22802647571

Committed 07 Mar 2026 04:23PM UTC coverage: 75.827% (-3.4%) from 79.233%

Build # 22802647571

Build Type

push

github

Committed by

jasonish

Commit Message

github-ci: add schema ordering check for yaml schema

Coverage Stats

253365 of 334137 relevant lines covered (75.83%)

3384729.69 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

75.89

/src/detect-ftpdata.c

/* Copyright (C) 2017-2020 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Eric Leblond <eric@regit.org>
 *
 * Match on ftp command used to trigger a ftp data transfer
 */

#include "suricata-common.h"
#include "util-unittest.h"

#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-state.h"

#include "app-layer-ftp.h"

#include "detect-ftpdata.h"

/**
 * \brief Regex for parsing our keyword options
 */
#define PARSE_REGEX  "^\\s*(stor|retr)\\s*$"
static DetectParseRegex parse_regex;

/* Prototypes of functions registered in DetectFtpdataRegister below */
static int DetectFtpdataMatch(DetectEngineThreadCtx *,
        Flow *, uint8_t, void *, void *,
        const Signature *, const SigMatchCtx *);
static int DetectFtpdataSetup (DetectEngineCtx *, Signature *, const char *);
static void DetectFtpdataFree (DetectEngineCtx *, void *);
#ifdef UNITTESTS
static void DetectFtpdataRegisterTests (void);
#endif
static int g_ftpdata_buffer_id = 0;

/**
 * \brief Registration function for ftpcommand: keyword
 *
 * This function is called once in the 'lifetime' of the engine.
 */
void DetectFtpdataRegister(void) {
    /* keyword name: this is how the keyword is used in a rule */
    sigmatch_table[DETECT_FTPDATA].name = "ftpdata_command";
    /* description: listed in "suricata --list-keywords=all" */
    sigmatch_table[DETECT_FTPDATA].desc = "match FTP command triggering a FTP data channel";
    sigmatch_table[DETECT_FTPDATA].url = "/rules/ftp-keywords.html#ftpdata-command";
    sigmatch_table[DETECT_FTPDATA].AppLayerTxMatch = DetectFtpdataMatch;
    /* setup function is called during signature parsing, when the ftpcommand
     * keyword is encountered in the rule */
    sigmatch_table[DETECT_FTPDATA].Setup = DetectFtpdataSetup;
    /* free function is called when the detect engine is freed. Normally at
     * shutdown, but also during rule reloads. */
    sigmatch_table[DETECT_FTPDATA].Free = DetectFtpdataFree;
    /* registers unittests into the system */
#ifdef UNITTESTS
    sigmatch_table[DETECT_FTPDATA].RegisterTests = DetectFtpdataRegisterTests;
#endif
    DetectAppLayerInspectEngineRegister("ftpdata_command", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectGenericList, NULL);

    DetectAppLayerInspectEngineRegister("ftpdata_command", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0,
            DetectEngineInspectGenericList, NULL);
    g_ftpdata_buffer_id = DetectBufferTypeGetByName("ftpdata_command");

    /* set up the PCRE for keyword parsing */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
}

/**
 * \brief This function is used to check matches from the FTP App Layer Parser
 *
 * \param t pointer to thread vars
 * \param det_ctx pointer to the pattern matcher thread
 * \param p pointer to the current packet
 * \param m pointer to the sigmatch
 * \retval 0 no match
 * \retval 1 match
 */
static int DetectFtpdataMatch(DetectEngineThreadCtx *det_ctx,
        Flow *f, uint8_t flags,
        void *state, void *txv,
        const Signature *s, const SigMatchCtx *m)
{
    const DetectFtpdataData *ftpcommandd = (const DetectFtpdataData *) m;
    const FtpDataState *ftp_state = (const FtpDataState *)state;

    if (ftp_state == NULL)
        return 0;

    if (ftpcommandd->command == ftp_state->command) {
        /* Only match if the flow is in the good direction */
        if ((flags & STREAM_TOSERVER) && (ftpcommandd->command == FTP_COMMAND_RETR)) {
            return 0;
        } else if ((flags & STREAM_TOCLIENT) && (ftpcommandd->command == FTP_COMMAND_STOR)) {
            return 0;
        }
        return 1;
    }

    return 0;
}

/**
 * \brief This function is used to parse ftpcommand options passed via ftpcommand: keyword
 *
 * \param ftpcommandstr Pointer to the user provided ftpcommand options
 *
 * \retval ftpcommandd pointer to DetectFtpdataData on success
 * \retval NULL on failure
 */
static DetectFtpdataData *DetectFtpdataParse(const char *ftpcommandstr)
{
    DetectFtpdataData *ftpcommandd = NULL;
    char arg1[5] = "";
    size_t pcre2len;
    pcre2_match_data *match = NULL;

    int ret = DetectParsePcreExec(&parse_regex, &match, ftpcommandstr, 0, 0);
    if (ret != 2) {
        SCLogError("parse error, ret %" PRId32 "", ret);
        goto error;
    }

    pcre2len = sizeof(arg1);
    int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)arg1, &pcre2len);
    if (res < 0) {
        SCLogError("pcre2_substring_copy_bynumber failed");
        goto error;
    }
    SCLogDebug("Arg1 \"%s\"", arg1);

    ftpcommandd = SCMalloc(sizeof (DetectFtpdataData));
    if (unlikely(ftpcommandd == NULL))
        goto error;
    if (!strcmp(arg1, "stor")) {
        ftpcommandd->command = FTP_COMMAND_STOR;
    } else if (!strcmp(arg1, "retr")) {
        ftpcommandd->command = FTP_COMMAND_RETR;
    } else {
        SCLogError("Invalid command value");
        goto error;
    }

    pcre2_match_data_free(match);
    return ftpcommandd;

error:
    if (match) {
        pcre2_match_data_free(match);
    }
    if (ftpcommandd)
        SCFree(ftpcommandd);
    return NULL;
}

/**
 * \brief parse the options from the 'ftpcommand' keyword in the rule into
 *        the Signature data structure.
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param str pointer to the user provided ftpcommand options
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
static int DetectFtpdataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (SCDetectSignatureSetAppProto(s, ALPROTO_FTPDATA) != 0)
        return -1;

    DetectFtpdataData *ftpcommandd = DetectFtpdataParse(str);
    if (ftpcommandd == NULL)
        return -1;

    if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_FTPDATA, (SigMatchCtx *)ftpcommandd,
                g_ftpdata_buffer_id) == NULL) {
        DetectFtpdataFree(de_ctx, ftpcommandd);
        return -1;
    }
    return 0;
}

/**
 * \brief this function will free memory associated with DetectFtpdataData
 *
 * \param ptr pointer to DetectFtpdataData
 */
static void DetectFtpdataFree(DetectEngineCtx *de_ctx, void *ptr) {
    DetectFtpdataData *ftpcommandd = (DetectFtpdataData *)ptr;

    /* do more specific cleanup here, if needed */

    SCFree(ftpcommandd);
}

#ifdef UNITTESTS

static int DetectFtpdataParseTest01(void)
{
    DetectFtpdataData *ftpcommandd = DetectFtpdataParse("stor");
    FAIL_IF_NULL(ftpcommandd);
    FAIL_IF(!(ftpcommandd->command == FTP_COMMAND_STOR));
    DetectFtpdataFree(NULL, ftpcommandd);
    PASS;
}

static int DetectFtpdataSignatureTest01(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    Signature *sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:stor; sid:1; rev:1;)");
    FAIL_IF_NULL(sig);
    sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:retr; sid:2; rev:1;)");
    FAIL_IF_NULL(sig);
    sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:xxx; sid:3; rev:1;)");
    FAIL_IF_NOT_NULL(sig);

    DetectEngineCtxFree(de_ctx);
    PASS;
}

/**
 * \brief this function registers unit tests for DetectFtpdata
 */
static void DetectFtpdataRegisterTests(void)
{
    UtRegisterTest("DetectFtpdataParseTest01", DetectFtpdataParseTest01);
    UtRegisterTest("DetectFtpdataSignatureTest01",
                   DetectFtpdataSignatureTest01);
}
#endif /* UNITTESTS */

1	/* Copyright (C) 2017-2020 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	/**
19	* \file
20	*
21	* \author Eric Leblond <eric@regit.org>
22	*
23	* Match on ftp command used to trigger a ftp data transfer
24	*/
25
26	#include "suricata-common.h"
27	#include "util-unittest.h"
28
29	#include "detect-parse.h"
30	#include "detect-engine.h"
31	#include "detect-engine-state.h"
32
33	#include "app-layer-ftp.h"
34
35	#include "detect-ftpdata.h"
36
37	/**
38	* \brief Regex for parsing our keyword options
39	*/
40	#define PARSE_REGEX "^\\s(stor\|retr)\\s$"	2,193✔
41	static DetectParseRegex parse_regex;
42
43	/* Prototypes of functions registered in DetectFtpdataRegister below */
44	static int DetectFtpdataMatch(DetectEngineThreadCtx *,
45	Flow , uint8_t, void , void *,
46	const Signature , const SigMatchCtx );
47	static int DetectFtpdataSetup (DetectEngineCtx , Signature , const char *);
48	static void DetectFtpdataFree (DetectEngineCtx , void );
49	#ifdef UNITTESTS
50	static void DetectFtpdataRegisterTests (void);
51	#endif
52	static int g_ftpdata_buffer_id = 0;
53
54	/**
55	* \brief Registration function for ftpcommand: keyword
56	*
57	* This function is called once in the 'lifetime' of the engine.
58	*/
59	void DetectFtpdataRegister(void) {	2,193✔
60	/* keyword name: this is how the keyword is used in a rule */
61	sigmatch_table[DETECT_FTPDATA].name = "ftpdata_command";	2,193✔
62	/* description: listed in "suricata --list-keywords=all" */
63	sigmatch_table[DETECT_FTPDATA].desc = "match FTP command triggering a FTP data channel";	2,193✔
64	sigmatch_table[DETECT_FTPDATA].url = "/rules/ftp-keywords.html#ftpdata-command";	2,193✔
65	sigmatch_table[DETECT_FTPDATA].AppLayerTxMatch = DetectFtpdataMatch;	2,193✔
66	/* setup function is called during signature parsing, when the ftpcommand
67	* keyword is encountered in the rule */
68	sigmatch_table[DETECT_FTPDATA].Setup = DetectFtpdataSetup;	2,193✔
69	/* free function is called when the detect engine is freed. Normally at
70	* shutdown, but also during rule reloads. */
71	sigmatch_table[DETECT_FTPDATA].Free = DetectFtpdataFree;	2,193✔
72	/* registers unittests into the system */
73	#ifdef UNITTESTS	3✔
74	sigmatch_table[DETECT_FTPDATA].RegisterTests = DetectFtpdataRegisterTests;	3✔
75	#endif	3✔
76	DetectAppLayerInspectEngineRegister("ftpdata_command", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0,	2,193✔
77	DetectEngineInspectGenericList, NULL);	2,193✔
78
79	DetectAppLayerInspectEngineRegister("ftpdata_command", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0,	2,193✔
80	DetectEngineInspectGenericList, NULL);	2,193✔
81	g_ftpdata_buffer_id = DetectBufferTypeGetByName("ftpdata_command");	2,193✔
82
83	/* set up the PCRE for keyword parsing */
84	DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);	2,193✔
85	}	2,193✔
86
87	/**
88	* \brief This function is used to check matches from the FTP App Layer Parser
89	*
90	* \param t pointer to thread vars
91	* \param det_ctx pointer to the pattern matcher thread
92	* \param p pointer to the current packet
93	* \param m pointer to the sigmatch
94	* \retval 0 no match
95	* \retval 1 match
96	*/
97	static int DetectFtpdataMatch(DetectEngineThreadCtx *det_ctx,
98	Flow *f, uint8_t flags,
99	void state, void txv,
100	const Signature s, const SigMatchCtx m)
101	{	×
102	const DetectFtpdataData ftpcommandd = (const DetectFtpdataData ) m;	×
103	const FtpDataState ftp_state = (const FtpDataState )state;	×
104
105	if (ftp_state == NULL)	×
106	return 0;	×
107
108	if (ftpcommandd->command == ftp_state->command) {	×
109	/* Only match if the flow is in the good direction */
110	if ((flags & STREAM_TOSERVER) && (ftpcommandd->command == FTP_COMMAND_RETR)) {	×
111	return 0;	×
112	} else if ((flags & STREAM_TOCLIENT) && (ftpcommandd->command == FTP_COMMAND_STOR)) {	×
113	return 0;	×
114	}	×
115	return 1;	×
116	}	×
117
118	return 0;	×
119	}	×
120
121	/**
122	* \brief This function is used to parse ftpcommand options passed via ftpcommand: keyword
123	*
124	* \param ftpcommandstr Pointer to the user provided ftpcommand options
125	*
126	* \retval ftpcommandd pointer to DetectFtpdataData on success
127	* \retval NULL on failure
128	*/
129	static DetectFtpdataData DetectFtpdataParse(const char ftpcommandstr)
130	{	4✔
131	DetectFtpdataData *ftpcommandd = NULL;	4✔
132	char arg1[5] = "";	4✔
133	size_t pcre2len;	4✔
134	pcre2_match_data *match = NULL;	4✔
135
136	int ret = DetectParsePcreExec(&parse_regex, &match, ftpcommandstr, 0, 0);	4✔
137	if (ret != 2) {	4✔
138	SCLogError("parse error, ret %" PRId32 "", ret);	1✔
139	goto error;	1✔
140	}	1✔
141
142	pcre2len = sizeof(arg1);	3✔
143	int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)arg1, &pcre2len);	3✔
144	if (res < 0) {	3✔
145	SCLogError("pcre2_substring_copy_bynumber failed");	×
146	goto error;	×
147	}	×
148	SCLogDebug("Arg1 \"%s\"", arg1);	3✔
149
150	ftpcommandd = SCMalloc(sizeof (DetectFtpdataData));	3✔
151	if (unlikely(ftpcommandd == NULL))	3✔
152	goto error;	×
153	if (!strcmp(arg1, "stor")) {	3✔
154	ftpcommandd->command = FTP_COMMAND_STOR;	2✔
155	} else if (!strcmp(arg1, "retr")) {	2✔
156	ftpcommandd->command = FTP_COMMAND_RETR;	1✔
157	} else {	1✔
158	SCLogError("Invalid command value");	×
159	goto error;	×
160	}	×
161
162	pcre2_match_data_free(match);	3✔
163	return ftpcommandd;	3✔
164
165	error:	1✔
166	if (match) {	1✔
167	pcre2_match_data_free(match);	1✔
168	}	1✔
169	if (ftpcommandd)	1✔
170	SCFree(ftpcommandd);	×
171	return NULL;	1✔
172	}	3✔
173
174	/**
175	* \brief parse the options from the 'ftpcommand' keyword in the rule into
176	* the Signature data structure.
177	*
178	* \param de_ctx pointer to the Detection Engine Context
179	* \param s pointer to the Current Signature
180	* \param str pointer to the user provided ftpcommand options
181	*
182	* \retval 0 on Success
183	* \retval -1 on Failure
184	*/
185	static int DetectFtpdataSetup(DetectEngineCtx de_ctx, Signature s, const char *str)
186	{	3✔
187	if (SCDetectSignatureSetAppProto(s, ALPROTO_FTPDATA) != 0)	3✔
188	return -1;	×
189
190	DetectFtpdataData *ftpcommandd = DetectFtpdataParse(str);	3✔
191	if (ftpcommandd == NULL)	3✔
192	return -1;	1✔
193
194	if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_FTPDATA, (SigMatchCtx *)ftpcommandd,	2✔
195	g_ftpdata_buffer_id) == NULL) {	2✔
196	DetectFtpdataFree(de_ctx, ftpcommandd);	×
197	return -1;	×
198	}	×
199	return 0;	2✔
200	}	2✔
201
202	/**
203	* \brief this function will free memory associated with DetectFtpdataData
204	*
205	* \param ptr pointer to DetectFtpdataData
206	*/
207	static void DetectFtpdataFree(DetectEngineCtx de_ctx, void ptr) {	3✔
208	DetectFtpdataData ftpcommandd = (DetectFtpdataData )ptr;	3✔
209
210	/* do more specific cleanup here, if needed */
211
212	SCFree(ftpcommandd);	3✔
213	}	3✔
214
215	#ifdef UNITTESTS
216
217	static int DetectFtpdataParseTest01(void)
218	{	1✔
219	DetectFtpdataData *ftpcommandd = DetectFtpdataParse("stor");	1✔
220	FAIL_IF_NULL(ftpcommandd);	1✔
221	FAIL_IF(!(ftpcommandd->command == FTP_COMMAND_STOR));	1✔
222	DetectFtpdataFree(NULL, ftpcommandd);	1✔
223	PASS;	1✔
224	}	1✔
225
226	static int DetectFtpdataSignatureTest01(void)
227	{	1✔
228	DetectEngineCtx *de_ctx = DetectEngineCtxInit();	1✔
229	FAIL_IF_NULL(de_ctx);	1✔
230
231	Signature *sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:stor; sid:1; rev:1;)");	1✔
232	FAIL_IF_NULL(sig);	1✔
233	sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:retr; sid:2; rev:1;)");	1✔
234	FAIL_IF_NULL(sig);	1✔
235	sig = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any (ftpdata_command:xxx; sid:3; rev:1;)");	1✔
236	FAIL_IF_NOT_NULL(sig);	1✔
237
238	DetectEngineCtxFree(de_ctx);	1✔
239	PASS;	1✔
240	}	1✔
241
242	/**
243	* \brief this function registers unit tests for DetectFtpdata
244	*/
245	static void DetectFtpdataRegisterTests(void)
246	{	1✔
247	UtRegisterTest("DetectFtpdataParseTest01", DetectFtpdataParseTest01);	1✔
248	UtRegisterTest("DetectFtpdataSignatureTest01",	1✔
249	DetectFtpdataSignatureTest01);	1✔
250	}	1✔
251	#endif /* UNITTESTS */

jasonish / suricata / 22802647571

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous