1 /*
2 * VRT RULES
3 *
4 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
5 * Copyright (C) 2005-2013 Sourcefire, Inc.
6 *
7 * This file is autogenerated via rules2c, by Brian Caswell <bmc@sourcefire.com>
8 */
9
10
11 #ifdef HAVE_CONFIG_H
12 #include "config.h"
13 #endif
14
15 #include "pcre.h"
16 #include "sf_snort_plugin_api.h"
17 #include "sf_snort_packet.h"
18
19
/* declare detection functions */
/*
 * Hand-written detection callback for sid 1902 (IMAP LSUB literal
 * overflow attempt).  The Rule definition further down registers NULL
 * (built-in option evaluation) instead of this function, so the callback
 * is only exercised if that pointer is switched over to &rule1902eval.
 */
int rule1902eval(void *p);
22
23 /* declare rule data structures */
24 /* precompile the stuff that needs pre-compiled */
/* flow:established, to_server; */
/*
 * Flow constraint: only client->server (to_server) traffic belonging to an
 * established TCP session is evaluated.  This is the first check in the
 * option chain, so anything else is rejected before content inspection.
 */
static FlowFlags rule1902flow0 =
{
    FLOW_ESTABLISHED|FLOW_TO_SERVER
};

/* Option 0: the flow constraint, as an entry of rule1902options[]. */
static RuleOption rule1902option0 =
{
    OPTION_TYPE_FLOWFLAGS,
    { &rule1902flow0 }
};
// content:"LSUB", nocase;
/*
 * Content pre-filter: a case-insensitive search for the IMAP command
 * keyword "LSUB" in the normalized buffer.  It is a cheap gate for the
 * more expensive PCRE below and does not by itself indicate an attack.
 * depth/offset are both 0 here (no restriction, per the generator's
 * positional defaults); everything from the boyer/moore holder onward is
 * runtime state filled in by the engine, not rule data.
 */
static ContentInfo rule1902content1 =
{
    (u_int8_t *)"LSUB", /* pattern (now in snort content format) */
    0, /* depth */
    0, /* offset */
    CONTENT_NOCASE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
    NULL, /* holder for boyer/moore PTR */
    NULL, /* more holder info - byteform */
    0, /* byteform length */
    0, /* increment length */
    0, /* holder for fp offset */
    0, /* holder for fp length */
    0, /* holder for fp only */
    NULL, // offset_refId
    NULL, // depth_refId
    NULL, // offset_location
    NULL // depth_location
};

/* Option 1: the "LSUB" content match, as an entry of rule1902options[]. */
static RuleOption rule1902option1 =
{
    OPTION_TYPE_CONTENT,
    { &rule1902content1 }
};
// pcre:"\sLSUB\s[^\n]*?\s\{", dotall, multiline, nocase;
/*
 * Structural check: whitespace, the LSUB keyword, whitespace, then (lazily)
 * the rest of that line up to a whitespace-separated '{' -- i.e. an LSUB
 * command whose argument is sent as an IMAP literal "{<count>}".
 * Compiled caseless, dotall and multiline to match the rule options.
 * The match also moves the shared cursor forward, which the relative
 * byte_test that follows relies on to read the digits after the '{'.
 * The two NULL holders are filled with the compiled pattern at load time.
 */
static PCREInfo rule1902pcre2 =
{
    "\\sLSUB\\s[^\\n]*?\\s\\{", /* pattern */
    NULL, /* holder for compiled pattern */
    NULL, /* holder for compiled pattern flags */
    PCRE_CASELESS|PCRE_DOTALL|PCRE_MULTILINE, /* compile flags */
    CONTENT_BUF_NORMALIZED, /* content flags */
    0 /* offset */
};

/* Option 2: the LSUB-literal PCRE, as an entry of rule1902options[]. */
static RuleOption rule1902option2 =
{
    OPTION_TYPE_PCRE,
    { &rule1902pcre2 }
};
/* byte_test:size 5, value 256, operator >, relative, representation dec; */
/*
 * The actual overflow heuristic: starting at the cursor left by the PCRE
 * (relative), interpret up to 5 bytes as a decimal ASCII number
 * (EXTRACT_AS_STRING|EXTRACT_AS_DEC) and fire when it is greater than 256.
 * In other words, an LSUB literal announcing a payload larger than 256
 * bytes is treated as an overflow attempt; the threshold is a rule
 * constant, not derived from any protocol limit visible here.
 * BYTE_BIG_ENDIAN is set by the generator but has no effect on a string
 * extraction.
 *
 * NOTE(review): the generator labels two fields "offset" and repeats the
 * "offset_location"/"value_location" comments; by analogy with the
 * ContentInfo above the second pair is presumably the *_refId pair and the
 * second "offset" a post-jump offset -- confirm against the ByteData
 * definition in sf_snort_plugin_api.h before relying on these comments.
 */
static ByteData rule1902byte_test3 =
{
    5, /* size */
    CHECK_GT, /* operator */
    256, /* value */
    0, /* offset */
    0, /*multiplier */
    BYTE_BIG_ENDIAN|CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED|EXTRACT_AS_DEC|EXTRACT_AS_STRING, /* flags */
    0, /* offset */
    NULL, // offset_location
    NULL, // value_location
    NULL, // offset_location
    NULL // value_location
};

/* Option 3: the literal-size byte_test, as an entry of rule1902options[]. */
static RuleOption rule1902option3 =
{
    OPTION_TYPE_BYTE_TEST,
    { &rule1902byte_test3 }
};
98
/* references for sid 1902 */
/*
 * External references attached to the alert.  They identify the advisory
 * this signature was written against; nothing in the detection logic
 * depends on them.
 */
/* reference: bugtraq "1110"; */
static RuleReference rule1902ref1 =
{
    "bugtraq", /* type */
    "1110" /* value */
};

/* reference: cve "2000-0284"; */
static RuleReference rule1902ref2 =
{
    "cve", /* type */
    "2000-0284" /* value */
};

/* reference: nessus "10374"; */
static RuleReference rule1902ref3 =
{
    "nessus", /* type */
    "10374" /* value */
};

/* NULL-terminated list consumed via the Rule metadata below. */
static RuleReference *rule1902refs[] =
{
    &rule1902ref1,
    &rule1902ref2,
    &rule1902ref3,
    NULL
};
/*
 * Ordered, NULL-terminated option chain.  The order is load-bearing:
 * rule1902eval() indexes this array by position (0 = flow, 1 = content,
 * 2 = pcre, 3 = byte_test), and the byte_test is "relative" to the
 * cursor the pcre leaves behind, so entries must not be reordered.
 */
RuleOption *rule1902options[] =
{
    &rule1902option0,
    &rule1902option1,
    &rule1902option2,
    &rule1902option3,
    NULL
};
136
/*
 * Rule record for sid 1902, "IMAP lsub literal overflow attempt".
 * Header: TCP from $EXTERNAL_NET (any port) to $HOME_NET port 143, so only
 * plaintext IMAP toward protected hosts is inspected.  The detection
 * function pointer is NULL, i.e. the engine walks rule1902options[]
 * itself; rule1902eval() below is an equivalent hand-written alternative.
 * The trailing fields are engine-owned state initialized at registration.
 */
Rule rule1902 = {

    /* rule header, akin to => tcp any any -> any any */{
        IPPROTO_TCP, /* proto */
        "$EXTERNAL_NET", /* SRCIP */
        "any", /* SRCPORT */
        0, /* DIRECTION */
        "$HOME_NET", /* DSTIP */
        "143", /* DSTPORT */
    },
    /* metadata */
    {
        3, /* genid (HARDCODED!!!) */
        1902, /* sigid */
        9, /* revision */

        "misc-attack", /* classification */
        0, /* hardcoded priority XXX NOT PROVIDED BY GRAMMAR YET! */
        "IMAP lsub literal overflow attempt", /* message */
        rule1902refs, /* ptr to references */
        NULL /* Meta data */
    },
    rule1902options, /* ptr to rule options */
    NULL, // &rule1902eval, /* use the built in detection function */
    0, /* am I initialized yet? */
    0, /* Rule option count, used internally */
    0, /* Flag with no alert, used internally */
    NULL /* ptr to internal data... setup during rule registration */
};
166
167
168 /* detection functions */
/*
 * Detection callback for sid 1902.  Walks the same four options as
 * rule1902options[], in the same order, and short-circuits on the first
 * one that fails:
 *   0  flow        established session, client -> server only
 *   1  content     case-insensitive "LSUB" in the normalized buffer
 *   2  pcre        an LSUB command whose argument is an IMAP literal "{"
 *   3  byte_test   the decimal literal count after the "{" exceeds 256
 *
 * cursor_normal is threaded through steps 1-3 so that the byte_test reads
 * relative to where the PCRE stopped.
 *
 * @param p  the SFSnortPacket under inspection (opaque here)
 * @return RULE_MATCH when every option passes, otherwise RULE_NOMATCH
 */
int rule1902eval(void *p) {
    const u_int8_t *cursor_normal = 0;

    // flow:established, to_server;
    if (checkFlow(p, rule1902options[0]->option_u.flowFlags) <= 0) {
        return RULE_NOMATCH;
    }

    // content:"LSUB", nocase;
    if (contentMatch(p, rule1902options[1]->option_u.content, &cursor_normal) <= 0) {
        return RULE_NOMATCH;
    }

    // pcre:"\sLSUB\s[^\n]*?\s\{", dotall, multiline, nocase;
    if (!pcreMatch(p, rule1902options[2]->option_u.pcre, &cursor_normal)) {
        return RULE_NOMATCH;
    }

    // byte_test:size 5, value 256, operator >, relative, representation dec;
    if (byteTest(p, rule1902options[3]->option_u.byte, cursor_normal) <= 0) {
        return RULE_NOMATCH;
    }

    return RULE_MATCH;
}
190