1 /*
2 ** Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 ** Copyright (C) 1998-2013 Sourcefire, Inc.
4 **
5 ** This program is free software; you can redistribute it and/or modify
6 ** it under the terms of the GNU General Public License Version 2 as
7 ** published by the Free Software Foundation. You may not use, modify or
8 ** distribute this program under any other version of the GNU General
9 ** Public License.
10 **
11 ** This program is distributed in the hope that it will be useful,
12 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
13 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ** GNU General Public License for more details.
15 **
16 ** You should have received a copy of the GNU General Public License
17 ** along with this program; if not, write to the Free Software
18 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19 */
20
21 /* sp_pkt_data
22 *
23 */
24
25 #ifdef HAVE_CONFIG_H
26 #include "config.h"
27 #endif
28
29 #include <sys/types.h>
30 #include <stdlib.h>
31 #include <ctype.h>
32 #ifdef HAVE_STRINGS_H
33 #include <strings.h>
34 #endif
35 #include <errno.h>
36
37 #include "sf_types.h"
38 #include "snort_bounds.h"
39 #include "rules.h"
40 #include "decode.h"
41 #include "plugbase.h"
42 #include "parser.h"
43 #include "snort_debug.h"
44 #include "util.h"
45 #include "mstring.h"
46
47 #include "snort.h"
48 #include "profiler.h"
49 #include "sp_pkt_data.h"
50 #ifdef PERF_PROFILING
51 PreprocStats pktDataPerfStats;
52 extern PreprocStats ruleOTNEvalPerfStats;
53 #endif
54
55 #include "detection_options.h"
56 #include "detection_util.h"
57
/* Name of the rules file currently being read; it comes from rules.c and
 * is used here when building error messages. */
extern char *file_name;

/* Line number within that rules file; it comes from rules.c and lets an
 * error message point at the offending line. */
extern int file_line;

/* Forward declarations for the pkt_data rule option callbacks. */
static void PktDataInit(struct _SnortConfig *sc, char *data, OptTreeNode *otn, int protocol);
void PktDataParse(char *data, OptTreeNode *otn);
int PktDataEval(void *option_data, Packet *p);
67
/****************************************************************************
 *
 * Function: SetupPktData()
 *
 * Purpose: Register the "pkt_data" rule keyword so that rules using it are
 *          handed to PktDataInit(). When PERF_PROFILING is defined, a
 *          profiling entry with the same name is registered as well.
 *
 * Arguments: None.
 *
 * Returns: Nothing.
 *
 ****************************************************************************/
void SetupPktData(void)
{
    /* Bind the keyword to its per-rule initialisation callback. */
    RegisterRuleOption("pkt_data", PktDataInit, NULL, OPT_TYPE_DETECTION, NULL);

#ifdef PERF_PROFILING
    /* Profiling slot for this option, parented to the rule OTN evaluation stats. */
    RegisterPreprocessorProfile("pkt_data", &pktDataPerfStats, 3, &ruleOTNEvalPerfStats, NULL);
#endif

    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: pkt_data Setup\n"););
}
89
90
/****************************************************************************
 *
 * Function: PktDataInit(struct _SnortConfig *, char *, OptTreeNode *, int)
 *
 * Purpose: Per-rule setup for the pkt_data keyword. Validates the option's
 *          argument string through PktDataParse(), then appends
 *          PktDataEval() to the rule's option function list and tags the
 *          new entry as RULE_OPTION_TYPE_PKT_DATA.
 *
 * Arguments: sc       => Snort configuration (not used by this function)
 *            data     => argument text that followed the keyword in the rule
 *            otn      => option tree node of the rule being parsed
 *            protocol => protocol the rule applies to (not used here)
 *
 * Returns: Nothing.
 *
 ****************************************************************************/
static void PktDataInit(struct _SnortConfig *sc, char *data, OptTreeNode *otn, int protocol)
{
    OptFpList *entry;

    /* Argument validation runs before anything is attached to the rule. */
    PktDataParse(data, otn);

    /* NOTE(review): the returned entry is dereferenced without a NULL check;
     * presumably AddOptFuncToList() aborts on allocation failure - confirm. */
    entry = AddOptFuncToList(PktDataEval, otn);
    entry->type = RULE_OPTION_TYPE_PKT_DATA;
}
116
117
118
/****************************************************************************
 *
 * Function: PktDataParse(char *, OptTreeNode *)
 *
 * Purpose: Validate the argument text of a pkt_data option. The keyword
 *          accepts no arguments, so any text that IsEmptyStr() does not
 *          treat as empty is reported through FatalError() together with
 *          the current rules file name and line number.
 *
 * Arguments: data => argument text that followed the keyword in the rule
 *            otn  => option tree node of the rule (not used here)
 *
 * Returns: Nothing.
 *
 ****************************************************************************/
void PktDataParse(char *data, OptTreeNode *otn)
{
    /* A bare keyword is the only accepted form. */
    if (IsEmptyStr(data))
    {
        return;
    }

    /* NOTE(review): FatalError() presumably terminates the process, so a
     * malformed rule stops start-up instead of being skipped - confirm. */
    FatalError("%s(%d): pkt_data takes no arguments\n",
               file_name, file_line);
}
141
142
/****************************************************************************
 *
 * Function: PktDataEval(void *, Packet *)
 *
 * Purpose: Evaluation callback for the pkt_data keyword. It inspects no
 *          packet content: it calls SetDoePtr(NULL, DOE_BUF_STD), clears
 *          FLAG_ALT_DETECT and reports a match.
 *
 *          NOTE(review): this looks like it points the options that follow
 *          pkt_data in a rule back at the standard packet buffer instead of
 *          an alternate detection buffer - confirm against detection_util.h.
 *          Rule authors need to know which buffer later content matches run
 *          against, since a pattern written for one buffer may not match in
 *          the other.
 *
 * Arguments: option_data => per-option data (not used here)
 *            p           => decoded packet (not used here)
 *
 * Returns: Always DETECTION_OPTION_MATCH.
 *
 ****************************************************************************/
int PktDataEval(void *option_data, Packet *p)
{
    PROFILE_VARS;

    PREPROC_PROFILE_START(pktDataPerfStats);

    /* Clear the detection cursor and select the standard buffer type. */
    SetDoePtr(NULL, DOE_BUF_STD);

    /* Turn off the alternate-detect flag. */
    DetectFlag_Disable(FLAG_ALT_DETECT);

    PREPROC_PROFILE_END(pktDataPerfStats);

    /* There is no failure path: this option matches unconditionally. */
    return DETECTION_OPTION_MATCH;
}
171