 +742,7 @@ libsuricata_c_a_SOURCES = \
 	detect-engine-event.c \
 	detect-engine-file.c \
 	detect-engine-frame.c \
+	detect-engine-helper.c \
 	detect-engine-iponly.c \
 	detect-engine-loader.c \
 	detect-engine-mpm.c \

src/detect-engine-helper.c

@@ -0,0 +1,110 @@
+/* Copyright (C) 2023 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Philippe Antoine <[email protected]>
+ *
+ */
+
+#include "suricata-common.h"
+#include "detect-engine.h"
+#include "detect-engine-helper.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-prefilter.h"
+#include "detect-parse.h"
+
+int DetectHelperBufferRegister(const char *name, AppProto alproto, bool toclient, bool toserver)
+{
+    if (toserver) {
+        DetectAppLayerInspectEngineRegister2(
+                name, alproto, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL);
+    }
+    if (toclient) {
+        DetectAppLayerInspectEngineRegister2(
+                name, alproto, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectGenericList, NULL);
+    }
+    return DetectBufferTypeRegister(name);
+}
+
+InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
+        const int list_id,
+        bool (*GetBuf)(void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len))
+{
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+    if (buffer->inspect == NULL) {
+        const uint8_t *b = NULL;
+        uint32_t b_len = 0;
+
+        if (!GetBuf(txv, flow_flags, &b, &b_len))
+            return NULL;
+
+        InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+    return buffer;
+}
+
+int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto,
+        bool toclient, bool toserver, InspectionBufferGetDataPtr GetData)
+{
+    if (toserver) {
+        DetectAppLayerInspectEngineRegister2(
+                name, alproto, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetData);
+        DetectAppLayerMpmRegister2(
+                name, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, alproto, 0);
+    }
+    if (toclient) {
+        DetectAppLayerInspectEngineRegister2(
+                name, alproto, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectBufferGeneric, GetData);
+        DetectAppLayerMpmRegister2(
+                name, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, GetData, alproto, 0);
+    }
+    DetectBufferTypeSetDescriptionByName(name, desc);
+    return DetectBufferTypeGetByName(name);
+}
+
+int DetectHelperKeywordRegister(const SCPluginSigTableElmt *kw)
+{
+    if (DETECT_TBLSIZE_IDX < DETECT_TBLSIZE) {
+        sigmatch_table[DETECT_TBLSIZE_IDX].name = kw->name;
+        sigmatch_table[DETECT_TBLSIZE_IDX].desc = kw->desc;
+        sigmatch_table[DETECT_TBLSIZE_IDX].flags = kw->flags;
+        sigmatch_table[DETECT_TBLSIZE_IDX].AppLayerTxMatch = kw->AppLayerTxMatch;
+        sigmatch_table[DETECT_TBLSIZE_IDX].Setup = kw->Setup;
+        sigmatch_table[DETECT_TBLSIZE_IDX].Free = kw->Free;
+        DETECT_TBLSIZE_IDX++;
+        return DETECT_TBLSIZE_IDX - 1;
+    }
+    return -1;
+}
+
+int DetectHelperKeywordSetup(DetectEngineCtx *de_ctx, AppProto alproto, uint16_t kw_id, int buf_id,
+        Signature *s, void *ctx)
+{
+    if (DetectSignatureSetAppProto(s, alproto) != 0)
+        return -1;
+
+    /* okay so far so good, lets get this into a SigMatch
+     * and put it in the Signature. */
+    if (SigMatchAppendSMToList(de_ctx, s, kw_id, (SigMatchCtx *)ctx, buf_id) == NULL) {
+        return -1;
+    }
+    return 0;
+}

src/detect-engine-helper.h

@@ -0,0 +1,54 @@
+/* Copyright (C) 2023 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Philippe Antoine <[email protected]>
+ */
+
+#ifndef __DETECT_ENGINE_HELPER_H
+#define __DETECT_ENGINE_HELPER_H
+
+#include "app-layer-protos.h"
+#include "detect.h"
+
+// Structure for keyword dynamic registration by plugin
+typedef struct SCPluginSigTableElmt {
+    const char *name;
+    const char *desc;
+    uint16_t flags;
+    int (*Setup)(DetectEngineCtx *, Signature *, const char *);
+    void (*Free)(DetectEngineCtx *, void *);
+    int (*AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv,
+            const Signature *, const SigMatchCtx *);
+} SCPluginSigTableElmt;
+
+int DetectHelperKeywordRegister(const SCPluginSigTableElmt *kw);
+int DetectHelperBufferRegister(const char *name, AppProto alproto, bool toclient, bool toserver);
+
+typedef bool (*SimpleGetTxBuffer)(void *, uint8_t, const uint8_t **, uint32_t *);
+
+int DetectHelperKeywordSetup(DetectEngineCtx *de_ctx, AppProto alproto, uint16_t kw_id, int buf_id,
+        Signature *s, void *ctx);
+InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
+        const int list_id, SimpleGetTxBuffer GetBuf);
+int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto,
+        bool toclient, bool toserver, InspectionBufferGetDataPtr GetData);
+
+#endif /* __DETECT_ENGINE_HELPER_H */

src/detect-mqtt-connect-password.c

@@ -26,6 +26,7 @@
 #include "detect.h"
 #include "detect-parse.h"
 #include "detect-engine.h"
+#include "detect-engine-helper.h"
 #include "detect-engine-mpm.h"
 #include "detect-engine-prefilter.h"
 #include "detect-mqtt-connect-password.h"
@@ -49,24 +50,11 @@ static int DetectMQTTConnectPasswordSetup(DetectEngineCtx *de_ctx, Signature *s,
 }
 
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
-        const DetectEngineTransforms *transforms,
-        Flow *_f, const uint8_t _flow_flags,
-        void *txv, const int list_id)
+        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv,
+        const int list_id)
 {
-    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
-    if (buffer->inspect == NULL) {
-        const uint8_t *b = NULL;
-        uint32_t b_len = 0;
-
-        if (rs_mqtt_tx_get_connect_password(txv, &b, &b_len) != 1)
-            return NULL;
-        if (b == NULL || b_len == 0)
-            return NULL;
-
-        InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
-        InspectionBufferApplyTransforms(buffer, transforms);
-    }
-    return buffer;
+    return DetectHelperGetData(det_ctx, transforms, _f, flow_flags, txv, list_id,
+            (SimpleGetTxBuffer)rs_mqtt_tx_get_connect_password);
 }
 
 void DetectMQTTConnectPasswordRegister(void)
@@ -78,17 +66,8 @@ void DetectMQTTConnectPasswordRegister(void)
     sigmatch_table[DETECT_AL_MQTT_CONNECT_PASSWORD].Setup = DetectMQTTConnectPasswordSetup;
     sigmatch_table[DETECT_AL_MQTT_CONNECT_PASSWORD].flags |= SIGMATCH_NOOPT;
 
-    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_MQTT,
-            SIG_FLAG_TOSERVER, 0,
-            DetectEngineInspectBufferGeneric, GetData);
-
-    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
-            PrefilterGenericMpmRegister, GetData, ALPROTO_MQTT,
-	        1);
-
-    DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
-
-    g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+    g_buffer_id = DetectHelperBufferMpmRegister(
+            BUFFER_NAME, BUFFER_DESC, ALPROTO_MQTT, false, true, GetData);
 
     SCLogDebug("registering " BUFFER_NAME " rule option");
 }

src/detect-snmp-version.c

@@ -29,6 +29,7 @@
 #include "detect-engine-content-inspection.h"
 #include "detect-snmp-version.h"
 #include "detect-engine-uint.h"
+#include "detect-engine-helper.h"
 #include "app-layer-parser.h"
 #include "rust.h"
 
@@ -60,13 +61,7 @@ void DetectSNMPVersionRegister (void)
     sigmatch_table[DETECT_AL_SNMP_VERSION].RegisterTests = DetectSNMPVersionRegisterTests;
 #endif
 
-    DetectAppLayerInspectEngineRegister2("snmp.version", ALPROTO_SNMP, SIG_FLAG_TOSERVER, 0,
-            DetectEngineInspectGenericList, NULL);
-
-    DetectAppLayerInspectEngineRegister2("snmp.version", ALPROTO_SNMP, SIG_FLAG_TOCLIENT, 0,
-            DetectEngineInspectGenericList, NULL);
-
-    g_snmp_version_buffer_id = DetectBufferTypeGetByName("snmp.version");
+    g_snmp_version_buffer_id = DetectHelperBufferRegister("snmp.version", ALPROTO_SNMP, true, true);
 }
 
 /**
@@ -131,30 +126,18 @@ static DetectU32Data *DetectSNMPVersionParse(const char *rawstr)
 static int DetectSNMPVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
                                    const char *rawstr)
 {
-    DetectU32Data *dd = NULL;
-
-    if (DetectSignatureSetAppProto(s, ALPROTO_SNMP) != 0)
-        return -1;
-
-    dd = DetectSNMPVersionParse(rawstr);
+    DetectU32Data *dd = DetectSNMPVersionParse(rawstr);
     if (dd == NULL) {
         SCLogError("Parsing \'%s\' failed", rawstr);
-        goto error;
+        return -1;
     }
-
-    /* okay so far so good, lets get this into a SigMatch
-     * and put it in the Signature. */
-
-    SCLogDebug("snmp.version %d", dd->arg1);
-    if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_SNMP_VERSION, (SigMatchCtx *)dd,
-                g_snmp_version_buffer_id) == NULL) {
-        goto error;
+    if (DetectHelperKeywordSetup(de_ctx, ALPROTO_SNMP, DETECT_AL_SNMP_VERSION,
+                g_snmp_version_buffer_id, s, dd) < 0) {
+        DetectSNMPVersionFree(de_ctx, dd);
+        return -1;
     }
+    SCLogDebug("snmp.version %d", dd->arg1);
     return 0;
-
-error:
-    DetectSNMPVersionFree(de_ctx, dd);
-    return -1;
 }
 
 /**