suricata 8.0.5

Suricata Rust components
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97

/* Copyright (C) 2023 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

use nom7::bytes::streaming::take;
use nom7::combinator::cond;
use nom7::number::streaming::{be_u16, be_u32, be_u64, be_u8};
use nom7::IResult;
use suricata_derive::EnumStringU8;

#[derive(Clone, Debug, Default, EnumStringU8)]
#[repr(u8)]
pub enum WebSocketOpcode {
    #[default]
    Continuation = 0,
    Text = 1,
    Binary = 2,
    Close = 8,
    Ping = 9,
    Pong = 10,
}

#[derive(Clone, Debug, Default)]
pub struct WebSocketPdu {
    pub flags: u8,
    pub fin: bool,
    pub compress: bool,
    pub opcode: u8,
    pub mask: Option<u32>,
    pub payload: Vec<u8>,
    pub to_skip: u64,
}

// cf rfc6455#section-5.2
pub fn parse_message(i: &[u8], max_pl_size: u32) -> IResult<&[u8], WebSocketPdu> {
    let (i, flags_op) = be_u8(i)?;
    let fin = (flags_op & 0x80) != 0;
    let compress = (flags_op & 0x40) != 0;
    let flags = flags_op & 0xF0;
    let opcode = flags_op & 0xF;
    let (i, mask_plen) = be_u8(i)?;
    let mask_flag = (mask_plen & 0x80) != 0;
    let (i, payload_len) = match mask_plen & 0x7F {
        126 => {
            let (i, val) = be_u16(i)?;
            Ok((i, val.into()))
        }
        127 => be_u64(i),
        _ => Ok((i, (mask_plen & 0x7F).into())),
    }?;
    let (i, xormask) = cond(mask_flag, take(4usize))(i)?;
    let mask = if mask_flag {
        let (_, m) = be_u32(xormask.unwrap())?;
        Some(m)
    } else {
        None
    };
    // we limit payload_len to u32, so as to build on 32-bit system
    // where we cannot take(usize) with a u64
    let (to_skip, payload_len) = if payload_len < u64::from(max_pl_size) {
        (0, payload_len as u32)
    } else {
        (payload_len - (max_pl_size as u64), max_pl_size)
    };
    let (i, payload_raw) = take(payload_len)(i)?;
    let mut payload = payload_raw.to_vec();
    if let Some(xorkey) = xormask {
        for i in 0..payload.len() {
            payload[i] ^= xorkey[i % 4];
        }
    }
    Ok((
        i,
        WebSocketPdu {
            flags,
            fin,
            compress,
            opcode,
            mask,
            payload,
            to_skip,
        },
    ))
}