aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4a02a14df1'
${ noResults }
suricata/src/detect-tls-cert-serial.c

237 lines
8.0 KiB
C
Raw Normal View History Unescape Escape

detect/cert: Use client side certs Issue: 5516 This commit modifies the detect logic to choose the certificate based on the flow direction -- to server or to client.
3 years ago
/* Copyright (C) 2017-2022 Open Information Security Foundation
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
* Implements support for tls.cert_serial keyword.
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
*/
#include "suricata-common.h"
#include "threads.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
#include "detect-engine-prefilter.h"
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
#include "detect-content.h"
#include "detect-pcre.h"
#include "flow.h"
#include "flow-util.h"
#include "flow-var.h"
#include "util-debug.h"
#include "util-spm.h"
#include "util-print.h"
#include "stream-tcp.h"
#include "app-layer.h"
#include "app-layer-ssl.h"
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
#include "detect-tls-cert-serial.h"
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
#include "util-unittest.h"
#include "util-unittest-helper.h"
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
static int DetectTlsSerialSetup(DetectEngineCtx *, Signature *, const char *);
detect-tls-cert-serial: move unittests to tests/
6 years ago
#ifdef UNITTESTS
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
static void DetectTlsSerialRegisterTests(void);
detect-tls-cert-serial: move unittests to tests/
6 years ago
#endif
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
detect-tls: remove confusing underscores from variables Remove confusing underscore prefix from variables in GetData() for all tls keywords.
6 years ago
Flow *f, const uint8_t flow_flags,
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
void *txv, const int list_id);
detect-tls-cert-serial: add setup callback to uppercase content Add setup callback that uppercase the content that follows 'tls_cert_serial'.
8 years ago
static void DetectTlsSerialSetupCallback(const DetectEngineCtx *de_ctx,
Signature *s);
general: Convert _Bool to bool This commit addresses task 3167 and changes usages of '_Bool` to `bool`. The latter is included from `suricata-common.h`
6 years ago
static bool DetectTlsSerialValidateCallback(const Signature *s,
detect-tls-cert-serial: add content validation callback Validate that the content that follows the 'tls_cert_serial' keyword is on the correct form. If it's longer than two bytes it should be separated by colons.
8 years ago
const char **sigerror);
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
static int g_tls_cert_serial_buffer_id = 0;
/**
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
* \brief Registration function for keyword: tls.cert_serial
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
*/
void DetectTlsSerialRegister(void)
{
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].name = "tls.cert_serial";
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].alias = "tls_cert_serial";
detect/tls: fix descriptions Most keywords were presented as content modifiers when they were in fact sticky buffers.
3 years ago
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].desc =
"sticky buffer to match the TLS cert serial buffer";
detect/keywords: dynamic version part of doc URL
5 years ago
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].url = "/rules/tls-keywords.html#tls-cert-serial";
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].Setup = DetectTlsSerialSetup;
detect-tls-cert-serial: move unittests to tests/
6 years ago
#ifdef UNITTESTS
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].RegisterTests = DetectTlsSerialRegisterTests;
detect-tls-cert-serial: move unittests to tests/
6 years ago
#endif
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_NOOPT;
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_INFO_STICKY_BUFFER;
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
DetectAppLayerInspectEngineRegister2("tls.cert_serial", ALPROTO_TLS,
detect: register progress in inspect engines Register required progress so we can stop inspecting as soon as the progress isn't far enough yet.
8 years ago
SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
DetectEngineInspectBufferGeneric, GetData);
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
DetectAppLayerMpmRegister2("tls.cert_serial", SIG_FLAG_TOCLIENT, 2,
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
TLS_STATE_CERT_READY);
detect/cert: Use client side certs Issue: 5516 This commit modifies the detect logic to choose the certificate based on the flow direction -- to server or to client.
3 years ago
DetectAppLayerInspectEngineRegister2("tls.cert_serial", ALPROTO_TLS, SIG_FLAG_TOSERVER,
TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData);
DetectAppLayerMpmRegister2("tls.cert_serial", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
GetData, ALPROTO_TLS, TLS_STATE_CERT_READY);
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
DetectBufferTypeSetDescriptionByName("tls.cert_serial",
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
"TLS certificate serial number");
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
DetectBufferTypeRegisterSetupCallback("tls.cert_serial",
detect-tls-cert-serial: add setup callback to uppercase content Add setup callback that uppercase the content that follows 'tls_cert_serial'.
8 years ago
DetectTlsSerialSetupCallback);
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
DetectBufferTypeRegisterValidateCallback("tls.cert_serial",
detect-tls-cert-serial: add content validation callback Validate that the content that follows the 'tls_cert_serial' keyword is on the correct form. If it's longer than two bytes it should be separated by colons.
8 years ago
DetectTlsSerialValidateCallback);
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
g_tls_cert_serial_buffer_id = DetectBufferTypeGetByName("tls.cert_serial");
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
}
/**
* \brief this function setup the tls_cert_serial modifier keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
* \param str Should hold an empty string always
*
detect-tls: check return values of functions on setup Check the return values of DetectBufferSetActiveList() and DetectSignatureSetAppProto().
6 years ago
* \retval 0 On success
* \retval -1 On failure
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
*/
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
static int DetectTlsSerialSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
{
detect: pass de_ctx to DetectBufferSetActiveList
2 years ago
if (DetectBufferSetActiveList(de_ctx, s, g_tls_cert_serial_buffer_id) < 0)
detect-tls: check return values of functions on setup Check the return values of DetectBufferSetActiveList() and DetectSignatureSetAppProto().
6 years ago
return -1;
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
detect-tls: check return values of functions on setup Check the return values of DetectBufferSetActiveList() and DetectSignatureSetAppProto().
6 years ago
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) < 0)
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
return -1;
return 0;
}
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
detect-tls: remove confusing underscores from variables Remove confusing underscore prefix from variables in GetData() for all tls keywords.
6 years ago
const DetectEngineTransforms *transforms, Flow *f,
const uint8_t flow_flags, void *txv, const int list_id)
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
{
detect: improve inspect buffer handling Fix and Optimize cleanup. For the simple single inspect buffer optimize the cleanup by keeping track of the actually used buffers. This avoid looping over unused buffers. Fix the case of cleaning not being done after a tx if the next tx is also inspected in the context of the same packet. Fix cleanup of the multi-inspect buffers. Optimize in 2 ways. First like with single keep track of which multi-inspect buffers have been used. Second, keep a max of the buffers within a multi-inspect buffer. Use this max to limit (nested) looping.
7 years ago
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
if (buffer->inspect == NULL) {
detect-tls: declare ssl_state as const in GetData()
6 years ago
const SSLState *ssl_state = (SSLState *)f->alstate;
detect/cert: Use client side certs Issue: 5516 This commit modifies the detect logic to choose the certificate based on the flow direction -- to server or to client.
3 years ago
const SSLStateConnp *connp;
if (flow_flags & STREAM_TOSERVER) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
}
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
detect/cert: Use client side certs Issue: 5516 This commit modifies the detect logic to choose the certificate based on the flow direction -- to server or to client.
3 years ago
if (connp->cert0_serial == NULL) {
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
return NULL;
}
detect/cert: Use client side certs Issue: 5516 This commit modifies the detect logic to choose the certificate based on the flow direction -- to server or to client.
3 years ago
const uint32_t data_len = strlen(connp->cert0_serial);
const uint8_t *data = (uint8_t *)connp->cert0_serial;
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
detect: fix heap overflow issue with buffer setup In some cases, the InspectionBufferGet function would be followed by a failure to set the buffer up, for example due to a HTTP body limit not yet being reached. Yet each call to InspectionBufferGet would lead to the matching list_id to be added to the DetectEngineThreadCtx::inspect.to_clear_queue. This array is sized to add each list only once, but in this case the same id could be added multiple times, potentially overflowing the array.
5 years ago
InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
detect-tls-cert-serial: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_serial' detection keyword.
8 years ago
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
general: Convert _Bool to bool This commit addresses task 3167 and changes usages of '_Bool` to `bool`. The latter is included from `suricata-common.h`
6 years ago
static bool DetectTlsSerialValidateCallback(const Signature *s,
detect-tls-cert-serial: add content validation callback Validate that the content that follows the 'tls_cert_serial' keyword is on the correct form. If it's longer than two bytes it should be separated by colons.
8 years ago
const char **sigerror)
{
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
if (s->init_data->buffers[x].id != (uint32_t)g_tls_cert_serial_buffer_id)
detect-tls-cert-serial: add content validation callback Validate that the content that follows the 'tls_cert_serial' keyword is on the correct form. If it's longer than two bytes it should be separated by colons.
8 years ago
continue;
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
const SigMatch *sm = s->init_data->buffers[x].head;
for (; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_CONTENT)
continue;
const DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_NOCASE) {
*sigerror = "tls.cert_serial should not be used together "
"with nocase, since the rule is automatically "
"uppercased anyway which makes nocase redundant.";
SCLogWarning("rule %u: %s", s->id, *sigerror);
}
detect-tls-cert-serial: add content validation callback Validate that the content that follows the 'tls_cert_serial' keyword is on the correct form. If it's longer than two bytes it should be separated by colons.
8 years ago
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
/* no need to worry about this if the content is short enough */
if (cd->content_len <= 2)
general: Cleanup bool usage
4 years ago
return true;
detect-tls-cert-serial: add content validation callback Validate that the content that follows the 'tls_cert_serial' keyword is on the correct form. If it's longer than two bytes it should be separated by colons.
8 years ago
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
uint32_t u;
for (u = 0; u < cd->content_len; u++)
if (cd->content[u] == ':')
return true;
detect-tls-cert-serial: add content validation callback Validate that the content that follows the 'tls_cert_serial' keyword is on the correct form. If it's longer than two bytes it should be separated by colons.
8 years ago
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
*sigerror = "No colon delimiters ':' detected in content after "
"tls.cert_serial. This rule will therefore never "
"match.";
SCLogWarning("rule %u: %s", s->id, *sigerror);
detect-tls-cert-serial: add content validation callback Validate that the content that follows the 'tls_cert_serial' keyword is on the correct form. If it's longer than two bytes it should be separated by colons.
8 years ago
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
return false;
}
}
general: Cleanup bool usage
4 years ago
return true;
detect-tls-cert-serial: add content validation callback Validate that the content that follows the 'tls_cert_serial' keyword is on the correct form. If it's longer than two bytes it should be separated by colons.
8 years ago
}
detect-tls-cert-serial: add setup callback to uppercase content Add setup callback that uppercase the content that follows 'tls_cert_serial'.
8 years ago
static void DetectTlsSerialSetupCallback(const DetectEngineCtx *de_ctx,
Signature *s)
{
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
if (s->init_data->buffers[x].id != (uint32_t)g_tls_cert_serial_buffer_id)
detect-tls-cert-serial: add setup callback to uppercase content Add setup callback that uppercase the content that follows 'tls_cert_serial'.
8 years ago
continue;
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
SigMatch *sm = s->init_data->buffers[x].head;
for (; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_CONTENT)
continue;
DetectContentData *cd = (DetectContentData *)sm->ctx;
bool changed = false;
uint32_t u;
for (u = 0; u < cd->content_len; u++) {
if (islower(cd->content[u])) {
cd->content[u] = u8_toupper(cd->content[u]);
changed = true;
}
detect-tls-cert-serial: add setup callback to uppercase content Add setup callback that uppercase the content that follows 'tls_cert_serial'.
8 years ago
}
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
/* recreate the context if changes were made */
if (changed) {
SpmDestroyCtx(cd->spm_ctx);
cd->spm_ctx =
SpmInitCtx(cd->content, cd->content_len, 1, de_ctx->spm_global_thread_ctx);
}
detect-tls-cert-serial: add setup callback to uppercase content Add setup callback that uppercase the content that follows 'tls_cert_serial'.
8 years ago
}
}
}
detect: add (mpm) keyword tls_cert_serial Match on TLS certificate serial number using tls_cert_serial keyword, e.g.: alert tls any any -> any any (msg:"TLS cert serial test"; tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:12345;)
9 years ago
#ifdef UNITTESTS
detect-tls-cert-serial: move unittests to tests/
6 years ago
#include "tests/detect-tls-cert-serial.c"
#endif