Detect dynamic register keywords 4683 v4

configure.ac

@@ -324,6 +324,17 @@
         CFLAGS="$CFLAGS -std=gnu99"
     fi
 
+    # check if our target supports -Wl,--start-group
+    AC_MSG_CHECKING(for -Wl,--start-group support)
+    OLDFLAGS=$LDFLAGS
+    LDFLAGS="-Wl,--start-group,--end-group"
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],[
+            have_linker_group_support=yes
+            AC_MSG_RESULT(yes)],
+            [AC_MSG_RESULT(no)])
+    LDFLAGS=$OLDFLAGS
+    AM_CONDITIONAL([LINKER_SUPPORTS_GROUP], [test "x$have_linker_group_support" = "xyes"])
+
     # check if our target supports thread local storage
     AC_MSG_CHECKING(for thread local storage gnu __thread support)
     AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <stdlib.h>]],
@@ -1419,7 +1430,7 @@
             exit 1
         fi
         CFLAGS="${CFLAGS} `pkg-config --cflags libdpdk`"
-        LIBS="${LIBS} -Wl,-R,`pkg-config --libs-only-L libdpdk | cut -c 3-` -lnuma `pkg-config --libs libdpdk`"
+        LIBS="${LIBS} -lnuma `pkg-config --libs libdpdk`"
 
         if test ! -z "$(ldconfig -p | grep librte_net_bond)"; then
             AC_DEFINE([HAVE_DPDK_BOND],[1],(DPDK Bond PMD support enabled))

doc/userguide/rules/snmp-keywords.rst

@@ -6,6 +6,8 @@ snmp.version
 
 SNMP protocol version (integer). Expected values are 1, 2 (for version 2c) or 3.
 
+snmp.version uses an, :ref:` unsigned 32-bits integer <rules-integer-keywords>`.
+
 Syntax::
 
  snmp.version:[op]<number>
@@ -69,6 +71,8 @@ snmp.pdu_type
 
 SNMP PDU type (integer).
 
+snmp.pdu_type uses an, :ref:` unsigned 32-bits integer <rules-integer-keywords>`.
+
 Common values are:
 
  - 0: GetRequest

examples/lib/simple/Makefile.am

@@ -5,7 +5,7 @@ simple_SOURCES = main.c
 AM_CPPFLAGS = -I$(top_srcdir)/src
 
 simple_LDFLAGS = $(all_libraries) $(SECLDFLAGS)
-simple_LDADD = $(top_builddir)/src/libsuricata_c.a ../../$(RUST_SURICATA_LIB) $(RUST_LDADD)
+simple_LDADD = "-Wl,--start-group,$(top_builddir)/src/libsuricata_c.a,../../$(RUST_SURICATA_LIB),--end-group" $(RUST_LDADD)
 if HTP_LDADD
 simple_LDADD += ../../$(HTP_LDADD)
 endif

rust/cbindgen.toml

@@ -82,6 +82,7 @@ include = [
     "QuicState",
     "QuicTransaction",
     "FtpEvent",
+    "SCSigTableElmt",
 ]
 
 # A list of items to not include in the generated bindings

rust/src/applayer.rs

@@ -58,6 +58,9 @@ impl StreamSlice {
         self.input_len
     }
     pub fn as_slice(&self) -> &[u8] {
+        if self.input.is_null() && self.input_len == 0 {
+            return &[];
+        }
         unsafe { std::slice::from_raw_parts(self.input, self.input_len as usize) }
     }
     pub fn is_empty(&self) -> bool {

rust/src/detect/mod.rs

@@ -27,6 +27,9 @@ pub mod uri;
 pub mod requires;
 pub mod tojson;
 
+use crate::core::AppProto;
+use std::os::raw::{c_int, c_void};
+
 /// EnumString trait that will be implemented on enums that
 /// derive StringEnum.
 pub trait EnumString<T> {
@@ -43,6 +46,64 @@ pub trait EnumString<T> {
     fn from_str(s: &str) -> Option<Self> where Self: Sized;
 }
 
+#[repr(C)]
+#[allow(non_snake_case)]
+pub struct SCSigTableElmt {
+    pub name: *const libc::c_char,
+    pub desc: *const libc::c_char,
+    pub url: *const libc::c_char,
+    pub flags: u16,
+    pub Setup: unsafe extern "C" fn(
+        de: *mut c_void,
+        s: *mut c_void,
+        raw: *const std::os::raw::c_char,
+    ) -> c_int,
+    pub Free: Option<unsafe extern "C" fn(de: *mut c_void, ptr: *mut c_void)>,
+    pub AppLayerTxMatch: Option<
+        unsafe extern "C" fn(
+            de: *mut c_void,
+            f: *mut c_void,
+            flags: u8,
+            state: *mut c_void,
+            tx: *mut c_void,
+            sig: *const c_void,
+            ctx: *const c_void,
+        ) -> c_int,
+    >,
+}
+
+pub(crate) const SIGMATCH_NOOPT: u16 = 1; // BIT_U16(0) in detect.h
+pub(crate) const SIGMATCH_INFO_STICKY_BUFFER: u16 = 0x200; // BIT_U16(9)
+
+extern {
+    pub fn DetectBufferSetActiveList(de: *mut c_void, s: *mut c_void, bufid: c_int) -> c_int;
+    pub fn DetectHelperGetData(
+        de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
+        tx: *const c_void, list_id: c_int,
+        get_buf: unsafe extern "C" fn(*const c_void, u8, *mut *const u8, *mut u32) -> bool,
+    ) -> *mut c_void;
+    pub fn DetectHelperBufferMpmRegister(
+        name: *const libc::c_char, desc: *const libc::c_char, alproto: AppProto, toclient: bool,
+        toserver: bool,
+        get_data: unsafe extern "C" fn(
+            *mut c_void,
+            *const c_void,
+            *const c_void,
+            u8,
+            *const c_void,
+            i32,
+        ) -> *mut c_void,
+    ) -> c_int;
+    pub fn DetectHelperKeywordRegister(kw: *const SCSigTableElmt) -> c_int;
+    pub fn DetectHelperBufferRegister(
+        name: *const libc::c_char, alproto: AppProto, toclient: bool, toserver: bool,
+    ) -> c_int;
+    pub fn DetectSignatureSetAppProto(s: *mut c_void, alproto: AppProto) -> c_int;
+    pub fn SigMatchAppendSMToList(
+        de: *mut c_void, s: *mut c_void, kwid: c_int, ctx: *const c_void, bufid: c_int,
+    ) -> *mut c_void;
+}
+
 #[cfg(test)]
 mod test {
     use super::*;

rust/src/detect/uint.rs

@@ -398,9 +398,9 @@ pub unsafe extern "C" fn rs_detect_u64_match(
 }
 
 #[no_mangle]
-pub unsafe extern "C" fn rs_detect_u64_free(ctx: *mut std::os::raw::c_void) {
+pub unsafe extern "C" fn rs_detect_u64_free(ctx: &mut DetectUintData<u64>) {
     // Just unbox...
-    std::mem::drop(Box::from_raw(ctx as *mut DetectUintData<u64>));
+    std::mem::drop(Box::from_raw(ctx));
 }
 
 #[no_mangle]

rust/src/dhcp/detect.rs

@@ -16,51 +16,208 @@
  */
 
 use super::dhcp::{
-    DHCPTransaction, DHCP_OPT_ADDRESS_TIME, DHCP_OPT_REBINDING_TIME, DHCP_OPT_RENEWAL_TIME,
+    DHCPTransaction, ALPROTO_DHCP, DHCP_OPT_ADDRESS_TIME, DHCP_OPT_REBINDING_TIME,
+    DHCP_OPT_RENEWAL_TIME,
 };
 use super::parser::DHCPOptionWrapper;
+use crate::detect::uint::{
+    rs_detect_u64_free, rs_detect_u64_match, rs_detect_u64_parse, DetectUintData,
+};
+use crate::detect::{
+    DetectHelperBufferRegister, DetectHelperKeywordRegister, DetectSignatureSetAppProto,
+    SCSigTableElmt, SigMatchAppendSMToList,
+};
+use std::os::raw::{c_int, c_void};
 
-#[no_mangle]
-pub unsafe extern "C" fn rs_dhcp_tx_get_leasetime(
-    tx: &mut DHCPTransaction, leasetime: *mut u64,
-) -> u8 {
+fn rs_dhcp_tx_get_time(tx: &DHCPTransaction, code: u8) -> Option<u64> {
     for option in &tx.message.options {
-        if option.code == DHCP_OPT_ADDRESS_TIME {
+        if option.code == code {
             if let DHCPOptionWrapper::TimeValue(ref time_value) = option.option {
-                *leasetime = time_value.seconds as u64;
-                return 1;
+                return Some(time_value.seconds as u64);
             }
         }
     }
+    return None;
+}
+
+static mut G_DHCP_LEASE_TIME_KW_ID: c_int = 0;
+static mut G_DHCP_LEASE_TIME_BUFFER_ID: c_int = 0;
+static mut G_DHCP_REBINDING_TIME_KW_ID: c_int = 0;
+static mut G_DHCP_REBINDING_TIME_BUFFER_ID: c_int = 0;
+static mut G_DHCP_RENEWAL_TIME_KW_ID: c_int = 0;
+static mut G_DHCP_RENEWAL_TIME_BUFFER_ID: c_int = 0;
+
+unsafe extern "C" fn dhcp_detect_leasetime_setup(
+    de: *mut c_void, s: *mut c_void, raw: *const libc::c_char,
+) -> c_int {
+    if DetectSignatureSetAppProto(s, ALPROTO_DHCP) != 0 {
+        return -1;
+    }
+    let ctx = rs_detect_u64_parse(raw) as *mut c_void;
+    if ctx.is_null() {
+        return -1;
+    }
+    if SigMatchAppendSMToList(
+        de,
+        s,
+        G_DHCP_LEASE_TIME_KW_ID,
+        ctx,
+        G_DHCP_LEASE_TIME_BUFFER_ID,
+    )
+    .is_null()
+    {
+        dhcp_detect_time_free(std::ptr::null_mut(), ctx);
+        return -1;
+    }
     return 0;
 }
 
-#[no_mangle]
-pub unsafe extern "C" fn rs_dhcp_tx_get_rebinding_time(
-    tx: &mut DHCPTransaction, res: *mut u64,
-) -> u8 {
-    for option in &tx.message.options {
-        if option.code == DHCP_OPT_REBINDING_TIME {
-            if let DHCPOptionWrapper::TimeValue(ref time_value) = option.option {
-                *res = time_value.seconds as u64;
-                return 1;
-            }
-        }
+unsafe extern "C" fn dhcp_detect_leasetime_match(
+    _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void,
+    _sig: *const c_void, ctx: *const c_void,
+) -> c_int {
+    let tx = cast_pointer!(tx, DHCPTransaction);
+    let ctx = cast_pointer!(ctx, DetectUintData<u64>);
+    if let Some(val) = rs_dhcp_tx_get_time(tx, DHCP_OPT_ADDRESS_TIME) {
+        return rs_detect_u64_match(val, ctx);
     }
     return 0;
 }
 
-#[no_mangle]
-pub unsafe extern "C" fn rs_dhcp_tx_get_renewal_time(
-    tx: &mut DHCPTransaction, res: *mut u64,
-) -> u8 {
-    for option in &tx.message.options {
-        if option.code == DHCP_OPT_RENEWAL_TIME {
-            if let DHCPOptionWrapper::TimeValue(ref time_value) = option.option {
-                *res = time_value.seconds as u64;
-                return 1;
-            }
-        }
+unsafe extern "C" fn dhcp_detect_time_free(_de: *mut c_void, ctx: *mut c_void) {
+    // Just unbox...
+    let ctx = cast_pointer!(ctx, DetectUintData<u64>);
+    rs_detect_u64_free(ctx);
+}
+
+unsafe extern "C" fn dhcp_detect_rebindingtime_setup(
+    de: *mut c_void, s: *mut c_void, raw: *const libc::c_char,
+) -> c_int {
+    if DetectSignatureSetAppProto(s, ALPROTO_DHCP) != 0 {
+        return -1;
+    }
+    let ctx = rs_detect_u64_parse(raw) as *mut c_void;
+    if ctx.is_null() {
+        return -1;
+    }
+    if SigMatchAppendSMToList(
+        de,
+        s,
+        G_DHCP_REBINDING_TIME_KW_ID,
+        ctx,
+        G_DHCP_REBINDING_TIME_BUFFER_ID,
+    )
+    .is_null()
+    {
+        dhcp_detect_time_free(std::ptr::null_mut(), ctx);
+        return -1;
+    }
+    return 0;
+}
+
+unsafe extern "C" fn dhcp_detect_rebindingtime_match(
+    _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void,
+    _sig: *const c_void, ctx: *const c_void,
+) -> c_int {
+    let tx = cast_pointer!(tx, DHCPTransaction);
+    let ctx = cast_pointer!(ctx, DetectUintData<u64>);
+    if let Some(val) = rs_dhcp_tx_get_time(tx, DHCP_OPT_REBINDING_TIME) {
+        return rs_detect_u64_match(val, ctx);
+    }
+    return 0;
+}
+
+unsafe extern "C" fn dhcp_detect_renewaltime_setup(
+    de: *mut c_void, s: *mut c_void, raw: *const libc::c_char,
+) -> c_int {
+    if DetectSignatureSetAppProto(s, ALPROTO_DHCP) != 0 {
+        return -1;
+    }
+    let ctx = rs_detect_u64_parse(raw) as *mut c_void;
+    if ctx.is_null() {
+        return -1;
+    }
+    if SigMatchAppendSMToList(
+        de,
+        s,
+        G_DHCP_RENEWAL_TIME_KW_ID,
+        ctx,
+        G_DHCP_RENEWAL_TIME_BUFFER_ID,
+    )
+    .is_null()
+    {
+        dhcp_detect_time_free(std::ptr::null_mut(), ctx);
+        return -1;
     }
     return 0;
 }
+
+unsafe extern "C" fn dhcp_detect_renewaltime_match(
+    _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void,
+    _sig: *const c_void, ctx: *const c_void,
+) -> c_int {
+    let tx = cast_pointer!(tx, DHCPTransaction);
+    let ctx = cast_pointer!(ctx, DetectUintData<u64>);
+    if let Some(val) = rs_dhcp_tx_get_time(tx, DHCP_OPT_RENEWAL_TIME) {
+        return rs_detect_u64_match(val, ctx);
+    }
+    return 0;
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn ScDetectDHCPRegister() {
+    let kw = SCSigTableElmt {
+        name: b"dhcp.leasetime\0".as_ptr() as *const libc::c_char,
+        desc: b"match DHCP leasetime\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/dhcp-keywords.html#dhcp-leasetime\0".as_ptr() as *const libc::c_char,
+        AppLayerTxMatch: Some(dhcp_detect_leasetime_match),
+        Setup: dhcp_detect_leasetime_setup,
+        Free: Some(dhcp_detect_time_free),
+        flags: 0,
+    };
+    unsafe {
+        G_DHCP_LEASE_TIME_KW_ID = DetectHelperKeywordRegister(&kw);
+        G_DHCP_LEASE_TIME_BUFFER_ID = DetectHelperBufferRegister(
+            b"dhcp.leasetime\0".as_ptr() as *const libc::c_char,
+            ALPROTO_DHCP,
+            true,
+            true,
+        );
+    }
+    let kw = SCSigTableElmt {
+        name: b"dhcp.rebinding_time\0".as_ptr() as *const libc::c_char,
+        desc: b"match DHCP rebinding time\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/dhcp-keywords.html#dhcp-rebinding-time\0".as_ptr() as *const libc::c_char,
+        AppLayerTxMatch: Some(dhcp_detect_rebindingtime_match),
+        Setup: dhcp_detect_rebindingtime_setup,
+        Free: Some(dhcp_detect_time_free),
+        flags: 0,
+    };
+    unsafe {
+        G_DHCP_REBINDING_TIME_KW_ID = DetectHelperKeywordRegister(&kw);
+        G_DHCP_REBINDING_TIME_BUFFER_ID = DetectHelperBufferRegister(
+            b"dhcp.rebinding-time\0".as_ptr() as *const libc::c_char,
+            ALPROTO_DHCP,
+            true,
+            true,
+        );
+    }
+    let kw = SCSigTableElmt {
+        name: b"dhcp.renewal_time\0".as_ptr() as *const libc::c_char,
+        desc: b"match DHCP renewal time\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/dhcp-keywords.html#dhcp-renewal-time\0".as_ptr() as *const libc::c_char,
+        AppLayerTxMatch: Some(dhcp_detect_renewaltime_match),
+        Setup: dhcp_detect_renewaltime_setup,
+        Free: Some(dhcp_detect_time_free),
+        flags: 0,
+    };
+    unsafe {
+        G_DHCP_RENEWAL_TIME_KW_ID = DetectHelperKeywordRegister(&kw);
+        G_DHCP_RENEWAL_TIME_BUFFER_ID = DetectHelperBufferRegister(
+            b"dhcp.renewal-time\0".as_ptr() as *const libc::c_char,
+            ALPROTO_DHCP,
+            true,
+            true,
+        );
+    }
+}