OISF / suricata / 22550934724

{

    SCEnter();

    bool r = false;

    const DetectAppLayerProtocolData *data = (const DetectAppLayerProtocolData *)ctx;

    if (s->type == SIG_TYPE_PDONLY &&

            (p->flags & (PKT_PROTO_DETECT_TS_DONE | PKT_PROTO_DETECT_TC_DONE)) == 0) {

        SCLogDebug("packet %" PRIu64 ": flags not set", PcapPacketCntGet(p));

        SCReturnInt(0);

    }

    const Flow *f = p->flow;

    if (f == NULL) {

    switch (data->mode) {

        case DETECT_ALPROTO_DIRECTION:

            if (data->negated) {

                if (p->flowflags & FLOW_PKT_TOSERVER) {

                    if (f->alproto_ts == ALPROTO_UNKNOWN)

                        SCReturnInt(0);

                    r = AppProtoEquals(data->alproto, f->alproto_ts);

                } else {

                    if (f->alproto_tc == ALPROTO_UNKNOWN)

                        SCReturnInt(0);

                    r = AppProtoEquals(data->alproto, f->alproto_tc);

                }

            } else {

                if (p->flowflags & FLOW_PKT_TOSERVER) {

                    r = AppProtoEquals(data->alproto, f->alproto_ts);

                } else {

                    r = AppProtoEquals(data->alproto, f->alproto_tc);

                }

            }

            break;

        case DETECT_ALPROTO_ORIG:

        case DETECT_ALPROTO_FINAL:

            if (data->negated) {

                if (f->alproto == ALPROTO_UNKNOWN)

                r = AppProtoEquals(data->alproto, f->alproto);

            } else {

            break;

        case DETECT_ALPROTO_TOSERVER:

        case DETECT_ALPROTO_EITHER:

            if (data->negated) {

                if (f->alproto_ts == ALPROTO_UNKNOWN && f->alproto_tc == ALPROTO_UNKNOWN)

                    SCReturnInt(0);

                r = AppProtoEquals(data->alproto, f->alproto_tc) ||

                    AppProtoEquals(data->alproto, f->alproto_ts);

            } else {

            break;

    }

    r = r ^ data->negated;

    if (r) {

        SCReturnInt(1);

    }

    SCReturnInt(0);

}

#define MAX_ALPROTO_NAME 50

{

    DetectAppLayerProtocolData *data;

    AppProto alproto = ALPROTO_UNKNOWN;

    char alproto_copy[MAX_ALPROTO_NAME];

    char *sep = strchr(arg, ',');

    char *alproto_name;

    if (sep && sep - arg < MAX_ALPROTO_NAME) {

        strlcpy(alproto_copy, arg, sep - arg + 1);

        alproto_name = alproto_copy;

    } else {

        alproto_name = (char *)arg;

    }

    if (strcmp(alproto_name, "failed") == 0) {

        alproto = ALPROTO_FAILED;

    } else if (strcmp(alproto_name, "unknown") == 0) {

        if (negate) {

        alproto = ALPROTO_UNKNOWN;

    } else {

        alproto = AppLayerGetProtoByName(alproto_name);

        if (alproto == ALPROTO_UNKNOWN) {

            SCLogError("app-layer-protocol "

                       "keyword supplied with unknown protocol \"%s\"",

                    alproto_name);

            return NULL;

        }

    }

    uint8_t mode = DETECT_ALPROTO_DIRECTION;

    if (sep) {

        if (strcmp(sep + 1, "final") == 0) {

            mode = DETECT_ALPROTO_FINAL;

        } else if (strcmp(sep + 1, "original") == 0) {

            mode = DETECT_ALPROTO_ORIG;

        } else if (strcmp(sep + 1, "either") == 0) {

            mode = DETECT_ALPROTO_EITHER;

        } else if (strcmp(sep + 1, "to_server") == 0) {

            mode = DETECT_ALPROTO_TOSERVER;

        } else if (strcmp(sep + 1, "to_client") == 0) {

            mode = DETECT_ALPROTO_TOCLIENT;

        } else if (strcmp(sep + 1, "direction") == 0) {

            mode = DETECT_ALPROTO_DIRECTION;

        } else {

            SCLogError("app-layer-protocol "

                       "keyword supplied with unknown mode \"%s\"",

                    sep + 1);

            return NULL;

        }

    }

    data = SCMalloc(sizeof(DetectAppLayerProtocolData));

    if (unlikely(data == NULL))

    data->alproto = alproto;

    data->negated = negate;

    data->mode = mode;

    return data;

}

{

    if ((them->negated ^ us->negated) && them->mode == us->mode)

        return true;

    if (!us->negated && them->mode == us->mode)

        return true;

    if (us->alproto == them->alproto && them->mode == us->mode)

        return true;

    return false;

}

{

    DetectAppLayerProtocolData *data = NULL;

    if (s->alproto != ALPROTO_UNKNOWN) {

        SCLogError("Either we already "

                   "have the rule match on an app layer protocol set through "

                   "other keywords that match on this protocol, or have "

                   "already seen a non-negated app-layer-protocol.");

        goto error;

    }

    data = DetectAppLayerProtocolParse(arg, s->init_data->negated);

    if (data == NULL)

        goto error;

    SigMatch *tsm = s->init_data->smlists[DETECT_SM_LIST_MATCH];

    for ( ; tsm != NULL; tsm = tsm->next) {

        if (tsm->type == DETECT_APP_LAYER_PROTOCOL) {

            const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx;

            if (HasConflicts(data, them)) {

                SCLogError("can't mix "

                           "positive app-layer-protocol match with negated "

                           "match or match for 'failed'.");

                goto error;

            }

        }

    }

    if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_APP_LAYER_PROTOCOL, (SigMatchCtx *)data,

                DETECT_SM_LIST_MATCH) == NULL) {

    return 0;

error:

    if (data != NULL)

        SCFree(data);

    return -1;

}

{

    SCFree(ptr);

}

{

    const PrefilterPacketHeaderCtx *ctx = pectx;

    if (!PrefilterPacketHeaderExtraMatch(ctx, p)) {

    if (p->flow == NULL) {

    if ((p->flags & (PKT_PROTO_DETECT_TS_DONE|PKT_PROTO_DETECT_TC_DONE)) == 0) {

        SCLogDebug("packet %" PRIu64 ": flags not set", PcapPacketCntGet(p));

        SCReturn;

    }

    Flow *f = p->flow;

    AppProto alproto = ALPROTO_UNKNOWN;

    bool negated = (bool)ctx->v1.u8[2];

    switch (ctx->v1.u8[3]) {

        case DETECT_ALPROTO_DIRECTION:

            if (p->flowflags & FLOW_PKT_TOSERVER) {

                alproto = f->alproto_ts;

            } else {

                alproto = f->alproto_tc;

            }

            break;

    }

    if (negated) {

        if (alproto != ALPROTO_UNKNOWN) {

            if (!AppProtoEquals(ctx->v1.u16[0], alproto)) {

                PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);

            }

        }

    } else {

}

{

    const DetectAppLayerProtocolData *a = smctx;

    v->u16[0] = a->alproto;

    v->u8[2] = (uint8_t)a->negated;

    v->u8[3] = a->mode;

}

{

    const DetectAppLayerProtocolData *a = smctx;

    if (v.u16[0] == a->alproto && v.u8[2] == (uint8_t)a->negated && v.u8[3] == a->mode)

        return true;

    return false;

}

{

    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_APP_LAYER_PROTOCOL, SIG_MASK_REQUIRE_FLOW,

            PrefilterPacketAppProtoSet, PrefilterPacketAppProtoCompare,

            PrefilterPacketAppProtoMatch);

}

{

    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].name = "app-layer-protocol";

    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol";

    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol";

    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Match = DetectAppLayerProtocolPacketMatch;

    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Setup = DetectAppLayerProtocolSetup;

    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Free = DetectAppLayerProtocolFree;

#ifdef UNITTESTS

    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].RegisterTests = DetectAppLayerProtocolRegisterTests;

#endif

    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].flags =

            (SIGMATCH_QUOTES_OPTIONAL | SIGMATCH_HANDLE_NEGATION | SIGMATCH_SUPPORT_FIREWALL);

    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].SetupPrefilter = PrefilterSetupAppProto;

    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].SupportsPrefilter = PrefilterAppProtoIsPrefilterable;

}

{

    DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", false);

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated != 0);

    DetectAppLayerProtocolFree(NULL, data);

    PASS;

}

{

    DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", true);

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated == 0);

    DetectAppLayerProtocolFree(NULL, data);

    PASS;

}

{

    Signature *s = NULL;

    DetectAppLayerProtocolData *data = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:http; sid:1;)");

    FAIL_IF_NULL(s);

    FAIL_IF(s->alproto != ALPROTO_UNKNOWN);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

{

    Signature *s = NULL;

    DetectAppLayerProtocolData *data = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:!http; sid:1;)");

    FAIL_IF_NULL(s);

    FAIL_IF(s->alproto != ALPROTO_UNKNOWN);

    FAIL_IF(s->flags & SIG_FLAG_APPLAYER);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated == 0);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

{

    Signature *s = NULL;

    DetectAppLayerProtocolData *data = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:!http; app-layer-protocol:!smtp; sid:1;)");

    FAIL_IF_NULL(s);

    FAIL_IF(s->alproto != ALPROTO_UNKNOWN);

    FAIL_IF(s->flags & SIG_FLAG_APPLAYER);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated == 0);

    data = (DetectAppLayerProtocolData *)s->init_data->smlists[DETECT_SM_LIST_MATCH]->next->ctx;

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_SMTP);

    FAIL_IF(data->negated == 0);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

{

    Signature *s = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "

            "(app-layer-protocol:smtp; sid:1;)");

    FAIL_IF_NOT_NULL(s);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

{

    Signature *s = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "

            "(app-layer-protocol:!smtp; sid:1;)");

    FAIL_IF_NOT_NULL(s);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

{

    Signature *s = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:!smtp; app-layer-protocol:http; sid:1;)");

    FAIL_IF_NOT_NULL(s);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

{

    Signature *s = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:http; app-layer-protocol:!smtp; sid:1;)");

    FAIL_IF_NOT_NULL(s);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

{

    Signature *s = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:smtp; app-layer-protocol:!http; sid:1;)");

    FAIL_IF_NOT_NULL(s);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

{

    DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", false);

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_FAILED);

    FAIL_IF(data->negated != 0);

    DetectAppLayerProtocolFree(NULL, data);

    PASS;

}

{

    DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", true);

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_FAILED);

    FAIL_IF(data->negated == 0);

    DetectAppLayerProtocolFree(NULL, data);

    PASS;

}

{

    Signature *s = NULL;

    DetectAppLayerProtocolData *data = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:failed; sid:1;)");

    FAIL_IF_NULL(s);

    FAIL_IF(s->alproto != ALPROTO_UNKNOWN);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF(data->alproto != ALPROTO_FAILED);

    FAIL_IF(data->negated);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

{

    DetectAppLayerProtocolData *data = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    Signature *s1 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:http; flowbits:set,blah; sid:1;)");

    FAIL_IF_NULL(s1);

    FAIL_IF(s1->alproto != ALPROTO_UNKNOWN);

    FAIL_IF_NULL(s1->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s1->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s1->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated);

    Signature *s2 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:http; flow:to_client; sid:2;)");

    FAIL_IF_NULL(s2);

    FAIL_IF(s2->alproto != ALPROTO_UNKNOWN);

    FAIL_IF_NULL(s2->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s2->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s2->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated);

    Signature *s3 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:http; flow:to_client,established; sid:3;)");

    FAIL_IF_NULL(s3);

    FAIL_IF(s3->alproto != ALPROTO_UNKNOWN);

    FAIL_IF_NULL(s3->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s3->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s3->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated);

    SigGroupBuild(de_ctx);

    FAIL_IF_NOT(s1->type == SIG_TYPE_PDONLY);

    FAIL_IF_NOT(s2->type == SIG_TYPE_PDONLY);

    FAIL_IF(s3->type == SIG_TYPE_PDONLY); // failure now

    DetectEngineCtxFree(de_ctx);

    PASS;

}

{

    UtRegisterTest("DetectAppLayerProtocolTest01",

                   DetectAppLayerProtocolTest01);

    UtRegisterTest("DetectAppLayerProtocolTest02",

                   DetectAppLayerProtocolTest02);

    UtRegisterTest("DetectAppLayerProtocolTest03",

                   DetectAppLayerProtocolTest03);

    UtRegisterTest("DetectAppLayerProtocolTest04",

                   DetectAppLayerProtocolTest04);

    UtRegisterTest("DetectAppLayerProtocolTest05",

                   DetectAppLayerProtocolTest05);

    UtRegisterTest("DetectAppLayerProtocolTest06",

                   DetectAppLayerProtocolTest06);

    UtRegisterTest("DetectAppLayerProtocolTest07",

                   DetectAppLayerProtocolTest07);

    UtRegisterTest("DetectAppLayerProtocolTest08",

                   DetectAppLayerProtocolTest08);

    UtRegisterTest("DetectAppLayerProtocolTest09",

                   DetectAppLayerProtocolTest09);

    UtRegisterTest("DetectAppLayerProtocolTest10",

                   DetectAppLayerProtocolTest10);

    UtRegisterTest("DetectAppLayerProtocolTest11",

                   DetectAppLayerProtocolTest11);

    UtRegisterTest("DetectAppLayerProtocolTest12",

                   DetectAppLayerProtocolTest12);

    UtRegisterTest("DetectAppLayerProtocolTest13",

                   DetectAppLayerProtocolTest13);

    UtRegisterTest("DetectAppLayerProtocolTest14",

                   DetectAppLayerProtocolTest14);

}