1 /*
2 * VRT RULES
3 *
4 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
5 * Copyright (C) 2005-2013 Sourcefire, Inc.
6 *
7 * This file is autogenerated via rules2c, by Brian Caswell <bmc@sourcefire.com>
8 */
9
10
11 #ifdef HAVE_CONFIG_H
12 #include "config.h"
13 #endif
14
15 #include "sf_snort_plugin_api.h"
16 #include "sf_snort_packet.h"
17
18
19 /* declare detection functions */
20 int rule3052eval(void *p);
21
22 /* declare rule data structures */
23 /* precompile the stuff that needs pre-compiled */
// content:"|00|", depth 1;
/*
 * Option 0: the first byte of the normalized buffer (offset 0, depth 1,
 * not relative) must be 0x00.  The pattern is stored in Snort's
 * pipe-delimited hex text form; the "holder" fields below are left
 * zero/NULL here and are presumably filled in when the rule is
 * registered.  The cast strips const from a string literal, so nothing
 * may ever write through the pattern pointer.
 */
static ContentInfo rule3052content0 =
{
(u_int8_t *)("|00|"), /* pattern (now in snort content format) */
1, /* depth */
0, /* offset */
CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wraps option 0 so it can be placed in rule3052options[]. */
static RuleOption rule3052option0 =
{
OPTION_TYPE_CONTENT,
{ &rule3052content0 }
};
// content:"|FF|SMB|A0|", offset 3, depth 5, relative;
/*
 * Option 1: the five bytes 0xFF 'S' 'M' 'B' 0xA0 must appear exactly
 * 3 bytes past the cursor left by option 0 (offset 3, depth 5 gives a
 * window of exactly one position for a 5-byte pattern).  The 0xFF SMB
 * prefix is the SMB header signature; the trailing 0xA0 is presumably
 * the command byte for the "NT Trans" request named in the rule
 * message -- confirm against the SMB header layout.
 */
static ContentInfo rule3052content1 =
{
(u_int8_t *)("|FF|SMB|A0|"), /* pattern (now in snort content format) */
5, /* depth */
3, /* offset */
CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wraps option 1 so it can be placed in rule3052options[]. */
static RuleOption rule3052option1 =
{
OPTION_TYPE_CONTENT,
{ &rule3052content1 }
};
/* byte_test:size 1, value 128, operator &, offset 6, relative; */
/*
 * Option 2: read the single byte 6 bytes past the cursor and require
 * (byte & 0x80) to be non-zero, i.e. its high bit set.  Endianness is
 * irrelevant for a 1-byte read.  NOTE(review): given the "unicode" in
 * the rule message this presumably tests the Unicode bit of the SMB
 * Flags2 field -- verify against the header layout.
 */
static ByteData rule3052byte_test2 =
{
1, /* size */
CHECK_AND, /* operator */
128, /* value */
6, /* offset */
0, /*multiplier */
BYTE_BIG_ENDIAN|CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED|EXTRACT_AS_BYTE, /* flags */
0, /* post offset */
NULL, // offset_refId
NULL, // value_refId
NULL, // offset_location
NULL // value_location
};

/* Wraps option 2 so it can be placed in rule3052options[]. */
static RuleOption rule3052option2 =
{
OPTION_TYPE_BYTE_TEST,
{ &rule3052byte_test2 }
};
// pcre:"^.{27}", relative;
/*
 * Option 3: an anchored regex that consumes exactly 27 bytes from the
 * cursor; it exists only to advance the cursor, not to test content.
 * NOTE(review): compile flags are 0.  With default PCRE options `.`
 * does not match a newline byte (0x0A), so a 0x0A anywhere in those 27
 * bytes would make this step fail and the rule miss -- confirm whether
 * the engine adds a dotall option itself when compiling.
 */
static PCREInfo rule3052pcre3 =
{
"^.{27}", /* pattern */
NULL, /* holder for compiled pattern */
NULL, /* holder for compiled pattern flags */
0, /* compile flags */
CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED, /* content flags */
0 /* offset */
};

/* Wraps option 3 so it can be placed in rule3052options[]. */
static RuleOption rule3052option3 =
{
OPTION_TYPE_PCRE,
{ &rule3052pcre3 }
};
// content:"|01 00|", offset 37, depth 2, relative;
/*
 * Option 4: the two bytes 0x01 0x00 must appear exactly 37 bytes past
 * the cursor (offset 37, depth 2 leaves a single candidate position).
 */
static ContentInfo rule3052content4 =
{
(u_int8_t *)("|01 00|"), /* pattern (now in snort content format) */
2, /* depth */
37, /* offset */
CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wraps option 4 so it can be placed in rule3052options[]. */
static RuleOption rule3052option4 =
{
OPTION_TYPE_CONTENT,
{ &rule3052content4 }
};
/* byte_jump:size 4, offset -7, relative, endian little; */
/*
 * Option 5: read a 4-byte little-endian value starting 7 bytes *before*
 * the cursor (negative relative offset) and move the cursor to that
 * value, counted from the start of the buffer per JUMP_FROM_BEGINNING.
 * The jump target comes straight from packet data, so the engine's
 * bounds check on the resulting cursor (surfaced as the byteJump
 * return value) is the only thing keeping later options in range.
 */
static ByteData rule3052byte_jump5 =
{
4, /* size */
0, /* operator, byte_jump doesn't use operator! */
0, /* value, byte_jump doesn't use value! */
-7, /* offset */
0, /* multiplier */
BYTE_LITTLE_ENDIAN|CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED|EXTRACT_AS_BYTE|JUMP_FROM_BEGINNING, /* flags */
0, /* post offset */
NULL, // offset_refId
NULL, // value_refId
NULL, // offset_location
NULL // value_location
};

/* Wraps option 5 so it can be placed in rule3052options[]. */
static RuleOption rule3052option5 =
{
OPTION_TYPE_BYTE_JUMP,
{ &rule3052byte_jump5 }
};
// pcre:"^.{4}", relative;
/*
 * Option 6: anchored regex that skips exactly 4 bytes from the cursor
 * set by the byte_jump above.  Same caveat as rule3052pcre3: with
 * compile flags 0, `.` does not match 0x0A unless the engine supplies
 * a dotall option -- confirm.
 */
static PCREInfo rule3052pcre6 =
{
"^.{4}", /* pattern */
NULL, /* holder for compiled pattern */
NULL, /* holder for compiled pattern flags */
0, /* compile flags */
CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED, /* content flags */
0 /* offset */
};

/* Wraps option 6 so it can be placed in rule3052options[]. */
static RuleOption rule3052option6 =
{
OPTION_TYPE_PCRE,
{ &rule3052pcre6 }
};
// content:"|00 00 00 00|", offset 16, depth 4, relative;
/*
 * Option 7: a NEGATED content (NOT_FLAG).  The rule continues only if
 * the four bytes 16 past the cursor are NOT all zero; rule3052eval
 * mirrors this with `!(contentMatch(...) > 0)`.  Because the pattern
 * and the depth are both 4 bytes, exactly one position is examined.
 */
static ContentInfo rule3052content7 =
{
(u_int8_t *)("|00 00 00 00|"), /* pattern (now in snort content format) */
4, /* depth */
16, /* offset */
NOT_FLAG|CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wraps option 7 so it can be placed in rule3052options[]. */
static RuleOption rule3052option7 =
{
OPTION_TYPE_CONTENT,
{ &rule3052content7 }
};
/* byte_jump:size 4, offset 16, relative, endian little; */
/*
 * Option 8: read a 4-byte little-endian value 16 bytes past the cursor
 * and jump by it.  Unlike rule3052byte_jump5 there is no
 * JUMP_FROM_BEGINNING, so the jump is presumably taken relative to the
 * position just after the bytes read -- confirm against the engine's
 * byteJump semantics.  As above, the distance is packet-controlled and
 * relies on the engine's range check.
 */
static ByteData rule3052byte_jump8 =
{
4, /* size */
0, /* operator, byte_jump doesn't use operator! */
0, /* value, byte_jump doesn't use value! */
16, /* offset */
0, /* multiplier */
BYTE_LITTLE_ENDIAN|CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED|EXTRACT_AS_BYTE, /* flags */
0, /* post offset */
NULL, // offset_refId
NULL, // value_refId
NULL, // offset_location
NULL // value_location
};

/* Wraps option 8 so it can be placed in rule3052options[]. */
static RuleOption rule3052option8 =
{
OPTION_TYPE_BYTE_JUMP,
{ &rule3052byte_jump8 }
};
// content:"|00 00|", offset -10, depth 2, relative;
/*
 * Option 9 (final): the two bytes 10 bytes *behind* the cursor left by
 * the second byte_jump must be 0x00 0x00.  The negative offset looks
 * backwards from the cursor; depth 2 again pins a single position.
 */
static ContentInfo rule3052content9 =
{
(u_int8_t *)("|00 00|"), /* pattern (now in snort content format) */
2, /* depth */
-10, /* offset */
CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
NULL, /* holder for boyer/moore PTR */
NULL, /* more holder info - byteform */
0, /* byteform length */
0, /* increment length*/
0, /* holder for fp offset */
0, /* holder for fp length */
0, /* holder for fp only */
NULL, // offset_refId
NULL, // depth_refId
NULL, // offset_location
NULL // depth_location
};

/* Wraps option 9 so it can be placed in rule3052options[]. */
static RuleOption rule3052option9 =
{
OPTION_TYPE_CONTENT,
{ &rule3052content9 }
};
244
/* references for sid 3052 */
/* No external references for this rule: the array is just the NULL terminator. */
static RuleReference *rule3052refs[] =
{
NULL
};
/*
 * NULL-terminated option chain, in evaluation order.  The indices here
 * (0..9) are hard-wired into rule3052eval, so reordering this array
 * without updating that function would silently change what each
 * step tests.  Not static: the symbol is visible to other translation
 * units, although only this file references it.
 */
RuleOption *rule3052options[] =
{
&rule3052option0,
&rule3052option1,
&rule3052option2,
&rule3052option3,
&rule3052option4,
&rule3052option5,
&rule3052option6,
&rule3052option7,
&rule3052option8,
&rule3052option9,
NULL
};
264
/*
 * The rule itself: tcp $EXTERNAL_NET any -> $HOME_NET 139 (NetBIOS
 * session service), gid 3 / sid 3052 / rev 2.  The eval-function slot
 * is NULL (the &rule3052eval reference is commented out), so the
 * engine walks rule3052options[] with its built-in evaluator and the
 * hand-written rule3052eval below is never called.  The trailing
 * counters and pointer are runtime state owned by the engine.
 */
Rule rule3052 = {

/* rule header, akin to => tcp any any -> any any */{
IPPROTO_TCP, /* proto */
"$EXTERNAL_NET", /* SRCIP */
"any", /* SRCPORT */
1, /* DIRECTION */
"$HOME_NET", /* DSTIP */
"139", /* DSTPORT */
},
/* metadata */
{
3, /* genid (HARDCODED!!!) */
3052, /* sigid */
2, /* revision */

"protocol-command-decode", /* classification */
0, /* hardcoded priority XXX NOT PROVIDED BY GRAMMAR YET! */
"!! Dynamic !! NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt", /* message */
rule3052refs, /* ptr to references */
NULL /* Meta data */
},
rule3052options, /* ptr to rule options */
NULL, //&rule3052eval, /* use the built in detection function */
0, /* am I initialized yet? */
0, /* Rule option count, used internally */
0, /* Flag with no alert, used internally */
NULL /* ptr to internal data... setup during rule registration */
};
294
295
296 /* detection functions */
/*
 * Hand-written equivalent of walking rule3052options[] in order.  Each
 * step runs relative to the cursor left by the previous one and the
 * function bails out with RULE_NOMATCH at the first step that fails;
 * only a packet that passes every step reaches RULE_MATCH.
 *
 * Note that the Rule definition above stores NULL rather than
 * &rule3052eval, so the engine's built-in evaluator handles this rule
 * and this function is not wired in.
 *
 * p: the packet under inspection (engine packet type, passed opaquely).
 * Returns RULE_MATCH or RULE_NOMATCH.
 */
int rule3052eval(void *p) {
    const u_int8_t *cursor_normal = NULL;

    // content:"|00|", depth 1;
    if (contentMatch(p, rule3052options[0]->option_u.content, &cursor_normal) <= 0) {
        return RULE_NOMATCH;
    }
    // content:"|FF|SMB|A0|", offset 3, depth 5, relative;
    if (contentMatch(p, rule3052options[1]->option_u.content, &cursor_normal) <= 0) {
        return RULE_NOMATCH;
    }
    // byte_test:size 1, value 128, operator &, offset 6, relative;
    if (byteTest(p, rule3052options[2]->option_u.byte, cursor_normal) <= 0) {
        return RULE_NOMATCH;
    }
    // pcre:"^.{27}", relative;
    if (!pcreMatch(p, rule3052options[3]->option_u.pcre, &cursor_normal)) {
        return RULE_NOMATCH;
    }
    // content:"|01 00|", offset 37, depth 2, relative;
    if (contentMatch(p, rule3052options[4]->option_u.content, &cursor_normal) <= 0) {
        return RULE_NOMATCH;
    }
    // byte_jump:size 4, offset -7, relative, endian little;
    // The jump distance comes from packet data; a non-positive return
    // means the engine rejected the resulting cursor.
    if (byteJump(p, rule3052options[5]->option_u.byte, &cursor_normal) <= 0) {
        return RULE_NOMATCH;
    }
    // pcre:"^.{4}", relative;
    if (!pcreMatch(p, rule3052options[6]->option_u.pcre, &cursor_normal)) {
        return RULE_NOMATCH;
    }
    // content:"|00 00 00 00|", offset 16, depth 4, relative;
    // Negated content: the rule only continues when this pattern is ABSENT.
    if (contentMatch(p, rule3052options[7]->option_u.content, &cursor_normal) > 0) {
        return RULE_NOMATCH;
    }
    // byte_jump:size 4, offset 16, relative, endian little;
    if (byteJump(p, rule3052options[8]->option_u.byte, &cursor_normal) <= 0) {
        return RULE_NOMATCH;
    }
    // content:"|00 00|", offset -10, depth 2, relative;
    if (contentMatch(p, rule3052options[9]->option_u.content, &cursor_normal) <= 0) {
        return RULE_NOMATCH;
    }

    return RULE_MATCH;
}
336
337