transform: luaxform transform script #12141

Closed
wants to merge 7 commits into from
4 changes: 2 additions & 2 deletions rust/src/detect/transforms/casechange.rs
Expand Up @@ -41,7 +41,7 @@ fn tolower_transform_do(input: &[u8], output: &mut [u8]) {
}

#[no_mangle]
unsafe extern "C" fn tolower_transform(buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn tolower_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
Expand Down Expand Up @@ -106,7 +106,7 @@ fn toupper_transform_do(input: &[u8], output: &mut [u8]) {
}

#[no_mangle]
unsafe extern "C" fn toupper_transform(buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn toupper_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
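Review bot: The new leading `_det: *mut c_void` parameter on `tolower_transform` and `toupper_transform` is undocumented, and both are `unsafe extern "C"` entry points with no `# Safety` section. A doc comment such as `/// # Safety` followed by `/// _det is the C detect thread context (unused here); buffer must point to a valid InspectionBuffer.` would record what the C caller has to uphold now that the argument order has changed; that `_det` is the thread context is inferred from the cast in detect-engine-helper.c. The same applies to the identical signature change in compress_whitespace.rs, dotprefix.rs, hash.rs, http_headers.rs, strip_whitespace.rs, urldecode.rs and xor.rs. The function bodies continue outside the hunks, so whether `buffer` itself is checked before `InspectionBufferPtr(buffer)` cannot be seen here.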
2 changes: 1 addition & 1 deletion rust/src/detect/transforms/compress_whitespace.rs
Expand Up @@ -56,7 +56,7 @@ fn compress_whitespace_transform_do(input: &[u8], output: &mut [u8]) -> u32 {
}

#[no_mangle]
unsafe extern "C" fn compress_whitespace_transform(buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn compress_whitespace_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
2 changes: 1 addition & 1 deletion rust/src/detect/transforms/dotprefix.rs
Expand Up @@ -39,7 +39,7 @@ fn dot_prefix_transform_do(input: &[u8], output: &mut [u8]) {
}

#[no_mangle]
unsafe extern "C" fn dot_prefix_transform(buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn dot_prefix_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
6 changes: 3 additions & 3 deletions rust/src/detect/transforms/hash.rs
Expand Up @@ -51,7 +51,7 @@ fn md5_transform_do(input: &[u8], output: &mut [u8]) {
}

#[no_mangle]
unsafe extern "C" fn md5_transform(buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn md5_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
Expand Down Expand Up @@ -107,7 +107,7 @@ fn sha1_transform_do(input: &[u8], output: &mut [u8]) {
}

#[no_mangle]
unsafe extern "C" fn sha1_transform(buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn sha1_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
Expand Down Expand Up @@ -163,7 +163,7 @@ fn sha256_transform_do(input: &[u8], output: &mut [u8]) {
}

#[no_mangle]
unsafe extern "C" fn sha256_transform(buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn sha256_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
4 changes: 2 additions & 2 deletions rust/src/detect/transforms/http_headers.rs
Expand Up @@ -54,7 +54,7 @@ fn header_lowertransform_do(input: &[u8], output: &mut [u8]) {
}

#[no_mangle]
unsafe extern "C" fn header_lowertransform(buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn header_lowertransform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
Expand Down Expand Up @@ -113,7 +113,7 @@ fn strip_pseudo_transform_do(input: &[u8], output: &mut [u8]) -> u32 {
}

#[no_mangle]
unsafe extern "C" fn strip_pseudo_transform(buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn strip_pseudo_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
2 changes: 1 addition & 1 deletion rust/src/detect/transforms/mod.rs
Expand Up @@ -37,7 +37,7 @@ pub struct SCTransformTableElmt {
pub flags: u16,
pub Setup: unsafe extern "C" fn(de: *mut c_void, s: *mut c_void, raw: *const c_char) -> c_int,
pub Free: Option<unsafe extern "C" fn(de: *mut c_void, ptr: *mut c_void)>,
pub Transform: unsafe extern "C" fn(inspect_buf: *mut c_void, options: *mut c_void),
pub Transform: unsafe extern "C" fn(det: *mut c_void, inspect_buf: *mut c_void, options: *mut c_void),
pub TransformValidate:
Option<unsafe extern "C" fn(content: *const u8, len: u16, context: *mut c_void) -> bool>,
}
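Review bot: The `Transform` field now takes three untyped `*mut c_void` arguments, so an implementation or caller that swaps `det` and `inspect_buf` still compiles on both sides of the FFI boundary. A field doc comment such as `/// det: C detect thread context; inspect_buf: the InspectionBuffer being transformed; options: the transform's own context pointer` would pin the order; the meaning of `det` is inferred from the cast in detect-engine-helper.c. Because the struct and field are `pub`, any transform registered from outside this tree with the old two-argument function would need the same update, which this page cannot show. The new line is also well past 100 columns, so rustfmt would wrap it if this file is format-checked.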
2 changes: 1 addition & 1 deletion rust/src/detect/transforms/strip_whitespace.rs
Expand Up @@ -46,7 +46,7 @@ fn strip_whitespace_transform_do(input: &[u8], output: &mut [u8]) -> u32 {
}

#[no_mangle]
unsafe extern "C" fn strip_whitespace_transform(buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn strip_whitespace_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
2 changes: 1 addition & 1 deletion rust/src/detect/transforms/urldecode.rs
Expand Up @@ -88,7 +88,7 @@ fn url_decode_transform_do(input: &[u8], output: &mut [u8]) -> u32 {
}

#[no_mangle]
unsafe extern "C" fn url_decode_transform(buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn url_decode_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
2 changes: 1 addition & 1 deletion rust/src/detect/transforms/xor.rs
Expand Up @@ -78,7 +78,7 @@ fn xor_transform_do(input: &[u8], output: &mut [u8], ctx: &DetectTransformXorDat
}

#[no_mangle]
unsafe extern "C" fn xor_transform(buffer: *mut c_void, ctx: *mut c_void) {
unsafe extern "C" fn xor_transform(_det: *mut c_void, buffer: *mut c_void, ctx: *mut c_void) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
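--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -306,6 +306,7 @@ noinst_HEADERS = \
 detect-tls-random.h \
 detect-tos.h \
 detect-transform-base64.h \
+detect-transform-luaxform.h \
 detect-transform-pcrexform.h \
 detect-ttl.h \
 detect-udphdr.h \
@@ -867,6 +868,7 @@ libsuricata_c_a_SOURCES = \
 detect-tls-random.c \
 detect-tos.c \
 detect-transform-base64.c \
+detect-transform-luaxform.c \
 detect-transform-pcrexform.c \
 detect-ttl.c \
 detect-udphdr.c \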
4 changes: 2 additions & 2 deletions src/detect-dce-stub-data.c
Expand Up @@ -80,7 +80,7 @@ static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
SCLogDebug("have data!");

InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
InspectionBufferApplyTransforms(buffer, transforms);
InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
}
return buffer;
}
Expand All @@ -106,7 +106,7 @@ static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
}
InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
InspectionBufferApplyTransforms(buffer, transforms);
InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
}
return buffer;
}
2 changes: 1 addition & 1 deletion src/detect-dnp3.c
Expand Up @@ -167,7 +167,7 @@ static InspectionBuffer *GetDNP3Data(DetectEngineThreadCtx *det_ctx,

SCLogDebug("tx %p data %p data_len %u", tx, tx->buffer, tx->buffer_len);
InspectionBufferSetup(det_ctx, list_id, buffer, tx->buffer, tx->buffer_len);
InspectionBufferApplyTransforms(buffer, transforms);
InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
}
return buffer;
}
2 changes: 1 addition & 1 deletion src/detect-dns-answer-name.c
Expand Up @@ -64,7 +64,7 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(buffer, transforms, data, data_len);
InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
}
2 changes: 1 addition & 1 deletion src/detect-dns-query-name.c
Expand Up @@ -64,7 +64,7 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(buffer, transforms, data, data_len);
InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
}
2 changes: 1 addition & 1 deletion src/detect-dns-query.c
Expand Up @@ -85,7 +85,7 @@ static InspectionBuffer *DnsQueryGetData(DetectEngineThreadCtx *det_ctx,
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(buffer, transforms, data, data_len);
InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;

SCReturnPtr(buffer, "InspectionBuffer");
16 changes: 8 additions & 8 deletions src/detect-engine-frame.c
Expand Up @@ -67,8 +67,8 @@ static bool SetupStreamCallbackData(struct FrameStreamData *dst, const TcpSessio

static bool BufferSetup(struct FrameStreamData *fsd, InspectionBuffer *buffer, const uint8_t *input,
const uint32_t input_len, const uint64_t input_offset);
static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const Packet *p,
const DetectEngineTransforms *transforms);
static void BufferSetupUdp(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer,
const Frame *frame, const Packet *p, const DetectEngineTransforms *transforms);

void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p,
const Frames *frames, const Frame *frame, const AppProto alproto)
Expand Down Expand Up @@ -159,7 +159,7 @@ static void PrefilterMpmFrame(DetectEngineThreadCtx *det_ctx, const void *pectx,
if (frame->offset >= p->payload_len)
return;

BufferSetupUdp(buffer, frame, p, ctx->transforms);
BufferSetupUdp(det_ctx, buffer, frame, p, ctx->transforms);
const uint32_t data_len = buffer->inspect_len;
const uint8_t *data = buffer->inspect;

Expand Down Expand Up @@ -251,8 +251,8 @@ bool DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, c
return false;
}

static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const Packet *p,
const DetectEngineTransforms *transforms)
static void BufferSetupUdp(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer,
const Frame *frame, const Packet *p, const DetectEngineTransforms *transforms)
{
uint8_t ci_flags = DETECT_CI_FLAGS_START;
uint32_t frame_len;
Expand All @@ -275,7 +275,7 @@ static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const P
AppLayerParserGetFrameNameById(p->flow->proto, p->flow->alproto, frame->type),
frame->offset, frame->type, frame->len);

InspectionBufferSetupMulti(buffer, transforms, data, data_len);
InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
buffer->inspect_offset = 0;
buffer->flags = ci_flags;
}
Expand All @@ -301,7 +301,7 @@ static int DetectFrameInspectUdp(DetectEngineThreadCtx *det_ctx,
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;

if (!buffer->initialized)
BufferSetupUdp(buffer, frame, p, transforms);
BufferSetupUdp(det_ctx, buffer, frame, p, transforms);
DEBUG_VALIDATE_BUG_ON(!buffer->initialized);
if (buffer->inspect == NULL)
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
Expand Down Expand Up @@ -387,7 +387,7 @@ static bool BufferSetup(struct FrameStreamData *fsd, InspectionBuffer *buffer, c
}
// PrintRawDataFp(stdout, data, data_len);
SCLogDebug("fsd->transforms %p", fsd->transforms);
InspectionBufferSetupMulti(buffer, fsd->transforms, data, data_len);
InspectionBufferSetupMulti(fsd->det_ctx, buffer, fsd->transforms, data, data_len);
SCLogDebug("inspect_offset %" PRIu64, fo_inspect_offset);
buffer->inspect_offset = fo_inspect_offset;
buffer->flags = ci_flags;
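Review bot: In `BufferSetup` the thread context is taken from `fsd->det_ctx` rather than from a parameter as at the other call sites in this file, and nothing in the hunk shows that field being populated. If `SetupStreamCallbackData` can leave it NULL, a transform that dereferences its first argument would fault on this path; a guard such as `DEBUG_VALIDATE_BUG_ON(fsd->det_ctx == NULL);` before the `InspectionBufferSetupMulti` call would make the assumption explicit. `BufferSetup` starts and ends outside the hunk, so an existing check may simply not be visible here.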
9 changes: 5 additions & 4 deletions src/detect-engine-helper.c
Expand Up @@ -57,7 +57,7 @@ InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx,
return NULL;

InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
InspectionBufferApplyTransforms(buffer, transforms);
InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
Contributor


Would you not want to generalize usage of DetectHelperGetData so that changing the prototype of InspectionBufferApplyTransforms affects fewer files?

Contributor Author


That's a good suggestion, but it will affect many source modules.

Can we consider that an optimization to follow this PR?

Contributor


This PR affects many source modules :-p

It would affect less and be more focused if this code factorization happened first ;-)

}
return buffer;
}
Expand Down Expand Up @@ -137,8 +137,9 @@ int DetectHelperTransformRegister(const SCTransformTableElmt *kw)
sigmatch_table[DETECT_TBLSIZE_IDX].desc = kw->desc;
sigmatch_table[DETECT_TBLSIZE_IDX].url = kw->url;
sigmatch_table[DETECT_TBLSIZE_IDX].flags = kw->flags;
sigmatch_table[DETECT_TBLSIZE_IDX].Transform =
(void (*)(InspectionBuffer * buffer, void *options)) kw->Transform;
sigmatch_table[DETECT_TBLSIZE_IDX].Transform = (void (*)(
struct DetectEngineThreadCtx_ * det_ctx, InspectionBuffer * buffer, void *options))
kw->Transform;
sigmatch_table[DETECT_TBLSIZE_IDX].TransformValidate = (bool (*)(
const uint8_t *content, uint16_t content_len, void *context))kw->TransformValidate;
sigmatch_table[DETECT_TBLSIZE_IDX].Setup =
Expand Down Expand Up @@ -167,7 +168,7 @@ InspectionBuffer *DetectHelperGetMultiData(struct DetectEngineThreadCtx_ *det_ct
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(buffer, transforms, data, data_len);
InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
}
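Review bot: The assignment in `DetectHelperTransformRegister` keeps an explicit function-pointer cast on `kw->Transform`, so the compiler cannot flag a registrant that still supplies the old two-argument callback. Such a callback would receive `det_ctx` in the position it reads as the buffer. If the C declaration of `SCTransformTableElmt.Transform` can be given the same prototype as `sigmatch_table[].Transform`, the line becomes `sigmatch_table[DETECT_TBLSIZE_IDX].Transform = kw->Transform;` and a mismatch fails at build time. The C declaration of that struct is not on this page, so the header may need changing first; the function also continues outside the hunk.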
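--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@@ -217,6 +217,7 @@
 
 #include "detect-transform-pcrexform.h"
 #include "detect-transform-base64.h"
+#include "detect-transform-luaxform.h"
 
 #include "util-rule-vars.h"
 
@@ -674,6 +675,7 @@ void SigTableSetup(void)
 DetectTransformToUpperRegister();
 DetectTransformHeaderLowercaseRegister();
 DetectTransformFromBase64DecodeRegister();
+DetectTransformLuaxformRegister();
 
 DetectFileHandlerRegister();
 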
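--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -315,6 +315,7 @@ enum DetectKeywordId {
 DETECT_TRANSFORM_TOUPPER,
 DETECT_TRANSFORM_HEADER_LOWERCASE,
 DETECT_TRANSFORM_FROM_BASE64,
+DETECT_TRANSFORM_LUAXFORM,
 
 DETECT_AL_IKE_EXCH_TYPE,
 DETECT_AL_IKE_SPI_INITIATOR,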