1 /*
2  * VRT RULES
3  *
4  * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
5  * Copyright (C) 2005-2013 Sourcefire, Inc.
6  *
7  * This file is autogenerated via rules2c, by Brian Caswell <bmc@sourcefire.com>
8  */
9 
10 
11 #ifdef HAVE_CONFIG_H
12 #include "config.h"
13 #endif
14 
15 #include "pcre.h"
16 #include "sf_snort_plugin_api.h"
17 #include "sf_snort_packet.h"
18 
19 
20 /* declare detection functions */
/* Hand-written evaluator for sid 1902 (defined at the bottom of this
 * file). Note that rule1902.evalFunc below is NULL, so the engine's
 * built-in option walker is what actually runs; this is the equivalent
 * explicit version. Returns RULE_MATCH / RULE_NOMATCH. */
int rule1902eval(void *p);
22 
23 /* declare rule data structures */
24 /* precompile the stuff that needs pre-compiled */
25 /* flow:established, to_server; */
/* Restrict inspection to client-to-server traffic on an established TCP
 * session (the "flow:established, to_server" of the rule text above);
 * the command being looked for is sent by the IMAP client. */
static FlowFlags rule1902flow0 =
{
    FLOW_ESTABLISHED|FLOW_TO_SERVER
};
30 
/* Option 0: the flow constraint, wrapping rule1902flow0. It is the first
 * entry of rule1902options and the first check in rule1902eval (checkFlow). */
static RuleOption rule1902option0 =
{
    OPTION_TYPE_FLOWFLAGS,
    { &rule1902flow0 }
};
36 // content:"LSUB", nocase;
// content:"LSUB", nocase;
/* Cheap case-insensitive literal match that gates the pcre below. depth
 * and offset are both 0, which in Snort content semantics means the whole
 * normalized buffer (CONTENT_BUF_NORMALIZED) is searched — confirm against
 * the ContentInfo definition in sf_snort_plugin_api.h before relying on it.
 * The XXX on the flags line is the generator's own note that no
 * fast-pattern flag is emitted for this content. */
static ContentInfo rule1902content1 =
{
    (u_int8_t *)"LSUB", /* pattern (now in snort content format) */
    0, /* depth */
    0, /* offset */
    CONTENT_NOCASE|CONTENT_BUF_NORMALIZED, /* flags */ // XXX - need to add CONTENT_FAST_PATTERN support
    NULL, /* holder for boyer/moore PTR */
    NULL, /* more holder info - byteform */
    0, /* byteform length */
    0, /* increment length */
    0,                      /* holder for fp offset */
    0,                      /* holder for fp length */
    0,                      /* holder for fp only */
    NULL, // offset_refId
    NULL, // depth_refId
    NULL, // offset_location
    NULL  // depth_location
};
55 
/* Option 1: the "LSUB" content match, wrapping rule1902content1. Second
 * entry of rule1902options; rule1902eval evaluates it via contentMatch,
 * which also seeds the shared cursor used by the later options. */
static RuleOption rule1902option1 =
{
    OPTION_TYPE_CONTENT,
    { &rule1902content1 }
};
61 // pcre:"\sLSUB\s[^\n]*?\s\{", dotall, multiline, nocase;
// pcre:"\sLSUB\s[^\n]*?\s\{", dotall, multiline, nocase;
/* Confirms that the "LSUB" hit is a real command token (whitespace on both
 * sides) followed, on the same line, by whitespace and the '{' that opens
 * an IMAP literal (the literal's decimal size follows the brace). The lazy
 * [^\n]*? keeps the match on one line; CASELESS/DOTALL/MULTILINE mirror
 * the rule's nocase/dotall/multiline flags. The cursor this match leaves
 * behind is what the following byte_test reads from (see rule1902eval). */
static PCREInfo rule1902pcre2 =
{
    "\\sLSUB\\s[^\\n]*?\\s\\{", /* pattern */
    NULL,                               /* holder for compiled pattern */
    NULL,                               /* holder for compiled pattern flags */
    PCRE_CASELESS|PCRE_DOTALL|PCRE_MULTILINE,     /* compile flags */
    CONTENT_BUF_NORMALIZED,     /* content flags */
    0 /* offset */
};
71 
/* Option 2: the pcre check, wrapping rule1902pcre2. Third entry of
 * rule1902options; evaluated in rule1902eval via pcreMatch with the
 * cursor passed by reference so the byte_test can be relative to it. */
static RuleOption rule1902option2 =
{
    OPTION_TYPE_PCRE,
    { &rule1902pcre2 }
};
77 /* byte_test:size 5, value 256, operator >, relative, representation dec; */
/* byte_test:size 5, value 256, operator >, relative, representation dec; */
/* Reads up to 5 ASCII decimal characters (EXTRACT_AS_STRING|EXTRACT_AS_DEC)
 * relative to the cursor left by the pcre match — presumably just past the
 * literal's opening '{' — and alerts (CHECK_GT) when that number exceeds
 * 256. Only the *declared* literal size is checked, never the bytes the
 * client actually sends afterwards.
 * NOTE(review): a size written with leading zeros (e.g. "{000300}") reads
 * as 30 inside the 5-character window and would not alert; whether IMAP
 * servers accept that spelling is server-specific. The 256 threshold is a
 * heuristic, so long legitimate LSUB arguments sent as literals will also
 * trip it — check against real traffic before tuning.
 * NOTE(review): the comments on the last five slots look copy-pasted (two
 * "offset", two "offset_location"); verify them against the ByteData
 * definition in sf_snort_plugin_api.h before editing these values. */
static ByteData rule1902byte_test3 =
{
    5, /* size */
    CHECK_GT, /* operator */
    256, /* value */
    0, /* offset */
    0, /*multiplier */
    BYTE_BIG_ENDIAN|CONTENT_RELATIVE|CONTENT_BUF_NORMALIZED|EXTRACT_AS_DEC|EXTRACT_AS_STRING, /* flags */
    0, /* offset */
    NULL, // offset_location
    NULL, // value_location
    NULL, // offset_location
    NULL  // value_location
};
92 
/* Option 3: the relative byte_test on the literal size, wrapping
 * rule1902byte_test3. Last entry of rule1902options and the final check
 * in rule1902eval (byteTest) before RULE_MATCH. */
static RuleOption rule1902option3 =
{
    OPTION_TYPE_BYTE_TEST,
    { &rule1902byte_test3 }
};
98 
99 /* references for sid 1902 */
100 /* reference: bugtraq "1110"; */
/* reference: bugtraq "1110"; */
/* Bugtraq ID for the IMAP LSUB overflow this rule targets. */
static RuleReference rule1902ref1 =
{
    "bugtraq", /* type */
    "1110" /* value */
};
106 
107 /* reference: cve "2000-0284"; */
/* reference: cve "2000-0284"; */
/* CVE identifier for the same IMAP LSUB overflow. */
static RuleReference rule1902ref2 =
{
    "cve", /* type */
    "2000-0284" /* value */
};
113 
114 /* reference: nessus "10374"; */
/* reference: nessus "10374"; */
/* Nessus plugin ID that checks for the same vulnerability. */
static RuleReference rule1902ref3 =
{
    "nessus", /* type */
    "10374" /* value */
};
120 
/* NULL-terminated reference list attached to rule1902's metadata. */
static RuleReference *rule1902refs[] =
{
    &rule1902ref1,
    &rule1902ref2,
    &rule1902ref3,
    NULL
};
/* NULL-terminated option list for sid 1902. Order matters: the relative
 * byte_test (index 3) depends on the cursor left by the pcre (index 2),
 * and rule1902eval indexes this array by position (0..3). */
RuleOption *rule1902options[] =
{
    &rule1902option0,
    &rule1902option1,
    &rule1902option2,
    &rule1902option3,
    NULL
};
136 
/* sid 1902 rev 9 (gid 3): "IMAP lsub literal overflow attempt".
 * Header: tcp $EXTERNAL_NET any -> $HOME_NET 143 (IMAP's well-known port).
 * The options run in the order of rule1902options. evalFunc is NULL (see
 * the slot with the commented-out "&rule1902eval"), so the engine's
 * built-in option walker evaluates this rule rather than the hand-written
 * rule1902eval below. The trailing fields are engine bookkeeping filled in
 * at registration time. */
Rule rule1902 = {

   /* rule header, akin to => tcp $EXTERNAL_NET any -> $HOME_NET 143 */{
       IPPROTO_TCP, /* proto */
       "$EXTERNAL_NET", /* SRCIP     */
       "any", /* SRCPORT   */
       0, /* DIRECTION (0; presumably the one-way "->" form — confirm) */
       "$HOME_NET", /* DSTIP     */
       "143", /* DSTPORT   */
   },
   /* metadata */
   {
       3,  /* genid (HARDCODED!!!) */
       1902, /* sigid */
       9, /* revision */

       "misc-attack", /* classification */
       0,  /* hardcoded priority XXX NOT PROVIDED BY GRAMMAR YET! */
       "IMAP lsub literal overflow attempt",     /* message */
       rule1902refs, /* ptr to references */
       NULL /* Meta data */
   },
   rule1902options, /* ptr to rule options */
   NULL, // &rule1902eval, /* use the built in detection function */
   0, /* am I initialized yet? */
   0,                                  /* Rule option count, used internally */
   0,                                  /* Flag with no alert, used internally */
   NULL /* ptr to internal data... setup during rule registration */
};
166 
167 
168 /* detection functions */
int rule1902eval(void *p) {
    /*
     * Explicit evaluator for sid 1902: every option in rule1902options
     * must succeed, in order, or the rule does not match. A single cursor
     * into the normalized buffer is threaded through the content and pcre
     * checks so that the byte_test is evaluated relative to where the
     * pcre match ended. rule1902.evalFunc is NULL, so the engine's
     * built-in option walker is what normally runs; this function is the
     * hand-written equivalent and is not registered.
     *
     * p: the packet handed in by the engine (void *, as the API requires).
     * Returns RULE_MATCH when all four options pass, RULE_NOMATCH otherwise.
     */
    const u_int8_t *cursor_normal = 0;

    // flow:established, to_server;
    if (checkFlow(p, rule1902options[0]->option_u.flowFlags) <= 0) {
        return RULE_NOMATCH;
    }

    // content:"LSUB", nocase;  -- seeds cursor_normal
    if (contentMatch(p, rule1902options[1]->option_u.content, &cursor_normal) <= 0) {
        return RULE_NOMATCH;
    }

    // pcre:"\sLSUB\s[^\n]*?\s\{", dotall, multiline, nocase;  -- advances cursor_normal
    if (!pcreMatch(p, rule1902options[2]->option_u.pcre, &cursor_normal)) {
        return RULE_NOMATCH;
    }

    // byte_test:size 5, value 256, operator >, relative, representation dec;
    // Relative to the cursor left by the pcre match; only the declared
    // literal size is checked, not the bytes that follow it.
    if (byteTest(p, rule1902options[3]->option_u.byte, cursor_normal) <= 0) {
        return RULE_NOMATCH;
    }

    return RULE_MATCH;
}
190