OISF / suricata / 23374838686

/* Copyright (C) 2007-2025 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */

/**

 * \file

 *

 * \author Anoop Saldanha <anoopsaldanha@gmail.com>

 */

#include "suricata-common.h"

#include "detect-engine.h"

#include "detect-engine-build.h"

#include "detect-engine-prefilter.h"

#include "detect-engine-prefilter-common.h"

#include "detect-parse.h"

#include "detect-app-layer-protocol.h"

#include "app-layer.h"

#include "app-layer-parser.h"

#include "util-debug.h"

#include "util-unittest.h"

#include "util-unittest-helper.h"

#ifdef UNITTESTS

static void DetectAppLayerProtocolRegisterTests(void);

#endif

enum {

    DETECT_ALPROTO_DIRECTION = 0,

    DETECT_ALPROTO_FINAL = 1,

    DETECT_ALPROTO_EITHER = 2,

    DETECT_ALPROTO_TOSERVER = 3,

    DETECT_ALPROTO_TOCLIENT = 4,

    DETECT_ALPROTO_ORIG = 5,

};

typedef struct DetectAppLayerProtocolData_ {

    AppProto alproto;

    uint8_t negated;

    uint8_t mode;

} DetectAppLayerProtocolData;

static int DetectAppLayerProtocolPacketMatch(

        DetectEngineThreadCtx *det_ctx,

        Packet *p, const Signature *s, const SigMatchCtx *ctx)

    /* if the sig is PD-only we only match when PD packet flags are set */

static DetectAppLayerProtocolData *DetectAppLayerProtocolParse(const char *arg, bool negate)

static bool HasConflicts(const DetectAppLayerProtocolData *us,

                          const DetectAppLayerProtocolData *them)

    /* mixing negated and non negated is illegal */

    /* multiple non-negated is illegal */

    /* duplicate option */

    /* all good */

static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx,

        Signature *s, const char *arg)

static void DetectAppLayerProtocolFree(DetectEngineCtx *de_ctx, void *ptr)

/** \internal

 *  \brief prefilter function for protocol detect matching

 */

static void

PrefilterPacketAppProtoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)

            // check if either protocol toclient or toserver matches

            // the one in the signature ctx

            // We return right away to avoid calling PrefilterAddSids again

static void

PrefilterPacketAppProtoSet(PrefilterPacketHeaderValue *v, void *smctx)

static bool

PrefilterPacketAppProtoCompare(PrefilterPacketHeaderValue v, void *smctx)

static int PrefilterSetupAppProto(DetectEngineCtx *de_ctx, SigGroupHead *sgh)

static bool PrefilterAppProtoIsPrefilterable(const Signature *s)

void DetectAppLayerProtocolRegister(void)

#ifdef UNITTESTS

    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].RegisterTests = DetectAppLayerProtocolRegisterTests;

#endif

/**********************************Unittests***********************************/

#ifdef UNITTESTS

static int DetectAppLayerProtocolTest01(void)

{

    DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", false);

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated != 0);

    DetectAppLayerProtocolFree(NULL, data);

    PASS;

}

static int DetectAppLayerProtocolTest02(void)

{

    DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", true);

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated == 0);

    DetectAppLayerProtocolFree(NULL, data);

    PASS;

}

static int DetectAppLayerProtocolTest03(void)

{

    Signature *s = NULL;

    DetectAppLayerProtocolData *data = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:http; sid:1;)");

    FAIL_IF_NULL(s);

    FAIL_IF(s->alproto != ALPROTO_UNKNOWN);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

static int DetectAppLayerProtocolTest04(void)

{

    Signature *s = NULL;

    DetectAppLayerProtocolData *data = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:!http; sid:1;)");

    FAIL_IF_NULL(s);

    FAIL_IF(s->alproto != ALPROTO_UNKNOWN);

    FAIL_IF(s->flags & SIG_FLAG_APPLAYER);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated == 0);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

static int DetectAppLayerProtocolTest05(void)

{

    Signature *s = NULL;

    DetectAppLayerProtocolData *data = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:!http; app-layer-protocol:!smtp; sid:1;)");

    FAIL_IF_NULL(s);

    FAIL_IF(s->alproto != ALPROTO_UNKNOWN);

    FAIL_IF(s->flags & SIG_FLAG_APPLAYER);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated == 0);

    data = (DetectAppLayerProtocolData *)s->init_data->smlists[DETECT_SM_LIST_MATCH]->next->ctx;

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_SMTP);

    FAIL_IF(data->negated == 0);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

static int DetectAppLayerProtocolTest06(void)

{

    Signature *s = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "

            "(app-layer-protocol:smtp; sid:1;)");

    FAIL_IF_NOT_NULL(s);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

static int DetectAppLayerProtocolTest07(void)

{

    Signature *s = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "

            "(app-layer-protocol:!smtp; sid:1;)");

    FAIL_IF_NOT_NULL(s);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

static int DetectAppLayerProtocolTest08(void)

{

    Signature *s = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:!smtp; app-layer-protocol:http; sid:1;)");

    FAIL_IF_NOT_NULL(s);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

static int DetectAppLayerProtocolTest09(void)

{

    Signature *s = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:http; app-layer-protocol:!smtp; sid:1;)");

    FAIL_IF_NOT_NULL(s);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

static int DetectAppLayerProtocolTest10(void)

{

    Signature *s = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:smtp; app-layer-protocol:!http; sid:1;)");

    FAIL_IF_NOT_NULL(s);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

static int DetectAppLayerProtocolTest11(void)

{

    DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", false);

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_FAILED);

    FAIL_IF(data->negated != 0);

    DetectAppLayerProtocolFree(NULL, data);

    PASS;

}

static int DetectAppLayerProtocolTest12(void)

{

    DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", true);

    FAIL_IF_NULL(data);

    FAIL_IF(data->alproto != ALPROTO_FAILED);

    FAIL_IF(data->negated == 0);

    DetectAppLayerProtocolFree(NULL, data);

    PASS;

}

static int DetectAppLayerProtocolTest13(void)

{

    Signature *s = NULL;

    DetectAppLayerProtocolData *data = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:failed; sid:1;)");

    FAIL_IF_NULL(s);

    FAIL_IF(s->alproto != ALPROTO_UNKNOWN);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF(data->alproto != ALPROTO_FAILED);

    FAIL_IF(data->negated);

    DetectEngineCtxFree(de_ctx);

    PASS;

}

static int DetectAppLayerProtocolTest14(void)

{

    DetectAppLayerProtocolData *data = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    Signature *s1 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:http; flowbits:set,blah; sid:1;)");

    FAIL_IF_NULL(s1);

    FAIL_IF(s1->alproto != ALPROTO_UNKNOWN);

    FAIL_IF_NULL(s1->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s1->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s1->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated);

    Signature *s2 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:http; flow:to_client; sid:2;)");

    FAIL_IF_NULL(s2);

    FAIL_IF(s2->alproto != ALPROTO_UNKNOWN);

    FAIL_IF_NULL(s2->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s2->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s2->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated);

    /* flow:established and other options not supported for PD-only */

    Signature *s3 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "

            "(app-layer-protocol:http; flow:to_client,established; sid:3;)");

    FAIL_IF_NULL(s3);

    FAIL_IF(s3->alproto != ALPROTO_UNKNOWN);

    FAIL_IF_NULL(s3->init_data->smlists[DETECT_SM_LIST_MATCH]);

    FAIL_IF_NULL(s3->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx);

    data = (DetectAppLayerProtocolData *)s3->init_data->smlists[DETECT_SM_LIST_MATCH]->ctx;

    FAIL_IF(data->alproto != ALPROTO_HTTP);

    FAIL_IF(data->negated);

    SigGroupBuild(de_ctx);

    FAIL_IF_NOT(s1->type == SIG_TYPE_PDONLY);

    FAIL_IF_NOT(s2->type == SIG_TYPE_PDONLY);

    FAIL_IF(s3->type == SIG_TYPE_PDONLY); // failure now

    DetectEngineCtxFree(de_ctx);

    PASS;

}

static void DetectAppLayerProtocolRegisterTests(void)

{

    UtRegisterTest("DetectAppLayerProtocolTest01",

                   DetectAppLayerProtocolTest01);

    UtRegisterTest("DetectAppLayerProtocolTest02",

                   DetectAppLayerProtocolTest02);

    UtRegisterTest("DetectAppLayerProtocolTest03",

                   DetectAppLayerProtocolTest03);

    UtRegisterTest("DetectAppLayerProtocolTest04",

                   DetectAppLayerProtocolTest04);

    UtRegisterTest("DetectAppLayerProtocolTest05",

                   DetectAppLayerProtocolTest05);

    UtRegisterTest("DetectAppLayerProtocolTest06",

                   DetectAppLayerProtocolTest06);

    UtRegisterTest("DetectAppLayerProtocolTest07",

                   DetectAppLayerProtocolTest07);

    UtRegisterTest("DetectAppLayerProtocolTest08",

                   DetectAppLayerProtocolTest08);

    UtRegisterTest("DetectAppLayerProtocolTest09",

                   DetectAppLayerProtocolTest09);

    UtRegisterTest("DetectAppLayerProtocolTest10",

                   DetectAppLayerProtocolTest10);

    UtRegisterTest("DetectAppLayerProtocolTest11",

                   DetectAppLayerProtocolTest11);

    UtRegisterTest("DetectAppLayerProtocolTest12",

                   DetectAppLayerProtocolTest12);

    UtRegisterTest("DetectAppLayerProtocolTest13",

                   DetectAppLayerProtocolTest13);

    UtRegisterTest("DetectAppLayerProtocolTest14",

                   DetectAppLayerProtocolTest14);

}

#endif /* UNITTESTS */