From fbfee2b344f189b1416f9aaf5f9424fafdbd38b6 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 7 May 2024 10:17:33 +0200 Subject: [PATCH 1/7] tests: do not bother to free a null pointer --- src/detect-icode.c | 2 -- src/detect-itype.c | 1 - 2 files changed, 3 deletions(-) diff --git a/src/detect-icode.c b/src/detect-icode.c index 33d5beea4ebf..ab56553cc0c6 100644 --- a/src/detect-icode.c +++ b/src/detect-icode.c @@ -311,7 +311,6 @@ static int DetectICodeParseTest08(void) DetectU8Data *icd = DetectU8Parse("> 8 <> 20"); FAIL_IF_NOT_NULL(icd); - DetectICodeFree(NULL, icd); PASS; } @@ -324,7 +323,6 @@ static int DetectICodeParseTest09(void) DetectU8Data *icd = DetectU8Parse("8<<20"); FAIL_IF_NOT_NULL(icd); - DetectICodeFree(NULL, icd); PASS; } diff --git a/src/detect-itype.c b/src/detect-itype.c index 8a9af908836b..237d0548e6f1 100644 --- a/src/detect-itype.c +++ b/src/detect-itype.c @@ -334,7 +334,6 @@ static int DetectITypeParseTest08(void) DetectU8Data *itd = NULL; itd = DetectITypeParse(NULL, "> 8 <> 20"); FAIL_IF_NOT_NULL(itd); - DetectITypeFree(NULL, itd); PASS; } From ce982b18b32bd9a7acc5de5cc60f9aa779701c57 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 7 May 2024 10:18:14 +0200 Subject: [PATCH 2/7] rust: return empty slice without using from_raw_parts As this triggers rustc 1.78 unsafe precondition(s) violated: slice::from_raw_parts requires the pointer to be aligned and non-null, and the total size of the slice not to exceed `isize::MAX` --- rust/src/applayer.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rust/src/applayer.rs b/rust/src/applayer.rs index 522143fb6d0e..dbf4b2cd2d4c 100644 --- a/rust/src/applayer.rs +++ b/rust/src/applayer.rs @@ -58,6 +58,9 @@ impl StreamSlice { self.input_len } pub fn as_slice(&self) -> &[u8] { + if self.input.is_null() && self.input_len == 0 { + return &[]; + } unsafe { std::slice::from_raw_parts(self.input, self.input_len as usize) } } pub fn is_empty(&self) -> bool { 
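Review bot: The new guard in `as_slice` only covers the null-and-zero-length pair, so a `StreamSlice` whose `input` is null but whose `input_len` is non-zero still reaches `std::slice::from_raw_parts` with a null pointer, the exact precondition the commit message says rustc 1.78 now checks. No byte can be read through a null pointer whatever the length says, so returning early on null alone and asserting the length is the safer shape: `if self.input.is_null() { debug_assert!(self.input_len == 0); return &[]; }`. Whether a caller can actually build a null/non-zero pair is not visible here; the constructor of `StreamSlice` is outside the hunk.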
From bb70725ae216a16a8f6e4bcac13836e7a9567c70 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 7 May 2024 10:27:51 +0200 Subject: [PATCH 3/7] app-layer: do not probe a gap If the flow begins with a gap, do not try run probing parsers to recognize app-layer on it, as they have no data. --- src/app-layer-detect-proto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c index c47a437659fd..c5df63b0885a 100644 --- a/src/app-layer-detect-proto.c +++ b/src/app-layer-detect-proto.c @@ -1431,7 +1431,7 @@ AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f } } - if (!FLOW_IS_PP_DONE(f, flags)) { + if (!FLOW_IS_PP_DONE(f, flags) && buf != NULL) { bool rflow = false; alproto = AppLayerProtoDetectPPGetProto(f, buf, buflen, ipproto, flags, &rflow); if (AppProtoIsValid(alproto)) { From 964a38493f07696fd889f4907ee0dc2ff20e1d4b Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 30 Apr 2024 22:19:06 +0200 Subject: [PATCH 4/7] fuzz: build with dependencies on rust and c lib So that there is no need to remove the final binary, to recompile it if there has been changes in the code. --- src/Makefile.am | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/Makefile.am b/src/Makefile.am index ee334a4063d6..50aaebc4be58 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1327,6 +1327,7 @@ LDADD_FUZZ = libsuricata_c.a $(RUST_SURICATA_LIB) $(HTP_LDADD) $(RUST_LDADD) fuzz_applayerprotodetectgetproto_SOURCES = tests/fuzz/fuzz_applayerprotodetectgetproto.c fuzz_applayerprotodetectgetproto_LDFLAGS = $(LDFLAGS_FUZZ) fuzz_applayerprotodetectgetproto_LDADD = $(LDADD_FUZZ) +fuzz_applayerprotodetectgetproto_DEPENDENCIES = libsuricata_c.a $(RUST_SURICATA_LIB) if HAS_FUZZLDFLAGS fuzz_applayerprotodetectgetproto_LDFLAGS += $(LIB_FUZZING_ENGINE) else 
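Review bot: The added `buf != NULL` condition skips the probing-parser step without recording why, and a reader of `AppLayerProtoDetectGetProto` cannot tell from the condition alone that this is the flow-starts-with-a-gap case the commit message describes. A comment on that line would carry the intent: `/* a flow that starts with a gap has no data to probe; skip PP instead of handing NULL to the probing parsers */`. It is also not visible here whether a non-NULL `buf` with `buflen == 0` can reach this point; if it can, the guard may want `buflen > 0` as well. The function continues outside the hunk on both sides.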
@@ -1338,6 +1339,7 @@ nodist_EXTRA_fuzz_applayerprotodetectgetproto_SOURCES = force-cxx-linking.cxx fuzz_applayerparserparse_SOURCES = tests/fuzz/fuzz_applayerparserparse.c fuzz_applayerparserparse_LDFLAGS = $(LDFLAGS_FUZZ) fuzz_applayerparserparse_LDADD = $(LDADD_FUZZ) +fuzz_applayerparserparse_DEPENDENCIES = libsuricata_c.a $(RUST_SURICATA_LIB) if HAS_FUZZLDFLAGS fuzz_applayerparserparse_LDFLAGS += $(LIB_FUZZING_ENGINE) else @@ -1349,6 +1351,7 @@ nodist_EXTRA_fuzz_applayerparserparse_SOURCES = force-cxx-linking.cxx fuzz_siginit_SOURCES = tests/fuzz/fuzz_siginit.c fuzz_siginit_LDFLAGS = $(LDFLAGS_FUZZ) fuzz_siginit_LDADD = $(LDADD_FUZZ) +fuzz_siginit_DEPENDENCIES = libsuricata_c.a $(RUST_SURICATA_LIB) if HAS_FUZZLDFLAGS fuzz_siginit_LDFLAGS += $(LIB_FUZZING_ENGINE) else @@ -1360,6 +1363,7 @@ nodist_EXTRA_fuzz_siginit_SOURCES = force-cxx-linking.cxx fuzz_confyamlloadstring_SOURCES = tests/fuzz/fuzz_confyamlloadstring.c fuzz_confyamlloadstring_LDFLAGS = $(LDFLAGS_FUZZ) fuzz_confyamlloadstring_LDADD = $(LDADD_FUZZ) +fuzz_confyamlloadstring_DEPENDENCIES = libsuricata_c.a $(RUST_SURICATA_LIB) if HAS_FUZZLDFLAGS fuzz_confyamlloadstring_LDFLAGS += $(LIB_FUZZING_ENGINE) else @@ -1371,6 +1375,7 @@ nodist_EXTRA_fuzz_confyamlloadstring_SOURCES = force-cxx-linking.cxx fuzz_decodepcapfile_SOURCES = tests/fuzz/fuzz_decodepcapfile.c fuzz_decodepcapfile_LDFLAGS = $(LDFLAGS_FUZZ) fuzz_decodepcapfile_LDADD = $(LDADD_FUZZ) +fuzz_decodepcapfile_DEPENDENCIES = libsuricata_c.a $(RUST_SURICATA_LIB) if HAS_FUZZLDFLAGS fuzz_decodepcapfile_LDFLAGS += $(LIB_FUZZING_ENGINE) else @@ -1382,6 +1387,7 @@ nodist_EXTRA_fuzz_decodepcapfile_SOURCES = force-cxx-linking.cxx fuzz_sigpcap_SOURCES = tests/fuzz/fuzz_sigpcap.c fuzz_sigpcap_LDFLAGS = $(LDFLAGS_FUZZ) fuzz_sigpcap_LDADD = $(LDADD_FUZZ) +fuzz_sigpcap_DEPENDENCIES = libsuricata_c.a $(RUST_SURICATA_LIB) if HAS_FUZZLDFLAGS fuzz_sigpcap_LDFLAGS += $(LIB_FUZZING_ENGINE) else 
@@ -1394,6 +1400,7 @@ if HAS_FUZZPCAP fuzz_sigpcap_aware_SOURCES = tests/fuzz/fuzz_sigpcap_aware.c fuzz_sigpcap_aware_LDFLAGS = $(LDFLAGS_FUZZ) fuzz_sigpcap_aware_LDADD = $(LDADD_FUZZ) -lfuzzpcap +fuzz_sigpcap_aware_DEPENDENCIES = libsuricata_c.a $(RUST_SURICATA_LIB) if HAS_FUZZLDFLAGS fuzz_sigpcap_aware_LDFLAGS += $(LIB_FUZZING_ENGINE) else @@ -1405,6 +1412,7 @@ nodist_EXTRA_fuzz_sigpcap_aware_SOURCES = force-cxx-linking.cxx fuzz_predefpcap_aware_SOURCES = tests/fuzz/fuzz_predefpcap_aware.c fuzz_predefpcap_aware_LDFLAGS = $(LDFLAGS_FUZZ) fuzz_predefpcap_aware_LDADD = $(LDADD_FUZZ) -lfuzzpcap +fuzz_predefpcap_aware_DEPENDENCIES = libsuricata_c.a $(RUST_SURICATA_LIB) if HAS_FUZZLDFLAGS fuzz_predefpcap_aware_LDFLAGS += $(LIB_FUZZING_ENGINE) else @@ -1417,6 +1425,7 @@ endif fuzz_mimedecparseline_SOURCES = tests/fuzz/fuzz_mimedecparseline.c fuzz_mimedecparseline_LDFLAGS = $(LDFLAGS_FUZZ) fuzz_mimedecparseline_LDADD = $(LDADD_FUZZ) +fuzz_mimedecparseline_DEPENDENCIES = libsuricata_c.a $(RUST_SURICATA_LIB) if HAS_FUZZLDFLAGS fuzz_mimedecparseline_LDFLAGS += $(LIB_FUZZING_ENGINE) else From 57151704d98a6e22b8292ef3f4877447bd73e06b Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Fri, 26 Apr 2024 16:31:47 +0200 Subject: [PATCH 5/7] detect: helper to have pure rust keywords detect: make number of keywords dynamic Ticket: 4683 --- configure.ac | 11 ++++ examples/lib/simple/Makefile.am | 2 +- rust/cbindgen.toml | 1 + rust/src/detect/mod.rs | 61 ++++++++++++++++++ src/Makefile.am | 12 +++- src/detect-engine-helper.c | 107 ++++++++++++++++++++++++++++++++ src/detect-engine-helper.h | 41 ++++++++++++ src/detect-engine-register.c | 26 +++++++- src/detect-engine-register.h | 7 ++- src/detect-engine.c | 10 +++ src/detect-parse.c | 6 +- src/detect-parse.h | 2 +- src/detect.h | 6 +- src/suricata.c | 1 + 14 files changed, 279 insertions(+), 14 deletions(-) create mode 100644 src/detect-engine-helper.c create mode 100644 src/detect-engine-helper.h 
diff --git a/configure.ac b/configure.ac index 232ee9bed2b2..72ec015fa20e 100644 --- a/configure.ac +++ b/configure.ac @@ -324,6 +324,17 @@ CFLAGS="$CFLAGS -std=gnu99" fi + # check if our target supports -Wl,--start-group + AC_MSG_CHECKING(for -Wl,--start-group support) + OLDFLAGS=$LDFLAGS + LDFLAGS="-Wl,--start-group,--end-group" + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],[ + have_linker_group_support=yes + AC_MSG_RESULT(yes)], + [AC_MSG_RESULT(no)]) + LDFLAGS=$OLDFLAGS + AM_CONDITIONAL([LINKER_SUPPORTS_GROUP], [test "x$have_linker_group_support" = "xyes"]) + # check if our target supports thread local storage AC_MSG_CHECKING(for thread local storage gnu __thread support) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], diff --git a/examples/lib/simple/Makefile.am b/examples/lib/simple/Makefile.am index afc6505c3bae..c4004b9446c9 100644 --- a/examples/lib/simple/Makefile.am +++ b/examples/lib/simple/Makefile.am @@ -5,7 +5,7 @@ simple_SOURCES = main.c AM_CPPFLAGS = -I$(top_srcdir)/src simple_LDFLAGS = $(all_libraries) $(SECLDFLAGS) -simple_LDADD = $(top_builddir)/src/libsuricata_c.a ../../$(RUST_SURICATA_LIB) $(RUST_LDADD) +simple_LDADD = "-Wl,--start-group,$(top_builddir)/src/libsuricata_c.a,../../$(RUST_SURICATA_LIB),--end-group" $(RUST_LDADD) if HTP_LDADD simple_LDADD += ../../$(HTP_LDADD) endif diff --git a/rust/cbindgen.toml b/rust/cbindgen.toml index 3240f4661ef1..b277e00506d8 100644 --- a/rust/cbindgen.toml +++ b/rust/cbindgen.toml @@ -82,6 +82,7 @@ include = [ "QuicState", "QuicTransaction", "FtpEvent", + "SCSigTableElmt", ] # A list of items to not include in the generated bindings diff --git a/rust/src/detect/mod.rs b/rust/src/detect/mod.rs index 2b1fd0e464b0..bb2441798edb 100644 --- a/rust/src/detect/mod.rs +++ b/rust/src/detect/mod.rs 
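Review bot: The linker-group probe replaces `LDFLAGS` wholesale (`LDFLAGS="-Wl,--start-group,--end-group"`) instead of appending to it, so the test link runs without whatever `LDFLAGS` the user configured and can answer differently from the real link. Appending keeps the probe representative: `LDFLAGS="$LDFLAGS -Wl,--start-group,--end-group"`, with `have_linker_group_support=no` set just before the check so the variable is never left undefined. The `AM_CONDITIONAL` comparison against `xyes` happens to tolerate the unset variable, so the second point is hygiene rather than a failure.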
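Review bot: `simple_LDADD` now uses `-Wl,--start-group` unconditionally, while the same series adds a `LINKER_SUPPORTS_GROUP` conditional in configure.ac and guards the equivalent `LDADD_GENERIC` change in src/Makefile.am with it; on a linker without group support the example build fails where the main build falls back. Mirroring the guard here, with the fallback repeating both archives as src/Makefile.am does, keeps the two builds consistent. `AM_CONDITIONAL` results from the top-level configure.ac are visible to this Makefile.am, so no extra plumbing is needed.
```makefile
if LINKER_SUPPORTS_GROUP
simple_LDADD = "-Wl,--start-group,$(top_builddir)/src/libsuricata_c.a,../../$(RUST_SURICATA_LIB),--end-group" $(RUST_LDADD)
else
# no --start-group: repeat both archives so the linker resolves the C<->Rust circular references
simple_LDADD = $(top_builddir)/src/libsuricata_c.a ../../$(RUST_SURICATA_LIB) $(top_builddir)/src/libsuricata_c.a ../../$(RUST_SURICATA_LIB) $(RUST_LDADD)
endif
# … unchanged: HTP_LDADD conditional …
```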
@@ -27,6 +27,9 @@ pub mod uri; pub mod requires; pub mod tojson; +use crate::core::AppProto; +use std::os::raw::{c_int, c_void}; + /// EnumString trait that will be implemented on enums that /// derive StringEnum. pub trait EnumString { 
@@ -43,6 +46,64 @@ pub trait EnumString { fn from_str(s: &str) -> Option where Self: Sized; } +#[repr(C)] +#[allow(non_snake_case)] +pub struct SCSigTableElmt { + pub name: *const libc::c_char, + pub desc: *const libc::c_char, + pub url: *const libc::c_char, + pub flags: u16, + pub Setup: unsafe extern "C" fn( + de: *mut c_void, + s: *mut c_void, + raw: *const std::os::raw::c_char, + ) -> c_int, + pub Free: Option, + pub AppLayerTxMatch: Option< + unsafe extern "C" fn( + de: *mut c_void, + f: *mut c_void, + flags: u8, + state: *mut c_void, + tx: *mut c_void, + sig: *const c_void, + ctx: *const c_void, + ) -> c_int, + >, +} + +pub(crate) const SIGMATCH_NOOPT: u16 = 1; // BIT_U16(0) in detect.h +pub(crate) const SIGMATCH_INFO_STICKY_BUFFER: u16 = 0x200; // BIT_U16(9) + +extern { + pub fn DetectBufferSetActiveList(de: *mut c_void, s: *mut c_void, bufid: c_int) -> c_int; + pub fn DetectHelperGetData( + de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, + tx: *const c_void, list_id: c_int, + get_buf: unsafe extern "C" fn(*const c_void, u8, *mut *const u8, *mut u32) -> bool, + ) -> *mut c_void; + pub fn DetectHelperBufferMpmRegister( + name: *const libc::c_char, desc: *const libc::c_char, alproto: AppProto, toclient: bool, + toserver: bool, + get_data: unsafe extern "C" fn( + *mut c_void, + *const c_void, + *const c_void, + u8, + *const c_void, + i32, + ) -> *mut c_void, + ) -> c_int; + pub fn DetectHelperKeywordRegister(kw: *const SCSigTableElmt) -> c_int; + pub fn DetectHelperBufferRegister( + name: *const libc::c_char, alproto: AppProto, toclient: bool, toserver: bool, + ) -> c_int; + pub fn DetectSignatureSetAppProto(s: *mut c_void, alproto: AppProto) -> c_int; + pub fn SigMatchAppendSMToList( + de: *mut c_void, s: *mut c_void, kwid: c_int, ctx: *const c_void, bufid: c_int, + ) -> *mut c_void; +} + #[cfg(test)] mod test { use super::*; diff --git a/src/Makefile.am b/src/Makefile.am index 50aaebc4be58..42921842647b 100755 
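Review bot: `SCSigTableElmt` carries no doc comment although its function-pointer members are cast in detect-engine-helper.c to the `SigTableElmt` callback types, and `SIGMATCH_NOOPT`/`SIGMATCH_INFO_STICKY_BUFFER` are hand-copied from detect.h, so a change to either side breaks the other without any compiler help. A doc comment such as `/// Keyword descriptor passed to DetectHelperKeywordRegister; callback signatures must match the SigTableElmt members they are cast to in detect-engine-helper.c` on the struct, and a `// keep in sync with detect.h` note on the two constants, would make the coupling explicit. Exporting the flag values from C instead of duplicating them would remove the second hazard entirely, though that is beyond this hunk.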
--- a/src/Makefile.am +++ b/src/Makefile.am @@ -133,6 +133,7 @@ noinst_HEADERS = \ detect-engine-file.h \ detect-engine-frame.h \ detect-engine.h \ + detect-engine-helper.h \ detect-engine-iponly.h \ detect-engine-loader.h \ detect-engine-mpm.h \ @@ -743,6 +744,7 @@ libsuricata_c_a_SOURCES = \ detect-engine-event.c \ detect-engine-file.c \ detect-engine-frame.c \ + detect-engine-helper.c \ detect-engine-iponly.c \ detect-engine-loader.c \ detect-engine-mpm.c \ @@ -1286,7 +1288,13 @@ suricata_SOURCES = main.c # the library search path. suricata_LDFLAGS = $(all_libraries) ${SECLDFLAGS} -suricata_LDADD = libsuricata_c.a $(RUST_SURICATA_LIB) $(HTP_LDADD) $(RUST_LDADD) +# rust library depends also on c +if LINKER_SUPPORTS_GROUP +LDADD_GENERIC = "-Wl,--start-group,libsuricata_c.a,$(RUST_SURICATA_LIB),--end-group" $(HTP_LDADD) $(RUST_LDADD) +else +LDADD_GENERIC = libsuricata_c.a $(RUST_SURICATA_LIB) libsuricata_c.a $(RUST_SURICATA_LIB) $(HTP_LDADD) $(RUST_LDADD) +endif +suricata_LDADD = $(LDADD_GENERIC) suricata_DEPENDENCIES = libsuricata_c.a $(RUST_SURICATA_LIB) if BUILD_SHARED_LIBRARY @@ -1322,7 +1330,7 @@ uninstall-local: if BUILD_FUZZTARGETS LDFLAGS_FUZZ = $(all_libraries) $(SECLDFLAGS) -LDADD_FUZZ = libsuricata_c.a $(RUST_SURICATA_LIB) $(HTP_LDADD) $(RUST_LDADD) +LDADD_FUZZ = $(LDADD_GENERIC) fuzz_applayerprotodetectgetproto_SOURCES = tests/fuzz/fuzz_applayerprotodetectgetproto.c fuzz_applayerprotodetectgetproto_LDFLAGS = $(LDFLAGS_FUZZ) diff --git a/src/detect-engine-helper.c b/src/detect-engine-helper.c new file mode 100644 index 000000000000..0b7c9ccb2077 --- /dev/null +++ b/src/detect-engine-helper.c 
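Review bot: The non-group fallback `LDADD_GENERIC = libsuricata_c.a $(RUST_SURICATA_LIB) libsuricata_c.a $(RUST_SURICATA_LIB) ...` lists both archives twice without saying why, and the `# rust library depends also on c` comment above the conditional only explains the group form. A comment on the `else` branch, `# no --start-group: repeat both archives so the linker resolves the C<->Rust circular references on a second pass`, would stop the repetition from being "cleaned up" later. Two passes suffice only if no symbol needs a third round trip, which cannot be checked from the Makefile alone.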
@@ -0,0 +1,107 @@ +/* Copyright (C) 2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Philippe Antoine + * + */ + +#include "suricata-common.h" +#include "detect-engine.h" +#include "detect-engine-helper.h" +#include "detect-engine-mpm.h" +#include "detect-engine-prefilter.h" +#include "detect-parse.h" + +int DetectHelperBufferRegister(const char *name, AppProto alproto, bool toclient, bool toserver) +{ + if (toserver) { + DetectAppLayerInspectEngineRegister( + name, alproto, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL); + } + if (toclient) { + DetectAppLayerInspectEngineRegister( + name, alproto, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectGenericList, NULL); + } + return DetectBufferTypeRegister(name); +} + +InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, + const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, + const int list_id, + bool (*GetBuf)(void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)) +{ + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + if (buffer->inspect == NULL) { + const uint8_t *b = NULL; + uint32_t b_len = 0; + + if (!GetBuf(txv, flow_flags, &b, &b_len)) + return NULL; + + InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); + 
InspectionBufferApplyTransforms(buffer, transforms); + } + return buffer; +} + +int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto, + bool toclient, bool toserver, InspectionBufferGetDataPtr GetData) +{ + if (toserver) { + DetectAppLayerInspectEngineRegister( + name, alproto, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetData); + DetectAppLayerMpmRegister( + name, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, alproto, 0); + } + if (toclient) { + DetectAppLayerInspectEngineRegister( + name, alproto, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectBufferGeneric, GetData); + DetectAppLayerMpmRegister( + name, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, GetData, alproto, 0); + } + DetectBufferTypeSetDescriptionByName(name, desc); + return DetectBufferTypeGetByName(name); +} + +int DetectHelperKeywordRegister(const SCSigTableElmt *kw) +{ + if (DETECT_TBLSIZE_IDX >= DETECT_TBLSIZE) { + void *tmp = SCRealloc( + sigmatch_table, (DETECT_TBLSIZE + DETECT_TBLSIZE_STEP) * sizeof(SigTableElmt)); + if (unlikely(tmp == NULL)) { + return -1; + } + sigmatch_table = tmp; + DETECT_TBLSIZE += DETECT_TBLSIZE_STEP; + } + + sigmatch_table[DETECT_TBLSIZE_IDX].name = kw->name; + sigmatch_table[DETECT_TBLSIZE_IDX].desc = kw->desc; + sigmatch_table[DETECT_TBLSIZE_IDX].url = kw->url; + sigmatch_table[DETECT_TBLSIZE_IDX].flags = kw->flags; + sigmatch_table[DETECT_TBLSIZE_IDX].AppLayerTxMatch = + (int (*)(DetectEngineThreadCtx * det_ctx, Flow * f, uint8_t flags, void *alstate, + void *txv, const Signature *s, const SigMatchCtx *ctx)) kw->AppLayerTxMatch; + sigmatch_table[DETECT_TBLSIZE_IDX].Setup = + (int (*)(DetectEngineCtx * de, Signature * s, const char *raw)) kw->Setup; + sigmatch_table[DETECT_TBLSIZE_IDX].Free = (void (*)(DetectEngineCtx * de, void *ptr)) kw->Free; + DETECT_TBLSIZE_IDX++; + return DETECT_TBLSIZE_IDX - 1; +} 
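Review bot: In `DetectHelperKeywordRegister` the slots added by `SCRealloc` are never zeroed, unlike the initial `SCCalloc` in `SigTableSetup`, and the entry being filled only has `name`, `desc`, `url`, `flags`, `AppLayerTxMatch`, `Setup` and `Free` assigned, so every other `SigTableElmt` member (e.g. `Match`) is left indeterminate; `SigTableList` in this series iterates up to `DETECT_TBLSIZE`, the allocated size, and so reads the unused tail as well. Zero the growth right after `sigmatch_table = tmp;` with `memset(&sigmatch_table[DETECT_TBLSIZE], 0, DETECT_TBLSIZE_STEP * sizeof(SigTableElmt));` and the target slot before the assignments with `memset(&sigmatch_table[DETECT_TBLSIZE_IDX], 0, sizeof(SigTableElmt));`. The `Flow *f` parameter of `DetectHelperGetData` is unused in the visible body; if it is kept for signature compatibility with `InspectionBufferGetDataPtr`, a short comment saying so would help.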
diff --git a/src/detect-engine-helper.h b/src/detect-engine-helper.h new file mode 100644 index 000000000000..bd8fe6cce5a6 --- /dev/null +++ b/src/detect-engine-helper.h @@ -0,0 +1,41 @@ +/* Copyright (C) 2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Philippe Antoine + */ + +#ifndef SURICATA_DETECT_ENGINE_HELPER_H +#define SURICATA_DETECT_ENGINE_HELPER_H + +#include "app-layer-protos.h" +#include "detect.h" +#include "rust.h" + +int DetectHelperKeywordRegister(const SCSigTableElmt *kw); +int DetectHelperBufferRegister(const char *name, AppProto alproto, bool toclient, bool toserver); + +typedef bool (*SimpleGetTxBuffer)(void *, uint8_t, const uint8_t **, uint32_t *); +InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, + const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, + const int list_id, SimpleGetTxBuffer GetBuf); +int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto, + bool toclient, bool toserver, InspectionBufferGetDataPtr GetData); + +#endif /* SURICATA_DETECT_ENGINE_HELPER_H */ diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 5608ae218f51..c4070f0c5faf 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c 
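Review bot: The four helper prototypes are the surface that Rust keywords build on, yet none documents its return value or ownership: `DetectHelperKeywordRegister` returns the new keyword id or -1, the two buffer registration helpers return a buffer id, and `DetectHelperGetData` returns NULL when `GetBuf` reports no data. Doxygen headers in the file's style would settle this, e.g. `/** \brief register a keyword described by an SCSigTableElmt \retval id of the new keyword, or -1 if the table could not grow */` on the first, with matching `\param`/`\retval` lines on the others. The header also declares the `GetBuf` parameter through the `SimpleGetTxBuffer` typedef while detect-engine-helper.c spells the same type out inline; using the typedef in both places keeps them from drifting.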
@@ -321,6 +321,9 @@ #include "util-mpm-ac.h" #include "runmodes.h" +int DETECT_TBLSIZE = 0; +int DETECT_TBLSIZE_IDX = DETECT_TBLSIZE_STATIC; + static void PrintFeatureList(const SigTableElmt *e, char sep) { const uint16_t flags = e->flags; @@ -389,7 +392,7 @@ static void SigMultilinePrint(int i, const char *prefix) int SigTableList(const char *keyword) { - size_t size = sizeof(sigmatch_table) / sizeof(SigTableElmt); + size_t size = DETECT_TBLSIZE; size_t i; if (keyword == NULL) { @@ -464,15 +467,32 @@ int SigTableList(const char *keyword) static void DetectFileHandlerRegister(void) { - for (int i = 0; i < DETECT_TBLSIZE; i++) { + for (int i = 0; i < DETECT_TBLSIZE_STATIC; i++) { if (filehandler_table[i].name) DetectFileRegisterFileProtocols(&filehandler_table[i]); } } +void SigTableCleanup(void) +{ + if (sigmatch_table != NULL) { + SCFree(sigmatch_table); + sigmatch_table = NULL; + DETECT_TBLSIZE = 0; + } +} + void SigTableSetup(void) { - memset(sigmatch_table, 0, sizeof(sigmatch_table)); + if (sigmatch_table == NULL) { + DETECT_TBLSIZE = DETECT_TBLSIZE_STATIC + DETECT_TBLSIZE_STEP; + sigmatch_table = SCCalloc(DETECT_TBLSIZE, sizeof(SigTableElmt)); + if (sigmatch_table == NULL) { + DETECT_TBLSIZE = 0; + FatalError("Could not allocate sigmatch_table"); + return; + } + } DetectSidRegister(); DetectPriorityRegister(); diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index cd2edf5979b8..c740588236fa 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -355,10 +355,15 @@ enum DetectKeywordId { DETECT_AL_JA4_HASH, /* make sure this stays last */ - DETECT_TBLSIZE, + DETECT_TBLSIZE_STATIC, }; +extern int DETECT_TBLSIZE; +extern int DETECT_TBLSIZE_IDX; +// step for reallocating sigmatch_table +#define DETECT_TBLSIZE_STEP 256 int SigTableList(const char *keyword); +void SigTableCleanup(void); void SigTableSetup(void); void SigTableRegisterTests(void); 
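Review bot: `SigTableCleanup` frees the table and resets `DETECT_TBLSIZE` but leaves `DETECT_TBLSIZE_IDX` at whatever value dynamic registration reached, so a later `SigTableSetup` (which allocates `DETECT_TBLSIZE_STATIC + DETECT_TBLSIZE_STEP` zeroed slots) followed by `DetectHelperKeywordRegister` keeps numbering from the stale index and leaves the slots between `DETECT_TBLSIZE_STATIC` and that index empty; adding `DETECT_TBLSIZE_IDX = DETECT_TBLSIZE_STATIC;` next to `DETECT_TBLSIZE = 0;` restores the invariant. Whether setup and cleanup run more than once in a process (unit tests, the library API) is not visible here. `SigTableList` now loops to `DETECT_TBLSIZE`, the allocated size, rather than `DETECT_TBLSIZE_IDX`, the number of registered keywords, which is harmless only while the unused tail stays zeroed. The `return;` after `FatalError(...)` in `SigTableSetup` is dead if `FatalError` does not return, as its name suggests.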
diff --git a/src/detect-engine.c b/src/detect-engine.c index 21ce4906f58b..3c5727ecc4d5 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2439,6 +2439,14 @@ static DetectEngineCtx *DetectEngineCtxInitReal( goto error; } + de_ctx->sm_types_prefilter = SCCalloc(DETECT_TBLSIZE, sizeof(bool)); + if (de_ctx->sm_types_prefilter == NULL) { + goto error; + } + de_ctx->sm_types_silent_error = SCCalloc(DETECT_TBLSIZE, sizeof(bool)); + if (de_ctx->sm_types_silent_error == NULL) { + goto error; + } if (DetectEngineCtxLoadConf(de_ctx) == -1) { goto error; } @@ -2572,6 +2580,8 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) SigGroupCleanup(de_ctx); SpmDestroyGlobalThreadCtx(de_ctx->spm_global_thread_ctx); + SCFree(de_ctx->sm_types_prefilter); + SCFree(de_ctx->sm_types_silent_error); MpmFactoryDeRegisterAllMpmCtxProfiles(de_ctx); diff --git a/src/detect-parse.c b/src/detect-parse.c index 028943920072..8f4482c62b6e 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -74,7 +74,7 @@ #include "util-validate.h" /* Table with all filehandler registrations */ -DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE]; +DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE_STATIC]; void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg) { @@ -124,7 +124,7 @@ void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg) } /* Table with all SigMatch registrations */ -SigTableElmt sigmatch_table[DETECT_TBLSIZE]; +SigTableElmt *sigmatch_table = NULL; extern bool sc_set_caps; @@ -394,7 +394,7 @@ bool SigMatchSilentErrorEnabled(const DetectEngineCtx *de_ctx, bool SigMatchStrictEnabled(const enum DetectKeywordId id) { - if (id < DETECT_TBLSIZE) { + if ((int)id < DETECT_TBLSIZE) { return ((sigmatch_table[id].flags & SIGMATCH_STRICT_PARSING) != 0); } return false; diff --git a/src/detect-parse.h b/src/detect-parse.h index 0a993a794f84..ec2c204c0f42 100644 --- a/src/detect-parse.h +++ b/src/detect-parse.h 
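Review bot: `sm_types_prefilter` and `sm_types_silent_error` are sized from `DETECT_TBLSIZE` at the moment the context is created and nothing records that size in the context, so a keyword registered after this point (which grows `DETECT_TBLSIZE` in `DetectHelperKeywordRegister`) gets an id that indexes past both arrays. If registration is guaranteed to precede every `DetectEngineCtxInitReal`, a comment would protect the assumption: `/* sized from the keyword table as it is now: all keyword registration must precede de_ctx creation */`; otherwise store the size in the context and bound-check on use. Whether that ordering holds for the library entry points is not visible from this hunk.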
@@ -42,7 +42,7 @@ typedef struct DetectFileHandlerTableElmt_ { void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *entry); /* File registration table */ -extern DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE]; +extern DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE_STATIC]; /** Flags to indicate if the Signature parsing must be done * switching the source and dest (for ip addresses and ports) diff --git a/src/detect.h b/src/detect.h index 52b456318969..29e8c5eaf516 100644 --- a/src/detect.h +++ b/src/detect.h @@ -1019,8 +1019,8 @@ typedef struct DetectEngineCtx_ { /** per keyword flag indicating if a prefilter has been * set for it. If true, the setup function will have to * run. */ - bool sm_types_prefilter[DETECT_TBLSIZE]; - bool sm_types_silent_error[DETECT_TBLSIZE]; + bool *sm_types_prefilter; + bool *sm_types_silent_error; /* classification config parsing */ @@ -1552,7 +1552,7 @@ typedef struct DetectEngineMasterCtx_ { } DetectEngineMasterCtx; /* Table with all SigMatch registrations */ -extern SigTableElmt sigmatch_table[DETECT_TBLSIZE]; +extern SigTableElmt *sigmatch_table; /** Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group */ diff --git a/src/suricata.c b/src/suricata.c index 6d316771f9a0..abad2ca45fa5 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -394,6 +394,7 @@ void GlobalsDestroy(void) FeatureTrackingRelease(); SCProtoNameRelease(); TimeDeinit(); + SigTableCleanup(); TmqhCleanup(); TmModuleRunDeInit(); ParseSizeDeinit(); From 41da302e7e1329d53799b5f70b0e314f43f81bd8 Mon Sep 17 00:00:00 2001 
From: Philippe Antoine Date: Fri, 26 Apr 2024 16:32:49 +0200 Subject: [PATCH 6/7] detect/snmp: move keywords to rust Ticket: 4863 On the way, convert unit test DetectSNMPCommunityTest to a SV test. And also, make snmp.pdu_type use a generic uint32 for detection, allowing operators, instead of just equality. --- doc/userguide/rules/snmp-keywords.rst | 4 + rust/src/snmp/detect.rs | 263 +++++++++++++++++++++++--- rust/src/snmp/snmp.rs | 2 +- src/Makefile.am | 10 - src/detect-engine-register.c | 10 +- src/detect-engine-register.h | 4 - src/detect-snmp-community.c | 101 ---------- src/detect-snmp-community.h | 29 --- src/detect-snmp-pdu_type.c | 221 ---------------------- src/detect-snmp-pdu_type.h | 29 --- src/detect-snmp-usm.c | 81 -------- src/detect-snmp-usm.h | 23 --- src/detect-snmp-version.c | 174 ----------------- src/detect-snmp-version.h | 29 --- src/tests/detect-snmp-pdu_type.c | 40 ---- src/tests/detect-snmp-version.c | 57 ------ 16 files changed, 243 insertions(+), 834 deletions(-) delete mode 100644 src/detect-snmp-community.c delete mode 100644 src/detect-snmp-community.h delete mode 100644 src/detect-snmp-pdu_type.c delete mode 100644 src/detect-snmp-pdu_type.h delete mode 100644 src/detect-snmp-usm.c delete mode 100644 src/detect-snmp-usm.h delete mode 100644 src/detect-snmp-version.c delete mode 100644 src/detect-snmp-version.h delete mode 100644 src/tests/detect-snmp-pdu_type.c delete mode 100644 src/tests/detect-snmp-version.c diff --git a/doc/userguide/rules/snmp-keywords.rst b/doc/userguide/rules/snmp-keywords.rst index a5349c2e5056..8429f0d805d7 100644 --- a/doc/userguide/rules/snmp-keywords.rst +++ b/doc/userguide/rules/snmp-keywords.rst @@ -6,6 +6,8 @@ snmp.version SNMP protocol version (integer). Expected values are 1, 2 (for version 2c) or 3. +snmp.version uses an, :ref:` unsigned 32-bits integer `. + Syntax:: snmp.version:[op] 
@@ -69,6 +71,8 @@ snmp.pdu_type SNMP PDU type (integer). +snmp.pdu_type uses an, :ref:` unsigned 32-bits integer `. + Common values are: - 0: GetRequest diff --git a/rust/src/snmp/detect.rs b/rust/src/snmp/detect.rs index bb4ffd12c3ba..7dee00a707b1 100644 --- a/rust/src/snmp/detect.rs +++ b/rust/src/snmp/detect.rs 
@@ -17,42 +17,251 @@ // written by Pierre Chifflier -use crate::snmp::snmp::SNMPTransaction; +use super::snmp::{SNMPTransaction, ALPROTO_SNMP}; +use crate::detect::uint::{ + rs_detect_u32_free, rs_detect_u32_match, rs_detect_u32_parse, DetectUintData, +}; +use crate::detect::{ + DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperBufferRegister, + DetectHelperGetData, DetectHelperKeywordRegister, DetectSignatureSetAppProto, SCSigTableElmt, + SigMatchAppendSMToList, SIGMATCH_INFO_STICKY_BUFFER, SIGMATCH_NOOPT, +}; +use std::os::raw::{c_int, c_void}; -#[no_mangle] -pub unsafe extern "C" fn rs_snmp_tx_get_version(tx: &mut SNMPTransaction, version: *mut u32) { - debug_assert!(tx.version != 0, "SNMP version is 0"); - *version = tx.version; +static mut G_SNMP_VERSION_KW_ID: c_int = 0; +static mut G_SNMP_VERSION_BUFFER_ID: c_int = 0; +static mut G_SNMP_PDUTYPE_KW_ID: c_int = 0; +static mut G_SNMP_PDUTYPE_BUFFER_ID: c_int = 0; +static mut G_SNMP_USM_BUFFER_ID: c_int = 0; +static mut G_SNMP_COMMUNITY_BUFFER_ID: c_int = 0; + +unsafe extern "C" fn snmp_detect_version_setup( + de: *mut c_void, s: *mut c_void, raw: *const libc::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_SNMP) != 0 { + return -1; + } + let ctx = rs_detect_u32_parse(raw) as *mut c_void; + if ctx.is_null() { + return -1; + } + if SigMatchAppendSMToList(de, s, G_SNMP_VERSION_KW_ID, ctx, G_SNMP_VERSION_BUFFER_ID).is_null() + { + snmp_detect_version_free(std::ptr::null_mut(), ctx); + return -1; + } + return 0; } -#[no_mangle] -pub unsafe extern "C" fn rs_snmp_tx_get_community( - tx: &mut SNMPTransaction, buf: *mut *const u8, len: *mut u32, -) { - if let Some(ref c) = tx.community { - *buf = c.as_ptr(); - *len = c.len() as u32; +unsafe extern "C" fn snmp_detect_version_match( + _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void, + _sig: *const c_void, ctx: *const c_void, +) -> c_int { + let tx = cast_pointer!(tx, SNMPTransaction); + let ctx = 
cast_pointer!(ctx, DetectUintData); + return rs_detect_u32_match(tx.version, ctx); +} + +unsafe extern "C" fn snmp_detect_version_free(_de: *mut c_void, ctx: *mut c_void) { + // Just unbox... + let ctx = cast_pointer!(ctx, DetectUintData); + rs_detect_u32_free(ctx); +} + +unsafe extern "C" fn snmp_detect_pdutype_setup( + de: *mut c_void, s: *mut c_void, raw: *const libc::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_SNMP) != 0 { + return -1; } + let ctx = rs_detect_u32_parse(raw) as *mut c_void; + if ctx.is_null() { + return -1; + } + if SigMatchAppendSMToList(de, s, G_SNMP_PDUTYPE_KW_ID, ctx, G_SNMP_PDUTYPE_BUFFER_ID).is_null() + { + snmp_detect_pdutype_free(std::ptr::null_mut(), ctx); + return -1; + } + return 0; } -#[no_mangle] -pub unsafe extern "C" fn rs_snmp_tx_get_pdu_type(tx: &mut SNMPTransaction, pdu_type: *mut u32) { - match tx.info { - Some(ref info) => { - *pdu_type = info.pdu_type.0; - } - None => { - *pdu_type = 0xffffffff; - } +unsafe extern "C" fn snmp_detect_pdutype_match( + _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void, + _sig: *const c_void, ctx: *const c_void, +) -> c_int { + let tx = cast_pointer!(tx, SNMPTransaction); + let ctx = cast_pointer!(ctx, DetectUintData); + if let Some(ref info) = tx.info { + let pdu_type = info.pdu_type.0; + return rs_detect_u32_match(pdu_type, ctx); + } + return 0; +} + +unsafe extern "C" fn snmp_detect_pdutype_free(_de: *mut c_void, ctx: *mut c_void) { + // Just unbox... 
+ let ctx = cast_pointer!(ctx, DetectUintData); + rs_detect_u32_free(ctx); +} + +pub unsafe extern "C" fn snmp_detect_usm_setup( + de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_SNMP) != 0 { + return -1; + } + if DetectBufferSetActiveList(de, s, G_SNMP_USM_BUFFER_ID) < 0 { + return -1; } + return 0; } +pub unsafe extern "C" fn snmp_detect_usm_get( + tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, +) -> bool { + let tx = cast_pointer!(tx, SNMPTransaction); + if let Some(ref c) = tx.usm { + *buffer = c.as_ptr(); + *buffer_len = c.len() as u32; + return true; + } + return false; +} + +pub unsafe extern "C" fn snmp_detect_usm_get_data( + de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, + tx: *const c_void, list_id: c_int, +) -> *mut c_void { + return DetectHelperGetData( + de, + transforms, + flow, + flow_flags, + tx, + list_id, + snmp_detect_usm_get, + ); +} + +pub unsafe extern "C" fn snmp_detect_community_setup( + de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_SNMP) != 0 { + return -1; + } + if DetectBufferSetActiveList(de, s, G_SNMP_COMMUNITY_BUFFER_ID) < 0 { + return -1; + } + return 0; +} + +pub unsafe extern "C" fn snmp_detect_community_get( + tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, +) -> bool { + let tx = cast_pointer!(tx, SNMPTransaction); + if let Some(ref c) = tx.community { + *buffer = c.as_ptr(); + *buffer_len = c.len() as u32; + return true; + } + return false; +} + +pub unsafe extern "C" fn snmp_detect_community_get_data( + de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, + tx: *const c_void, list_id: c_int, +) -> *mut c_void { + return DetectHelperGetData( + de, + transforms, + flow, + flow_flags, + tx, + list_id, + snmp_detect_community_get, + ); +} #[no_mangle] 
-pub unsafe extern "C" fn rs_snmp_tx_get_usm( - tx: &mut SNMPTransaction, buf: *mut *const u8, len: *mut u32, -) { - if let Some(ref c) = tx.usm { - *buf = c.as_ptr(); - *len = c.len() as u32; +pub unsafe extern "C" fn ScDetectSNMPRegister() { + let kw = SCSigTableElmt { + name: b"snmp.version\0".as_ptr() as *const libc::c_char, + desc: b"match SNMP version\0".as_ptr() as *const libc::c_char, + url: b"/rules/snmp-keywords.html#snmp-version\0".as_ptr() as *const libc::c_char, + AppLayerTxMatch: Some(snmp_detect_version_match), + Setup: snmp_detect_version_setup, + Free: Some(snmp_detect_version_free), + flags: 0, + }; + unsafe { + G_SNMP_VERSION_KW_ID = DetectHelperKeywordRegister(&kw); + G_SNMP_VERSION_BUFFER_ID = DetectHelperBufferRegister( + b"snmp.version\0".as_ptr() as *const libc::c_char, + ALPROTO_SNMP, + true, + true, + ); + } + + let kw = SCSigTableElmt { + name: b"snmp.pdu_type\0".as_ptr() as *const libc::c_char, + desc: b"match SNMP PDU type\0".as_ptr() as *const libc::c_char, + url: b"/rules/snmp-keywords.html#snmp-pdu-type\0".as_ptr() as *const libc::c_char, + AppLayerTxMatch: Some(snmp_detect_pdutype_match), + Setup: snmp_detect_pdutype_setup, + Free: Some(snmp_detect_pdutype_free), + flags: 0, + }; + unsafe { + G_SNMP_PDUTYPE_KW_ID = DetectHelperKeywordRegister(&kw); + G_SNMP_PDUTYPE_BUFFER_ID = DetectHelperBufferRegister( + b"snmp.pdu_type\0".as_ptr() as *const libc::c_char, + ALPROTO_SNMP, + true, + true, + ); + } + + let kw = SCSigTableElmt { + name: b"snmp.usm\0".as_ptr() as *const libc::c_char, + desc: b"SNMP content modifier to match on the SNMP usm\0".as_ptr() as *const libc::c_char, + url: b"/rules/snmp-keywords.html#snmp-usm\0".as_ptr() as *const libc::c_char, + Setup: snmp_detect_usm_setup, + flags: SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER, + AppLayerTxMatch: None, + Free: None, + }; + unsafe { + let _g_snmp_usm_kw_id = DetectHelperKeywordRegister(&kw); + G_SNMP_USM_BUFFER_ID = DetectHelperBufferMpmRegister( + b"snmp.usm\0".as_ptr() as 
*const libc::c_char,
+            b"SNMP USM\0".as_ptr() as *const libc::c_char,
+            ALPROTO_SNMP,
+            true,
+            true,
+            snmp_detect_usm_get_data,
+        );
+    }
+
+    let kw = SCSigTableElmt {
+        name: b"snmp.community\0".as_ptr() as *const libc::c_char,
+        desc: b"SNMP content modifier to match on the SNMP community\0".as_ptr()
+            as *const libc::c_char,
+        url: b"/rules/snmp-keywords.html#snmp-community\0".as_ptr() as *const libc::c_char,
+        Setup: snmp_detect_community_setup,
+        flags: SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER,
+        AppLayerTxMatch: None,
+        Free: None,
+    };
+    unsafe {
+        let _g_snmp_community_kw_id = DetectHelperKeywordRegister(&kw);
+        G_SNMP_COMMUNITY_BUFFER_ID = DetectHelperBufferMpmRegister(
+            b"snmp.community\0".as_ptr() as *const libc::c_char,
+            b"SNMP Community identifier\0".as_ptr() as *const libc::c_char,
+            ALPROTO_SNMP,
+            true,
+            true,
+            snmp_detect_community_get_data,
+        );
     }
 }
diff --git a/rust/src/snmp/snmp.rs b/rust/src/snmp/snmp.rs
index 3b78b47f7a1d..51aed9fb883f 100644
--- a/rust/src/snmp/snmp.rs
+++ b/rust/src/snmp/snmp.rs
@@ -322,7 +322,7 @@ pub extern "C" fn rs_snmp_tx_get_alstate_progress(_tx: *mut std::os::raw::c_void
     1
 }
 
-static mut ALPROTO_SNMP : AppProto = ALPROTO_UNKNOWN;
+pub(super) static mut ALPROTO_SNMP : AppProto = ALPROTO_UNKNOWN;
 
 // Read PDU sequence and extract version, if similar to SNMP definition
 fn parse_pdu_envelope_version(i:&[u8]) -> IResult<&[u8],u32> {
diff --git a/src/Makefile.am b/src/Makefile.am
index 42921842647b..c0b66a5f1dd5 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -294,10 +294,6 @@ noinst_HEADERS = \
     detect-smb-ntlmssp.h \
     detect-smb-share.h \
     detect-smb-version.h \
-    detect-snmp-community.h \
-    detect-snmp-pdu_type.h \
-    detect-snmp-usm.h \
-    detect-snmp-version.h \
     detect-dhcp-leasetime.h \
     detect-dhcp-rebinding-time.h \
     detect-dhcp-renewal-time.h \
@@ -903,10 +899,6 @@ libsuricata_c_a_SOURCES = \
     detect-smb-ntlmssp.c \
     detect-smb-share.c \
     detect-smb-version.c \
-    detect-snmp-community.c \
-    detect-snmp-pdu_type.c \
-    detect-snmp-usm.c \
-    detect-snmp-version.c \
     detect-dhcp-leasetime.c \
     detect-dhcp-rebinding-time.c \
     detect-dhcp-renewal-time.c \
@@ -1229,8 +1221,6 @@ EXTRA_DIST = \
     tests/detect-http2.c \
     tests/detect-icmpv6-mtu.c \
     tests/detect-icmpv6hdr.c \
-    tests/detect-snmp-pdu_type.c \
-    tests/detect-snmp-version.c \
     tests/detect-template.c \
     tests/detect-transform-pcrexform.c \
     tests/detect-transform-xor.c \
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
index c4070f0c5faf..3a096e6bfdaa 100644
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@@ -214,10 +214,6 @@
 #include "detect-dhcp-leasetime.h"
 #include "detect-dhcp-rebinding-time.h"
 #include "detect-dhcp-renewal-time.h"
-#include "detect-snmp-usm.h"
-#include "detect-snmp-version.h"
-#include "detect-snmp-community.h"
-#include "detect-snmp-pdu_type.h"
 #include "detect-mqtt-type.h"
 #include "detect-mqtt-flags.h"
 #include "detect-mqtt-qos.h"
@@ -703,10 +699,6 @@ void SigTableSetup(void)
     DetectDHCPLeaseTimeRegister();
     DetectDHCPRebindingTimeRegister();
     DetectDHCPRenewalTimeRegister();
-    DetectSNMPUsmRegister();
-    DetectSNMPVersionRegister();
-    DetectSNMPCommunityRegister();
-    DetectSNMPPduTypeRegister();
     DetectMQTTTypeRegister();
     DetectMQTTFlagsRegister();
     DetectMQTTQosRegister();
@@ -751,6 +743,8 @@ void SigTableSetup(void)
 
     DetectFileHandlerRegister();
 
+    ScDetectSNMPRegister();
+
     /* close keyword registration */
     DetectBufferTypeCloseRegistration();
 }
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index c740588236fa..500d1a4c8293 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
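Review bot: `ScDetectSNMPRegister()` is called from SigTableSetup with no prototype visible in this file's hunks, and the four `#include "detect-snmp-*.h"` lines dropped earlier in the same file were its only SNMP declarations. The Rust side defines it as `#[no_mangle] pub unsafe extern "C"`, so cbindgen presumably emits it into the generated bindings header; confirm that header is reached from this translation unit, otherwise the call compiles as an implicit declaration. The registration also moves from the DHCP/MQTT group to just before `DetectBufferTypeCloseRegistration()`, which works because keyword ids are now handed out by DetectHelperKeywordRegister rather than the removed DETECT_AL_SNMP_* enum values; a one-line comment would keep the next reader from moving it back: `/* Rust-side keyword registration; keeps its DetectHelperBuffer*Register calls before DetectBufferTypeCloseRegistration() */`.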
@@ -293,10 +293,6 @@ enum DetectKeywordId {
     DETECT_AL_DHCP_LEASETIME,
     DETECT_AL_DHCP_REBINDING_TIME,
     DETECT_AL_DHCP_RENEWAL_TIME,
-    DETECT_AL_SNMP_USM,
-    DETECT_AL_SNMP_VERSION,
-    DETECT_AL_SNMP_COMMUNITY,
-    DETECT_AL_SNMP_PDU_TYPE,
     DETECT_AL_MQTT_TYPE,
     DETECT_AL_MQTT_FLAGS,
     DETECT_AL_MQTT_QOS,
diff --git a/src/detect-snmp-community.c b/src/detect-snmp-community.c
deleted file mode 100644
index 76c4bddd0ab6..000000000000
--- a/src/detect-snmp-community.c
+++ /dev/null
@@ -1,101 +0,0 @@ -/* Copyright (C) 2015-2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - * - * Set up of the "snmp.community" keyword to allow content - * inspections on the decoded snmp community. - */ - -#include "suricata-common.h" -#include "conf.h" -#include "detect.h" -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-mpm.h" -#include "detect-engine-prefilter.h" -#include "detect-engine-content-inspection.h" -#include "detect-snmp-community.h" -#include "app-layer-parser.h" -#include "rust.h" - -static int DetectSNMPCommunitySetup(DetectEngineCtx *, Signature *, - const char *); -static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, - const int list_id); -static int g_snmp_rust_id = 0; - -void DetectSNMPCommunityRegister(void) -{ - sigmatch_table[DETECT_AL_SNMP_COMMUNITY].name = "snmp.community"; - sigmatch_table[DETECT_AL_SNMP_COMMUNITY].desc = - "SNMP content modifier to match on the SNMP community"; - sigmatch_table[DETECT_AL_SNMP_COMMUNITY].Setup = DetectSNMPCommunitySetup; - sigmatch_table[DETECT_AL_SNMP_COMMUNITY].url = "/rules/snmp-keywords.html#snmp-community"; - sigmatch_table[DETECT_AL_SNMP_COMMUNITY].flags |= 
SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER; - - /* register inspect engines */ - DetectAppLayerInspectEngineRegister("snmp.community", ALPROTO_SNMP, SIG_FLAG_TOSERVER, 0, - DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerMpmRegister("snmp.community", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_SNMP, 0); - DetectAppLayerInspectEngineRegister("snmp.community", ALPROTO_SNMP, SIG_FLAG_TOCLIENT, 0, - DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerMpmRegister("snmp.community", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_SNMP, 0); - - DetectBufferTypeSetDescriptionByName("snmp.community", "SNMP Community identifier"); - - g_snmp_rust_id = DetectBufferTypeGetByName("snmp.community"); -} - -static int DetectSNMPCommunitySetup(DetectEngineCtx *de_ctx, Signature *s, - const char *str) -{ - if (DetectBufferSetActiveList(de_ctx, s, g_snmp_rust_id) < 0) - return -1; - - if (DetectSignatureSetAppProto(s, ALPROTO_SNMP) != 0) - return -1; - - return 0; -} - -static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, - const uint8_t flow_flags, void *txv, const int list_id) -{ - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - uint32_t data_len = 0; - const uint8_t *data = NULL; - - rs_snmp_tx_get_community(txv, &data, &data_len); - if (data == NULL || data_len == 0) { - return NULL; - } - - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); - } - - return buffer; -} diff --git a/src/detect-snmp-community.h b/src/detect-snmp-community.h deleted file mode 100644 index 082d9c1970f6..000000000000 --- a/src/detect-snmp-community.h +++ /dev/null 
@@ -1,29 +0,0 @@
-/* Copyright (C) 2015-2019 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author FirstName LastName
- */
-
-#ifndef SURICATA_DETECT_SNMP_COMMUNITY_H
-#define SURICATA_DETECT_SNMP_COMMUNITY_H
-
-void DetectSNMPCommunityRegister(void);
-
-#endif /* SURICATA_DETECT_SNMP_COMMUNITY_H */
diff --git a/src/detect-snmp-pdu_type.c b/src/detect-snmp-pdu_type.c
deleted file mode 100644
index 331abce7f355..000000000000
--- a/src/detect-snmp-pdu_type.c
+++ /dev/null
@@ -1,221 +0,0 @@ -/* Copyright (C) 2015-2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - */ - -#include "suricata-common.h" -#include "conf.h" -#include "detect.h" -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-content-inspection.h" -#include "detect-snmp-pdu_type.h" -#include "app-layer-parser.h" -#include "rust.h" - -/** - * [snmp.pdu_type]:; - */ -#define PARSE_REGEX "^\\s*([0-9]+)\\s*$" -static DetectParseRegex parse_regex; - -typedef struct DetectSNMPPduTypeData_ { - uint32_t pdu_type; -} DetectSNMPPduTypeData; - -static DetectSNMPPduTypeData *DetectSNMPPduTypeParse (const char *); -static int DetectSNMPPduTypeSetup (DetectEngineCtx *, Signature *s, const char *str); -static void DetectSNMPPduTypeFree(DetectEngineCtx *, void *); -#ifdef UNITTESTS -static void DetectSNMPPduTypeRegisterTests(void); -#endif -static int g_snmp_pdu_type_buffer_id = 0; - -static int DetectSNMPPduTypeMatch (DetectEngineThreadCtx *, Flow *, - uint8_t, void *, void *, const Signature *, - const SigMatchCtx *); - -void DetectSNMPPduTypeRegister(void) -{ - sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].name = "snmp.pdu_type"; - sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].desc = "match SNMP PDU type"; - sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].url = 
"/rules/snmp-keywords.html#snmp-pdu-type"; - sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].Match = NULL; - sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].AppLayerTxMatch = DetectSNMPPduTypeMatch; - sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].Setup = DetectSNMPPduTypeSetup; - sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].Free = DetectSNMPPduTypeFree; -#ifdef UNITTESTS - sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].RegisterTests = DetectSNMPPduTypeRegisterTests; -#endif - - DetectSetupParseRegexes(PARSE_REGEX, &parse_regex); - - DetectAppLayerInspectEngineRegister("snmp.pdu_type", ALPROTO_SNMP, SIG_FLAG_TOSERVER, 0, - DetectEngineInspectGenericList, NULL); - - DetectAppLayerInspectEngineRegister("snmp.pdu_type", ALPROTO_SNMP, SIG_FLAG_TOCLIENT, 0, - DetectEngineInspectGenericList, NULL); - - g_snmp_pdu_type_buffer_id = DetectBufferTypeGetByName("snmp.pdu_type"); -} - -/** - * \internal - * \brief Function to match pdu_type of a TX - * - * \param t Pointer to thread vars. - * \param det_ctx Pointer to the pattern matcher thread. - * \param f Pointer to the current flow. - * \param flags Flags. - * \param state App layer state. - * \param s Pointer to the Signature. - * \param m Pointer to the sigmatch that we will cast into - * DetectSNMPPduTypeData. - * - * \retval 0 no match. - * \retval 1 match. - */ -static int DetectSNMPPduTypeMatch (DetectEngineThreadCtx *det_ctx, - Flow *f, uint8_t flags, void *state, - void *txv, const Signature *s, - const SigMatchCtx *ctx) -{ - SCEnter(); - - const DetectSNMPPduTypeData *dd = (const DetectSNMPPduTypeData *)ctx; - uint32_t pdu_type; - rs_snmp_tx_get_pdu_type(txv, &pdu_type); - SCLogDebug("pdu_type %u ref_pdu_type %d", - pdu_type, dd->pdu_type); - if (pdu_type == dd->pdu_type) - SCReturnInt(1); - SCReturnInt(0); -} - -/** - * \internal - * \brief Function to parse options passed via snmp.pdu_type keywords. - * - * \param rawstr Pointer to the user provided options. - * - * \retval dd pointer to DetectSNMPPduTypeData on success. 
- * \retval NULL on failure. - */ -static DetectSNMPPduTypeData *DetectSNMPPduTypeParse (const char *rawstr) -{ - DetectSNMPPduTypeData *dd = NULL; - int res = 0; - size_t pcre2len; - char value1[20] = ""; - char *endptr = NULL; - - pcre2_match_data *match = NULL; - int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0); - if (ret != 2) { - SCLogError("Parse error %s", rawstr); - goto error; - } - - pcre2len = sizeof(value1); - res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)value1, &pcre2len); - if (res < 0) { - SCLogError("pcre2_substring_copy_bynumber failed"); - goto error; - } - - dd = SCCalloc(1, sizeof(DetectSNMPPduTypeData)); - if (unlikely(dd == NULL)) - goto error; - - /* set the value */ - dd->pdu_type = strtoul(value1, &endptr, 10); - if (endptr == NULL || *endptr != '\0') { - SCLogError("invalid character as arg " - "to snmp.pdu_type keyword"); - goto error; - } - - pcre2_match_data_free(match); - return dd; - -error: - if (match) { - pcre2_match_data_free(match); - } - if (dd) - SCFree(dd); - return NULL; -} - -/** - * \brief Function to add the parsed snmp pdu_type field into the current signature. - * - * \param de_ctx Pointer to the Detection Engine Context. - * \param s Pointer to the Current Signature. - * \param rawstr Pointer to the user provided flags options. - * \param type Defines if this is notBefore or notAfter. - * - * \retval 0 on Success. - * \retval -1 on Failure. - */ -static int DetectSNMPPduTypeSetup (DetectEngineCtx *de_ctx, Signature *s, - const char *rawstr) -{ - DetectSNMPPduTypeData *dd = NULL; - - if (DetectSignatureSetAppProto(s, ALPROTO_SNMP) != 0) - return -1; - - dd = DetectSNMPPduTypeParse(rawstr); - if (dd == NULL) { - SCLogError("Parsing \'%s\' failed", rawstr); - goto error; - } - - /* okay so far so good, lets get this into a SigMatch - * and put it in the Signature. 
*/ - - SCLogDebug("snmp.pdu_type %d", dd->pdu_type); - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_SNMP_PDU_TYPE, (SigMatchCtx *)dd, - g_snmp_pdu_type_buffer_id) == NULL) { - goto error; - } - return 0; - -error: - DetectSNMPPduTypeFree(de_ctx, dd); - return -1; -} - -/** - * \internal - * \brief Function to free memory associated with DetectSNMPPduTypeData. - * - * \param de_ptr Pointer to DetectSNMPPduTypeData. - */ -static void DetectSNMPPduTypeFree(DetectEngineCtx *de_ctx, void *ptr) -{ - SCFree(ptr); -} - -#ifdef UNITTESTS -#include "tests/detect-snmp-pdu_type.c" -#endif /* UNITTESTS */ diff --git a/src/detect-snmp-pdu_type.h b/src/detect-snmp-pdu_type.h deleted file mode 100644 index a01dc98d4580..000000000000 --- a/src/detect-snmp-pdu_type.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2015-2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - */ - -#ifndef SURICATA_DETECT_SNMP_PDU_TYPE_H -#define SURICATA_DETECT_SNMP_PDU_TYPE_H - -void DetectSNMPPduTypeRegister(void); - -#endif /* SURICATA_DETECT_SNMP_PDU_TYPE_H */ diff --git a/src/detect-snmp-usm.c b/src/detect-snmp-usm.c deleted file mode 100644 index fd1a814d164d..000000000000 --- a/src/detect-snmp-usm.c +++ /dev/null 
@@ -1,81 +0,0 @@ -/* Copyright (C) 2022 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#include "suricata-common.h" -#include "rust.h" -#include "detect-snmp-usm.h" -#include "detect-engine.h" -#include "detect-engine-mpm.h" -#include "detect-engine-prefilter.h" -#include "detect-parse.h" - -static int g_buffer_id = 0; - -static int DetectSNMPUsmSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) -{ - if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0) - return -1; - - if (DetectSignatureSetAppProto(s, ALPROTO_SNMP) != 0) - return -1; - - return 0; -} - -static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, - const int list_id) -{ - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - uint32_t data_len = 0; - const uint8_t *data = NULL; - - rs_snmp_tx_get_usm(txv, &data, &data_len); - if (data == NULL || data_len == 0) { - return NULL; - } - - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); - } - - return buffer; -} - -void DetectSNMPUsmRegister(void) -{ - sigmatch_table[DETECT_AL_SNMP_USM].name = "snmp.usm"; - sigmatch_table[DETECT_AL_SNMP_USM].desc = "SNMP content modifier to match on 
the SNMP usm"; - sigmatch_table[DETECT_AL_SNMP_USM].Setup = DetectSNMPUsmSetup; - - sigmatch_table[DETECT_AL_SNMP_USM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; - - /* register inspect engines */ - DetectAppLayerInspectEngineRegister("snmp.usm", ALPROTO_SNMP, SIG_FLAG_TOSERVER, 0, - DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerMpmRegister("snmp.usm", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_SNMP, 0); - DetectAppLayerInspectEngineRegister("snmp.usm", ALPROTO_SNMP, SIG_FLAG_TOCLIENT, 0, - DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerMpmRegister("snmp.usm", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_SNMP, 0); - - DetectBufferTypeSetDescriptionByName("snmp.usm", "SNMP USM"); - - g_buffer_id = DetectBufferTypeGetByName("snmp.usm"); -} diff --git a/src/detect-snmp-usm.h b/src/detect-snmp-usm.h deleted file mode 100644 index 9c86dad807b7..000000000000 --- a/src/detect-snmp-usm.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Copyright (C) 2022 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#ifndef SURICATA_DETECT_SNMP_USM_H -#define SURICATA_DETECT_SNMP_USM_H - -void DetectSNMPUsmRegister(void); - -#endif /* SURICATA_DETECT_SNMP_USM_H */ 
diff --git a/src/detect-snmp-version.c b/src/detect-snmp-version.c
deleted file mode 100644
index cde70f251024..000000000000
--- a/src/detect-snmp-version.c
+++ /dev/null
@@ -1,174 +0,0 @@ -/* Copyright (C) 2015-2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - */ - -#include "suricata-common.h" -#include "conf.h" -#include "detect.h" -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-content-inspection.h" -#include "detect-snmp-version.h" -#include "detect-engine-uint.h" -#include "app-layer-parser.h" -#include "rust.h" - - -static int DetectSNMPVersionSetup (DetectEngineCtx *, Signature *s, const char *str); -static void DetectSNMPVersionFree(DetectEngineCtx *, void *); -#ifdef UNITTESTS -static void DetectSNMPVersionRegisterTests(void); -#endif -static int g_snmp_version_buffer_id = 0; - -static int DetectSNMPVersionMatch (DetectEngineThreadCtx *, Flow *, - uint8_t, void *, void *, const Signature *, - const SigMatchCtx *); - -/** - * \brief Registration function for snmp.procedure keyword. 
- */ -void DetectSNMPVersionRegister (void) -{ - sigmatch_table[DETECT_AL_SNMP_VERSION].name = "snmp.version"; - sigmatch_table[DETECT_AL_SNMP_VERSION].desc = "match SNMP version"; - sigmatch_table[DETECT_AL_SNMP_VERSION].url = "/rules/snmp-keywords.html#snmp-version"; - sigmatch_table[DETECT_AL_SNMP_VERSION].Match = NULL; - sigmatch_table[DETECT_AL_SNMP_VERSION].AppLayerTxMatch = DetectSNMPVersionMatch; - sigmatch_table[DETECT_AL_SNMP_VERSION].Setup = DetectSNMPVersionSetup; - sigmatch_table[DETECT_AL_SNMP_VERSION].Free = DetectSNMPVersionFree; -#ifdef UNITTESTS - sigmatch_table[DETECT_AL_SNMP_VERSION].RegisterTests = DetectSNMPVersionRegisterTests; -#endif - - DetectAppLayerInspectEngineRegister("snmp.version", ALPROTO_SNMP, SIG_FLAG_TOSERVER, 0, - DetectEngineInspectGenericList, NULL); - - DetectAppLayerInspectEngineRegister("snmp.version", ALPROTO_SNMP, SIG_FLAG_TOCLIENT, 0, - DetectEngineInspectGenericList, NULL); - - g_snmp_version_buffer_id = DetectBufferTypeGetByName("snmp.version"); -} - -/** - * \internal - * \brief Function to match version of a TX - * - * \param t Pointer to thread vars. - * \param det_ctx Pointer to the pattern matcher thread. - * \param f Pointer to the current flow. - * \param flags Flags. - * \param state App layer state. - * \param s Pointer to the Signature. - * \param m Pointer to the sigmatch that we will cast into - * DetectU32Data. - * - * \retval 0 no match. - * \retval 1 match. - */ -static int DetectSNMPVersionMatch (DetectEngineThreadCtx *det_ctx, - Flow *f, uint8_t flags, void *state, - void *txv, const Signature *s, - const SigMatchCtx *ctx) -{ - SCEnter(); - - const DetectU32Data *dd = (const DetectU32Data *)ctx; - uint32_t version; - rs_snmp_tx_get_version(txv, &version); - SCLogDebug("version %u mode %u ref_version %d", version, dd->mode, dd->arg1); - if (DetectU32Match(version, dd)) - SCReturnInt(1); - SCReturnInt(0); -} - -/** - * \internal - * \brief Function to parse options passed via snmp.version keywords. 
- * - * \param rawstr Pointer to the user provided options. - * - * \retval dd pointer to DetectU32Data on success. - * \retval NULL on failure. - */ -static DetectU32Data *DetectSNMPVersionParse(const char *rawstr) -{ - return DetectU32Parse(rawstr); -} - - - -/** - * \brief Function to add the parsed snmp version field into the current signature. - * - * \param de_ctx Pointer to the Detection Engine Context. - * \param s Pointer to the Current Signature. - * \param rawstr Pointer to the user provided flags options. - * \param type Defines if this is notBefore or notAfter. - * - * \retval 0 on Success. - * \retval -1 on Failure. - */ -static int DetectSNMPVersionSetup (DetectEngineCtx *de_ctx, Signature *s, - const char *rawstr) -{ - DetectU32Data *dd = NULL; - - if (DetectSignatureSetAppProto(s, ALPROTO_SNMP) != 0) - return -1; - - dd = DetectSNMPVersionParse(rawstr); - if (dd == NULL) { - SCLogError("Parsing \'%s\' failed", rawstr); - goto error; - } - - /* okay so far so good, lets get this into a SigMatch - * and put it in the Signature. */ - - SCLogDebug("snmp.version %d", dd->arg1); - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_SNMP_VERSION, (SigMatchCtx *)dd, - g_snmp_version_buffer_id) == NULL) { - goto error; - } - return 0; - -error: - DetectSNMPVersionFree(de_ctx, dd); - return -1; -} - -/** - * \internal - * \brief Function to free memory associated with DetectU32Data. - * - * \param de_ptr Pointer to DetectU32Data. - */ -static void DetectSNMPVersionFree(DetectEngineCtx *de_ctx, void *ptr) -{ - rs_detect_u32_free(ptr); -} - - -#ifdef UNITTESTS -#include "tests/detect-snmp-version.c" -#endif /* UNITTESTS */ diff --git a/src/detect-snmp-version.h b/src/detect-snmp-version.h deleted file mode 100644 index cd71b59a245c..000000000000 --- a/src/detect-snmp-version.h +++ /dev/null 
@@ -1,29 +0,0 @@
-/* Copyright (C) 2015-2019 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Pierre Chifflier
- */
-
-#ifndef SURICATA_DETECT_SNMP_VERSION_H
-#define SURICATA_DETECT_SNMP_VERSION_H
-
-void DetectSNMPVersionRegister(void);
-
-#endif /* SURICATA_DETECT_SNMP_VERSION_H */
diff --git a/src/tests/detect-snmp-pdu_type.c b/src/tests/detect-snmp-pdu_type.c
deleted file mode 100644
index 0e7693bcc625..000000000000
--- a/src/tests/detect-snmp-pdu_type.c
+++ /dev/null
@@ -1,40 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#include "util-unittest.h" -#include "util-unittest-helper.h" - -/** - * \test This is a test for a valid value 2. - * - * \retval 1 on success. - * \retval 0 on failure. - */ -static int SNMPValidityTestParse01 (void) -{ - DetectSNMPPduTypeData *dd = NULL; - dd = DetectSNMPPduTypeParse("2"); - FAIL_IF_NULL(dd); - FAIL_IF_NOT(dd->pdu_type == 2); - DetectSNMPPduTypeFree(NULL, dd); - PASS; -} - -static void DetectSNMPPduTypeRegisterTests(void) -{ - UtRegisterTest("SNMPValidityTestParse01", SNMPValidityTestParse01); -} diff --git a/src/tests/detect-snmp-version.c b/src/tests/detect-snmp-version.c deleted file mode 100644 index 5da24b1b8700..000000000000 --- a/src/tests/detect-snmp-version.c +++ /dev/null 
@@ -1,57 +0,0 @@
-/* Copyright (C) 2019 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-#include "util-unittest.h"
-#include "util-unittest-helper.h"
-
-/**
- * \test This is a test for a valid value 2.
- *
- * \retval 1 on success.
- * \retval 0 on failure.
- */
-static int SNMPValidityTestParse01 (void)
-{
- DetectU32Data *dd = NULL;
- dd = DetectSNMPVersionParse("2");
- FAIL_IF_NULL(dd);
- FAIL_IF_NOT(dd->arg1 == 2 && dd->mode == DETECT_UINT_EQ);
- DetectSNMPVersionFree(NULL, dd);
- PASS;
-}
-
-/**
- * \test This is a test for a valid value >2.
- *
- * \retval 1 on success.
- * \retval 0 on failure.
- */
-static int SNMPValidityTestParse02 (void)
-{
- DetectU32Data *dd = NULL;
- dd = DetectSNMPVersionParse(">2");
- FAIL_IF_NULL(dd);
- FAIL_IF_NOT(dd->arg1 == 2 && dd->mode == DETECT_UINT_GT);
- DetectSNMPVersionFree(NULL, dd);
- PASS;
-}
-
-static void DetectSNMPVersionRegisterTests(void)
-{
- UtRegisterTest("SNMPValidityTestParse01", SNMPValidityTestParse01);
- UtRegisterTest("SNMPValidityTestParse02", SNMPValidityTestParse02);
-}
From 0f9a9ba5f43196c164386a1883cc0017080d844f Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 7 May 2024 15:09:28 +0200
Subject: [PATCH 7/7] fixup dpdk
---
 .github/workflows/builds.yml | 7 +++++++
 configure.ac | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml
index 93d0e1092505..863b09fc759e 100644
--- a/.github/workflows/builds.yml
+++ b/.github/workflows/builds.yml
@@ -2309,7 +2309,14 @@ jobs:
 cp prep/cbindgen $HOME/.cargo/bin
 chmod 755 $HOME/.cargo/bin/cbindgen
 echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+ # dummy debug
+ - run: pkg-config --libs-only-L libdpdk
+ - run: pkg-config --cflags libdpdk
+ - run: pkg-config --libs libdpdk
 - run: ./autogen.sh
+ # dummy debug
+ - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
+ - run: make -j ${{ env.CPUS }}
 - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-dpdk
 - run: make -j ${{ env.CPUS }}
 - run: make check
diff --git a/configure.ac b/configure.ac
index 72ec015fa20e..bbe62722f8f0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1430,7 +1430,7 @@ exit 1
 fi
 CFLAGS="${CFLAGS} `pkg-config --cflags libdpdk`"
- LIBS="${LIBS} -Wl,-R,`pkg-config --libs-only-L libdpdk | cut -c 3-` -lnuma `pkg-config --libs libdpdk`"
+ LIBS="${LIBS} -lnuma `pkg-config --libs libdpdk`"
 if test ! -z "$(ldconfig -p | grep librte_net_bond)"; then
 AC_DEFINE([HAVE_DPDK_BOND],[1],(DPDK Bond PMD support enabled))
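Review bot: The two `# dummy debug` blocks in the builds.yml hunk read as diagnostics that were meant to be pulled before merge: the three `pkg-config` runs only print flags to the log, and the added `./configure` + `make -j ${{ env.CPUS }}` without `--enable-dpdk` performs a full second build whose configuration is immediately replaced by the `--enable-dpdk` configure on the next step. If the flag dump is wanted while the DPDK link line is being reworked, keep a single step, `- run: pkg-config --cflags --libs libdpdk`, with a comment stating why it is there, and drop the non-DPDK configure/make pair. Be aware that each of these is a plain `run` step, so a non-zero exit from `pkg-config` fails the job before the DPDK configure ever runs, which may not be the signal wanted from a debug step.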
