[Oisf-devel] [PATCH 1/3] Add support for 'set_mark' keyword
Eric Leblond
eric at regit.org
Mon Mar 7 10:59:51 UTC 2011
This patch introduces 'set_mark' which is new rules option. If a packet
matches a rule using set_mark in NFQ mode, it is marked with the mark/mask
specified in the option during the verdict.
It is thus possible to trigger different behaviour on the packet inside
Linux/Netfilter.
---
src/Makefile.am | 1 +
src/decode.h | 1 +
src/detect-mark.c | 312 +++++++++++++++++++++++++++++++++++++++++++++++++++++
src/detect-mark.h | 61 +++++++++++
src/detect.c | 3 +
src/detect.h | 7 ++
6 files changed, 385 insertions(+), 0 deletions(-)
create mode 100644 src/detect-mark.c
create mode 100644 src/detect-mark.h
diff --git a/src/Makefile.am b/src/Makefile.am
index dd0392e..66c1864 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -111,6 +111,7 @@ detect-flags.c detect-flags.h \
detect-fragbits.c detect-fragbits.h \
detect-fragoffset.c detect-fragoffset.h \
detect-gid.c detect-gid.h \
+detect-mark.c detect-mark.h \
detect-noalert.c detect-noalert.h \
detect-csum.c detect-csum.h \
detect-ttl.c detect-ttl.h \
diff --git a/src/decode.h b/src/decode.h
index 525065b..75ffaf9 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -805,6 +805,7 @@ void AddressDebugPrint(Address *);
#define PKT_HAS_FLOW 0x0080
#define PKT_PSEUDO_STREAM_END 0x0100 /**< Pseudo packet to end the stream */
#define PKT_STREAM_MODIFIED 0x0200 /**< Packet is modified by the stream engine, we need to recalc the csum and reinject/replace */
+#define PKT_MARK_MODIFIED 0x0400 /**< Packet mark is modified */
/** \brief return 1 if the packet is a pseudo packet */
#define PKT_IS_PSEUDOPKT(p) ((p)->flags & PKT_PSEUDO_STREAM_END)
diff --git a/src/detect-mark.c b/src/detect-mark.c
new file mode 100644
index 0000000..771faae
--- /dev/null
+++ b/src/detect-mark.c
@@ -0,0 +1,312 @@
+/* Copyright (C) 2011 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Eric Leblond <eric at regit.org>
+ *
+ * Implements the mark keyword. Based on detect-gid
+ * by Breno Silva <breno.silva at gmail.com>
+ */
+
+#include "suricata-common.h"
+#include "suricata.h"
+#include "decode.h"
+#include "detect.h"
+#include "flow-var.h"
+#include "decode-events.h"
+
+#include "detect-mark.h"
+#include "util-unittest.h"
+#include "util-debug.h"
+
+#define PARSE_REGEX "([0x]*[0-9a-f]+)/([0x]*[0-9a-f]+)"
+
+static pcre *parse_regex;
+static pcre_extra *parse_regex_study;
+
+static int DetectMarkSetup (DetectEngineCtx *, Signature *, char *);
+
+/**
+ * \brief Registration function for set_mark: keyword
+ */
+
+void DetectMarkRegister (void) {
+ sigmatch_table[DETECT_MARK].name = "set_mark";
+ sigmatch_table[DETECT_MARK].Match = NULL;
+ sigmatch_table[DETECT_MARK].Setup = DetectMarkSetup;
+ sigmatch_table[DETECT_MARK].Free = NULL;
+ sigmatch_table[DETECT_MARK].RegisterTests = MarkRegisterTests;
+
+ const char *eb;
+ int opts = 0;
+ int eo;
+
+ parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
+ if(parse_regex == NULL)
+ {
+ SCLogError(SC_ERR_PCRE_COMPILE, "pcre compile of \"%s\" failed at offset %" PRId32 ": %s", PARSE_REGEX, eo, eb);
+ goto error;
+ }
+
+ parse_regex_study = pcre_study(parse_regex, 0, &eb);
+ if(eb != NULL)
+ {
+ SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb);
+ goto error;
+ }
+
+error:
+ return;
+
+}
+
+#ifdef NFQ
+/**
+ * \internal
+ * \brief This function is used to parse mark options passed via mark: keyword
+ *
+ * \param rawstr Pointer to the user provided mark options
+ *
+ * \retval 0 on success
+ * \retval < 0 on failure
+ */
+static uint32_t DetectMarkParse (char *rawstr, DetectMarkData *nf_data)
+{
+ int ret = 0, res = 0;
+#define MAX_SUBSTRINGS 30
+ int ov[MAX_SUBSTRINGS];
+ const char *str_ptr = NULL;
+ char *ptr = NULL;
+ char *endptr = NULL;
+
+ ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
+ if (ret < 1) {
+ SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
+ return -1;
+ }
+
+ res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
+ return -1;
+ }
+
+ ptr = (char *)str_ptr;
+
+ if (ptr == NULL)
+ return -1;
+
+ errno = 0;
+ nf_data->mark = strtoul(ptr, &endptr, 0);
+ if (errno == ERANGE) {
+ SCLogError(SC_ERR_NUMERIC_VALUE_ERANGE, "Numeric value out of range");
+ SCFree(ptr);
+ return -1;
+ } /* If there is no numeric value in the given string then strtoull(), makes
+ endptr equals to ptr and return 0 as result */
+ else if (endptr == ptr && nf_data->mark == 0) {
+ SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "No numeric value");
+ SCFree(ptr);
+ return -1;
+ } else if (endptr == ptr) {
+ SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "Invalid numeric value");
+ SCFree(ptr);
+ return -1;
+ }
+
+ res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
+ return -1;
+ }
+
+ SCFree(ptr);
+ ptr = (char *)str_ptr;
+
+ if (ptr == NULL) {
+ nf_data->mask = 0xffff;
+ return 0;
+ }
+
+ errno = 0;
+ nf_data->mask = strtoul(ptr, &endptr, 0);
+ if (errno == ERANGE) {
+ SCLogError(SC_ERR_NUMERIC_VALUE_ERANGE, "Numeric value out of range");
+ SCFree(ptr);
+ return -1;
+ } /* If there is no numeric value in the given string then strtoull(), makes
+ endptr equals to ptr and return 0 as result */
+ else if (endptr == ptr && nf_data->mask == 0) {
+ SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "No numeric value");
+ SCFree(ptr);
+ return -1;
+ }
+ else if (endptr == ptr) {
+ SCLogError(SC_ERR_INVALID_NUMERIC_VALUE, "Invalid numeric value");
+ SCFree(ptr);
+ return -1;
+ }
+
+ SCLogDebug("Rule will set mark 0x%x with mask 0x%x", nf_data->mark, nf_data->mask);
+ SCFree(ptr);
+ return 0;
+}
+
+#endif /* NFQ */
+
+/**
+ * \internal
+ * \brief this function is used to add the parsed mark into the current signature
+ *
+ * \param de_ctx pointer to the Detection Engine Context
+ * \param s pointer to the Current Signature
+ * \param rawstr pointer to the user provided mark options
+ *
+ * \retval 0 on Success
+ * \retval -1 on Failure
+ */
+static int DetectMarkSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
+{
+#ifdef NFQ
+ int ret = DetectMarkParse(rawstr, &(s->nf_data));
+
+ if (ret < 0) {
+ return -1;
+ } else {
+ return 0;
+ }
+#else
+ return 0;
+#endif
+}
+
+int DetectMarkPacket(void *pp, void *ps)
+{
+#ifdef NFQ
+ Packet *p = (Packet *)pp;
+ Signature *s = (Signature *) ps;
+ if (s->nf_data.mask) {
+ p->nfq_v.mark = (s->nf_data.mark & s->nf_data.mask)
+ | (p->nfq_v.mark & ~(s->nf_data.mask));
+ p->flags |= PKT_MARK_MODIFIED;
+ }
+#endif
+ return 0;
+}
+
+/*
+ * ONLY TESTS BELOW THIS COMMENT
+ */
+
+#if defined UNITTESTS && defined NFQ
+/**
+ * \test MarkTestParse01 is a test for a valid mark value
+ *
+ * \retval 1 on succces
+ * \retval 0 on failure
+ */
+static int MarkTestParse01 (void) {
+
+ int ret = 0;
+ DetectMarkData data;
+
+ ret = DetectMarkParse("1/1", &data);
+
+ if (ret == 0) {
+ return 1;
+ }
+
+ return 0;
+}
+
+/**
+ * \test MarkTestParse02 is a test for an invalid mark value
+ *
+ * \retval 1 on succces
+ * \retval 0 on failure
+ */
+static int MarkTestParse02 (void) {
+
+ int ret = 0;
+ DetectMarkData data;
+
+ ret = DetectMarkParse("4", &data);
+
+ if (ret == 0) {
+ return 1;
+ }
+
+ return 0;
+}
+
+/**
+ * \test MarkTestParse03 is a test for a valid mark value
+ *
+ * \retval 1 on succces
+ * \retval 0 on failure
+ */
+static int MarkTestParse03 (void) {
+
+ int ret = 0;
+ DetectMarkData data;
+
+ ret = DetectMarkParse("0x10/0xff", &data);
+
+ if (ret == 0) {
+ return 1;
+ }
+
+ return 0;
+}
+
+/**
+ * \test MarkTestParse04 is a test for a invalid mark value
+ *
+ * \retval 1 on succces
+ * \retval 0 on failure
+ */
+static int MarkTestParse04 (void) {
+
+ int ret = 0;
+ DetectMarkData data;
+
+ ret = DetectMarkParse("0x1g/0xff", &data);
+
+ if (ret == 0) {
+ return 1;
+ }
+
+ return 0;
+}
+
+
+
+#endif /* UNITTESTS */
+
+/**
+ * \brief this function registers unit tests for Mark
+ */
+void MarkRegisterTests(void) {
+#if defined UNITTESTS && defined NFQ
+ UtRegisterTest("MarkTestParse01", MarkTestParse01, 1);
+ UtRegisterTest("MarkTestParse02", MarkTestParse02, 0);
+ UtRegisterTest("MarkTestParse03", MarkTestParse03, 1);
+ UtRegisterTest("MarkTestParse04", MarkTestParse04, 0);
+#endif /* UNITTESTS */
+}
diff --git a/src/detect-mark.h b/src/detect-mark.h
new file mode 100644
index 0000000..bb5417a
--- /dev/null
+++ b/src/detect-mark.h
@@ -0,0 +1,61 @@
+/* Copyright (C) 2007-2010 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Breno Silva <breno.silva at gmail.com>
+ *
+ * Implements the gid keyword
+ */
+
+#ifndef __DETECT_MARK_H__
+#define __DETECT_MARK_H__
+
+#include "decode.h"
+#include "detect.h"
+
+/**
+ * \struct DetectMarkData_
+ * DetectMarkData_ is used to store set_mark: input value
+ */
+
+/**
+ * \typedef DetectMarkData
+ * A typedef for DetectMarkData_
+ */
+
+typedef struct DetectMarkData_ {
+ uint32_t mark; /**< Rule mark */
+ uint32_t mask; /**< Rule mask */
+} DetectMarkData;
+
+/**
+ * Registration function for set_mark: keyword
+ */
+
+void DetectMarkRegister (void);
+
+int DetectMarkPacket(void *p, void *s);
+
+/**
+ * This function registers unit tests for Mark
+ */
+
+void MarkRegisterTests(void);
+
+#endif /*__DETECT_MARK_H__ */
diff --git a/src/detect.c b/src/detect.c
index 7ec0ef2..e163168 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1423,6 +1423,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
SCLogDebug("signature matched without sigmatches");
fmatch = 1;
+ DetectMarkPacket(p, s);
if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(det_ctx, s, p, alert_flags);
}
@@ -1448,6 +1449,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
}
}
rmatch = fmatch = 1;
+ DetectMarkPacket(p, s);
recursion_cnt++;
}
} else {
@@ -1476,6 +1478,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
/* only if the last matched as well, we have a hit */
if (sm == NULL) {
fmatch = 1;
+ DetectMarkPacket(p, s);
if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(det_ctx, s, p, alert_flags);
}
diff --git a/src/detect.h b/src/detect.h
index eadbf75..8a61bd4 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -40,6 +40,7 @@
#include "util-radix-tree.h"
#include "detect-threshold.h"
+#include "detect-mark.h"
//#include "detect-engine-tag.h"
#define COUNTER_DETECT_ALERTS 1
@@ -446,6 +447,11 @@ typedef struct Signature_ {
/** Reference */
DetectReference *references;
+#ifdef NFQ
+ /** Data for mark */
+ DetectMarkData nf_data;
+#endif
+
/* Be careful, this pointer is only valid while parsing the sig,
* to warn the user about any possible problem */
char *sig_str;
@@ -969,6 +975,7 @@ enum {
DETECT_FRAGBITS,
DETECT_FRAGOFFSET,
DETECT_GID,
+ DETECT_MARK,
DETECT_AL_TLS_VERSION,
DETECT_AL_HTTP_COOKIE,
--
1.7.4.1
More information about the Oisf-devel
mailing list