1 /*
2 * VRT RULES
3 *
4 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
5 * Copyright (C) 2005-2013 Sourcefire, Inc.
6 *
7 * This file is autogenerated via rules2c, by Brian Caswell <bmc@sourcefire.com>
8 */
9
10
11 #ifdef HAVE_CONFIG_H
12 #include "config.h"
13 #endif
14
15 #include "sf_snort_plugin_api.h"
16 #include "sf_snort_packet.h"
17
18
19 /* declare detection functions */
20 int rule2404eval(void *p);
21
22 /* declare rule data structures */
23 /* precompile the stuff that needs pre-compiled */
24 /* flow:established, to_server; */
/* Option 0 (flow:established, to_server): the flag set handed to
 * checkFlow() as the first gate in rule2404eval. Both bits are OR'd
 * into one mask; how checkFlow() combines them is decided by the
 * plugin API, not here. */
static FlowFlags rule2404flow0 =
{
FLOW_ESTABLISHED|FLOW_TO_SERVER
};

/* Wrapper that places rule2404flow0 at rule2404options[0]. */
static RuleOption rule2404option0 =
{
OPTION_TYPE_FLOWFLAGS,
{ &rule2404flow0 }
};
35 // content:"|00 00|", relative;
/* Option 1 (content:"|00 00|", relative): two NUL bytes searched in the
 * normalized buffer from the cursor left by the previous option
 * (CONTENT_RELATIVE), with no offset/depth bound.
 * NOTE(review): this is the first content option evaluated and the
 * shared cursor is still NULL at that point — confirm contentMatch()
 * treats a NULL cursor as "start of buffer" for relative matches,
 * otherwise this rule cannot fire. */
static ContentInfo rule2404content1 =
{
(u_int8_t *)("|00 00|"), /* pattern (now in snort content format); |..| is hex notation, presumably turned into the byteform below at registration */
0, /* depth (0 = unbounded) */
0, /* offset */
CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR (filled in by the engine, not this file) */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wrapper that places rule2404content1 at rule2404options[1]. */
static RuleOption rule2404option1 =
{
OPTION_TYPE_CONTENT,
{ &rule2404content1 }
};
60 // content:"|00 00|", relative;
/* Option 2 (content:"|00 00|", relative): a second pair of NUL bytes,
 * searched from wherever option 1 left the cursor; identical settings
 * to rule2404content1. */
static ContentInfo rule2404content2 =
{
(u_int8_t *)("|00 00|"), /* pattern (now in snort content format) */
0, /* depth (0 = unbounded) */
0, /* offset */
CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wrapper that places rule2404content2 at rule2404options[2]. */
static RuleOption rule2404option2 =
{
OPTION_TYPE_CONTENT,
{ &rule2404content2 }
};
85 // content:"|00|", depth 1;
/* Option 3 (content:"|00|", depth 1): a single NUL that must be the very
 * first byte of the normalized buffer. Not CONTENT_RELATIVE, so this
 * re-anchors the search at the buffer start regardless of where the two
 * previous matches landed. Presumably the NetBIOS session-service
 * message-type byte (0x00 = session message) — verify against the
 * protocol, this file does not say. */
static ContentInfo rule2404content3 =
{
(u_int8_t *)("|00|"), /* pattern (now in snort content format) */
1, /* depth: only byte 0 is examined */
0, /* offset */
CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wrapper that places rule2404content3 at rule2404options[3]. */
static RuleOption rule2404option3 =
{
OPTION_TYPE_CONTENT,
{ &rule2404content3 }
};
110 /* byte_test:size 2, value 322, operator >, offset 2; */
/* Option 4 (byte_test:2,>,322,2): read two bytes at absolute offset 2
 * of the normalized buffer as a big-endian integer and require it to
 * exceed 322. Not relative, so the cursor is ignored. Presumably the
 * low 16 bits of the NetBIOS session-message length — a minimum-size
 * gate before the more specific SMB checks; confirm the 322 threshold
 * against the referenced advisory. */
static ByteData rule2404byte_test4 =
{
2, /* size: number of bytes to extract */
CHECK_GT, /* operator */
322, /* value: comparison operand */
2, /* offset: absolute (no CONTENT_RELATIVE below) */
0, /*multiplier */
BYTE_BIG_ENDIAN|CONTENT_BUF_NORMALIZED|EXTRACT_AS_BYTE, /* flags; EXTRACT_AS_BYTE presumably = binary value rather than ASCII digits */
0, /* post offset */
NULL, // offset_refId
NULL, // value_refId
NULL, // offset_location
NULL // value_location
};

/* Wrapper that places rule2404byte_test4 at rule2404options[4]. */
static RuleOption rule2404option4 =
{
OPTION_TYPE_BYTE_TEST,
{ &rule2404byte_test4 }
};
131 // content:"|FF|SMBs", offset 4, depth 5, nocase;
/* Option 5 (content:"|FF|SMBs", offset 4, depth 5, nocase): the five
 * bytes 0xFF 'S' 'M' 'B' 's' must occupy exactly buffer offsets 4..8
 * (offset 4 plus depth 5 leaves no slack). Presumably the SMB header
 * magic followed by the command byte 0x73 (Session Setup AndX, per the
 * rule message). Because of CONTENT_NOCASE the letters are matched
 * case-insensitively, so e.g. "\xFFsmbS" also satisfies this option;
 * the subsequent byte tests are what narrow the match. This option
 * leaves the shared cursor just past the match, which the relative
 * byte tests that follow build on. */
static ContentInfo rule2404content5 =
{
(u_int8_t *)("|FF|SMBs"), /* pattern (now in snort content format) */
5, /* depth: exactly the pattern length */
4, /* offset: absolute, skips the 4-byte NetBIOS prefix (presumably) */
CONTENT_NOCASE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wrapper that places rule2404content5 at rule2404options[5]. */
static RuleOption rule2404option5 =
{
OPTION_TYPE_CONTENT,
{ &rule2404content5 }
};
156 /* byte_test:size 1, value 128, operator &, offset 6, relative; */
/* Option 6 (byte_test:1,&,128,6,relative): take the single byte six
 * bytes past the cursor (i.e. past the end of "|FF|SMBs") and require
 * bit 0x80 to be set. Presumably the high byte of SMB Flags2, whose
 * 0x80 bit flags a Unicode request — consistent with "unicode" in the
 * rule message, but confirm against the SMB header layout. Endianness
 * is irrelevant for a one-byte read. */
static ByteData rule2404byte_test6 =
{
1, /* size */
CHECK_AND, /* operator: bitwise test, not equality */
128, /* value: 0x80 */
6, /* offset: relative to the shared cursor */
0, /*multiplier */
BYTE_BIG_ENDIAN|CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED|EXTRACT_AS_BYTE, /* flags */
0, /* post offset */
NULL, // offset_refId
NULL, // value_refId
NULL, // offset_location
NULL // value_location
};

/* Wrapper that places rule2404byte_test6 at rule2404options[6]. */
static RuleOption rule2404option6 =
{
OPTION_TYPE_BYTE_TEST,
{ &rule2404byte_test6 }
};
177 /* byte_test:size 2, value 255, operator >, offset 54, relative, endian little; */
/* Option 7 (byte_test:2,>,255,54,relative,little): read the two bytes
 * 54 past the cursor as a little-endian integer and require > 255.
 * The cursor is still where option 5 left it — byte tests receive it by
 * value and do not move it. Presumably a length field in the Session
 * Setup AndX parameter block (SMB fields are little-endian), the
 * ">255" being the oversized-username condition the rule is named for;
 * verify the exact field against the advisory. */
static ByteData rule2404byte_test7 =
{
2, /* size */
CHECK_GT, /* operator */
255, /* value */
54, /* offset: relative to the shared cursor */
0, /*multiplier */
BYTE_LITTLE_ENDIAN|CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED|EXTRACT_AS_BYTE, /* flags */
0, /* post offset */
NULL, // offset_refId
NULL, // value_refId
NULL, // offset_location
NULL // value_location
};

/* Wrapper that places rule2404byte_test7 at rule2404options[7]. */
static RuleOption rule2404option7 =
{
OPTION_TYPE_BYTE_TEST,
{ &rule2404byte_test7 }
};
198 // content:"|00|", offset 56, relative;
/* Option 8 (content:"|00|", offset 56, relative): a NUL byte searched
 * starting 56 bytes past the cursor (still the end of "|FF|SMBs"), with
 * no depth bound — so it finds the first NUL anywhere from that point
 * on and moves the cursor past it. Presumably positioned at the start
 * of the request's data section; confirm against the SMB layout. */
static ContentInfo rule2404content8 =
{
(u_int8_t *)("|00|"), /* pattern (now in snort content format) */
0, /* depth (0 = unbounded) */
56, /* offset: relative to the shared cursor */
CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wrapper that places rule2404content8 at rule2404options[8]. */
static RuleOption rule2404option8 =
{
OPTION_TYPE_CONTENT,
{ &rule2404content8 }
};
223 // content:"|00 00|", offset 255, relative;
/* Option 9 (content:"|00 00|", offset 255, relative): a NUL pair
 * searched from 255 bytes past the cursor left by option 8, unbounded.
 * Requiring the first UTF-16 NUL terminator to lie at least 255 bytes
 * in is presumably how the "username overflow" length condition is
 * expressed; this is an inference from the rule message, not from the
 * code. */
static ContentInfo rule2404content9 =
{
(u_int8_t *)("|00 00|"), /* pattern (now in snort content format) */
0, /* depth (0 = unbounded) */
255, /* offset: relative to the shared cursor */
CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wrapper that places rule2404content9 at rule2404options[9]. */
static RuleOption rule2404option9 =
{
OPTION_TYPE_CONTENT,
{ &rule2404content9 }
};
248 // content:"|00 00|", relative;
/* Option 10 (content:"|00 00|", relative): one more NUL pair searched
 * from wherever option 9 left the cursor, unbounded. It is the last
 * gate; a hit here is what turns the evaluation into RULE_MATCH. */
static ContentInfo rule2404content10 =
{
(u_int8_t *)("|00 00|"), /* pattern (now in snort content format) */
0, /* depth (0 = unbounded) */
0, /* offset */
CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wrapper that places rule2404content10 at rule2404options[10]. */
static RuleOption rule2404option10 =
{
OPTION_TYPE_CONTENT,
{ &rule2404content10 }
};
273
274 /* references for sid 2404 */
275 /* reference: bugtraq "9752"; */
/* External references attached to sid 2404: a Bugtraq ID and the
 * eEye advisory URL. These are metadata only — nothing in the
 * detection path reads them. */
static RuleReference rule2404ref1 =
{
"bugtraq", /* type */
"9752" /* value */
};

/* reference: url "www.eeye.com/html/Research/Advisories/AD20040226.html"; */
static RuleReference rule2404ref2 =
{
"url", /* type */
"www.eeye.com/html/Research/Advisories/AD20040226.html" /* value */
};

/* NULL-terminated reference list wired into rule2404's metadata. */
static RuleReference *rule2404refs[] =
{
&rule2404ref1,
&rule2404ref2,
NULL
};
295
/* Free-form metadata string; "service netbios-ssn" presumably lets the
 * engine tie this rule to the NetBIOS session service independently of
 * the :445 port in the header — confirm in the engine, this file only
 * carries the string. */
static RuleMetaData rule2404meta1 =
{
"service netbios-ssn"
};

/* NULL-terminated metadata list wired into rule2404's metadata. */
static RuleMetaData *rule2404meta[] =
{
&rule2404meta1,
NULL
};
306
/* Ordered, NULL-terminated option table for sid 2404. The order here is
 * load-bearing: rule2404eval indexes this array by literal position
 * (options[0] .. options[10]) and uses the option_u member matching each
 * entry's OPTION_TYPE_*, so inserting or reordering entries without
 * updating the evaluator would silently test the wrong structures. */
RuleOption *rule2404options[] =
{
&rule2404option0, /* flow */
&rule2404option1, /* content |00 00| relative */
&rule2404option2, /* content |00 00| relative */
&rule2404option3, /* content |00| depth 1 */
&rule2404option4, /* byte_test 2,>,322,2 */
&rule2404option5, /* content |FF|SMBs offset 4 depth 5 nocase */
&rule2404option6, /* byte_test 1,&,128,6,relative */
&rule2404option7, /* byte_test 2,>,255,54,relative,little */
&rule2404option8, /* content |00| offset 56 relative */
&rule2404option9, /* content |00 00| offset 255 relative */
&rule2404option10, /* content |00 00| relative */
NULL
};
322
/* The exported rule object the engine registers. Header plus metadata
 * are static data; the trailing fields are scratch space the engine
 * fills at registration time. */
Rule rule2404 = {

/* rule header, akin to => tcp $EXTERNAL_NET any -> $HOME_NET 445 */{
IPPROTO_TCP, /* proto */
"$EXTERNAL_NET", /* SRCIP */
"any", /* SRCPORT */
1, /* DIRECTION (unidirectional: source -> destination) */
"$HOME_NET", /* DSTIP */
"445", /* DSTPORT: SMB over TCP (SMB-DS), not the :139 NetBIOS port */
},
/* metadata */
{
3, /* genid (HARDCODED!!!) — generator id for shared-object rules */
2404, /* sigid */
5, /* revision */

"attempted-admin", /* classification */
0, /* hardcoded priority XXX NOT PROVIDED BY GRAMMAR YET! */
"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt", /* message */
rule2404refs, /* ptr to references */
rule2404meta, /* Meta data */
},
rule2404options, /* ptr to rule options (indexed positionally by rule2404eval) */
&rule2404eval, /* use the built in detection function */
0, /* am I initialized yet? */
0, /* Rule option count, used internally */
0, /* Flag with no alert, used internally */
NULL /* ptr to internal data... setup during rule registration */
};
352
353
354 /* detection functions */
/*
 * Detection function for sid 2404 (gid 3).
 *
 * Walks rule2404options[] in order, sharing one normalized-buffer
 * cursor between the content matches. contentMatch() receives the
 * cursor by address and may advance it; byteTest() receives it by value
 * and therefore never moves it. Every option is a hard gate: the first
 * one that does not report a positive result ends evaluation with
 * RULE_NOMATCH.
 *
 * p: the packet under inspection, opaque to this file and passed
 *    straight through to the plugin API helpers.
 *
 * Returns RULE_MATCH when all eleven options succeed, RULE_NOMATCH
 * otherwise.
 */
int rule2404eval(void *p) {
const u_int8_t *cursor_normal = 0;

// flow:established, to_server;
if (checkFlow(p, rule2404options[0]->option_u.flowFlags) <= 0)
return RULE_NOMATCH;

// content:"|00 00|", relative;
// NOTE(review): this and the next option are CONTENT_RELATIVE while
// cursor_normal is still NULL — confirm contentMatch() treats a NULL
// cursor as "start of buffer"; if it fails instead, this rule can
// never fire.
if (contentMatch(p, rule2404options[1]->option_u.content, &cursor_normal) <= 0)
return RULE_NOMATCH;

// content:"|00 00|", relative;
if (contentMatch(p, rule2404options[2]->option_u.content, &cursor_normal) <= 0)
return RULE_NOMATCH;

// content:"|00|", depth 1;  (absolute: re-anchors at buffer start)
if (contentMatch(p, rule2404options[3]->option_u.content, &cursor_normal) <= 0)
return RULE_NOMATCH;

// byte_test:size 2, value 322, operator >, offset 2;  (absolute)
if (byteTest(p, rule2404options[4]->option_u.byte, cursor_normal) <= 0)
return RULE_NOMATCH;

// content:"|FF|SMBs", offset 4, depth 5, nocase;  (sets the cursor the
// two relative byte tests below are measured from)
if (contentMatch(p, rule2404options[5]->option_u.content, &cursor_normal) <= 0)
return RULE_NOMATCH;

// byte_test:size 1, value 128, operator &, offset 6, relative;
if (byteTest(p, rule2404options[6]->option_u.byte, cursor_normal) <= 0)
return RULE_NOMATCH;

// byte_test:size 2, value 255, operator >, offset 54, relative, endian little;
if (byteTest(p, rule2404options[7]->option_u.byte, cursor_normal) <= 0)
return RULE_NOMATCH;

// content:"|00|", offset 56, relative;
if (contentMatch(p, rule2404options[8]->option_u.content, &cursor_normal) <= 0)
return RULE_NOMATCH;

// content:"|00 00|", offset 255, relative;
if (contentMatch(p, rule2404options[9]->option_u.content, &cursor_normal) <= 0)
return RULE_NOMATCH;

// content:"|00 00|", relative;  (last gate)
if (contentMatch(p, rule2404options[10]->option_u.content, &cursor_normal) <= 0)
return RULE_NOMATCH;

return RULE_MATCH;
}
397
398