aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c587e90ebc'
${ noResults }
suricata/src/detect-tls-cert-fingerprint.c

245 lines
8.6 KiB
C
Raw Normal View History Unescape Escape

detect/cert: Use client side certs Issue: 5516 This commit modifies the detect logic to choose the certificate based on the flow direction -- to server or to client.
3 years ago
/* Copyright (C) 2017-2022 Open Information Security Foundation
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
* Implements support for tls_cert_fingerprint keyword.
*/
#include "suricata-common.h"
#include "threads.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
#include "detect-engine-prefilter.h"
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-tls-cert-fingerprint.h"
#include "flow.h"
#include "flow-util.h"
#include "flow-var.h"
#include "util-debug.h"
#include "util-spm.h"
#include "util-print.h"
#include "stream-tcp.h"
#include "app-layer.h"
#include "app-layer-ssl.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
static int DetectTlsFingerprintSetup(DetectEngineCtx *, Signature *, const char *);
detect-tls-cert-fingerprint: move unittests to tests/
6 years ago
#ifdef UNITTESTS
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
static void DetectTlsFingerprintRegisterTests(void);
detect-tls-cert-fingerprint: move unittests to tests/
6 years ago
#endif
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
detect-tls: remove confusing underscores from variables Remove confusing underscore prefix from variables in GetData() for all tls keywords.
6 years ago
Flow *f, const uint8_t flow_flags,
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
void *txv, const int list_id);
detect-tls-cert-fingerprint: add setup callback to lowercase content Add setup callback that lowercase the content that follows 'tls_cert_fingerprint'.
7 years ago
static void DetectTlsFingerprintSetupCallback(const DetectEngineCtx *de_ctx,
Signature *s);
general: Convert _Bool to bool This commit addresses task 3167 and changes usages of '_Bool` to `bool`. The latter is included from `suricata-common.h`
6 years ago
static bool DetectTlsFingerprintValidateCallback(const Signature *s,
detect-tls-cert-fingerprint: add content validation callback Validate that the content that follows the 'tls_cert_fingerprint' keyword is on the correct form and has the correct length.
7 years ago
const char **sigerror);
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
static int g_tls_cert_fingerprint_buffer_id = 0;
/**
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
* \brief Registration function for keyword: tls.cert_fingerprint
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
*/
void DetectTlsFingerprintRegister(void)
{
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].name = "tls.cert_fingerprint";
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].alias = "tls_cert_fingerprint";
detect/tls: fix descriptions Most keywords were presented as content modifiers when they were in fact sticky buffers.
3 years ago
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].desc =
detect: spelling
2 years ago
"sticky buffer to match the TLS cert fingerprint buffer";
detect/keywords: dynamic version part of doc URL
5 years ago
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].url = "/rules/tls-keywords.html#tls-cert-fingerprint";
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].Setup = DetectTlsFingerprintSetup;
detect-tls-cert-fingerprint: move unittests to tests/
6 years ago
#ifdef UNITTESTS
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].RegisterTests = DetectTlsFingerprintRegisterTests;
detect-tls-cert-fingerprint: move unittests to tests/
6 years ago
#endif
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_NOOPT;
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_INFO_STICKY_BUFFER;
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
detect: rename DetectAppLayerInspectEngineRegister2 Rename DetectAppLayerInspectEngineRegister2 to DetectAppLayerInspectEngineRegister as there is no other variant of this function, and the versioning with lack of supporting documentation can lead to confusion.
2 years ago
DetectAppLayerInspectEngineRegister("tls.cert_fingerprint", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData);
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
detect: rename DetectAppLayerMpmRegister2 to DetectAppLayerMpmRegister The old DetectAppLayerMpmRegister has not been around since 4.1.x. Rename the v2 of this function to a versionless function as there is no documentation referring to what the 2 means.
2 years ago
DetectAppLayerMpmRegister("tls.cert_fingerprint", SIG_FLAG_TOCLIENT, 2,
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, TLS_STATE_CERT_READY);
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
detect: rename DetectAppLayerInspectEngineRegister2 Rename DetectAppLayerInspectEngineRegister2 to DetectAppLayerInspectEngineRegister as there is no other variant of this function, and the versioning with lack of supporting documentation can lead to confusion.
2 years ago
DetectAppLayerInspectEngineRegister("tls.cert_fingerprint", ALPROTO_TLS, SIG_FLAG_TOSERVER,
detect/cert: Use client side certs Issue: 5516 This commit modifies the detect logic to choose the certificate based on the flow direction -- to server or to client.
3 years ago
TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData);
detect: rename DetectAppLayerMpmRegister2 to DetectAppLayerMpmRegister The old DetectAppLayerMpmRegister has not been around since 4.1.x. Rename the v2 of this function to a versionless function as there is no documentation referring to what the 2 means.
2 years ago
DetectAppLayerMpmRegister("tls.cert_fingerprint", SIG_FLAG_TOSERVER, 2,
detect/cert: Use client side certs Issue: 5516 This commit modifies the detect logic to choose the certificate based on the flow direction -- to server or to client.
3 years ago
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, TLS_STATE_CERT_READY);
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
DetectBufferTypeSetDescriptionByName("tls.cert_fingerprint",
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
"TLS certificate fingerprint");
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
DetectBufferTypeRegisterSetupCallback("tls.cert_fingerprint",
detect-tls-cert-fingerprint: add setup callback to lowercase content Add setup callback that lowercase the content that follows 'tls_cert_fingerprint'.
7 years ago
DetectTlsFingerprintSetupCallback);
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
DetectBufferTypeRegisterValidateCallback("tls.cert_fingerprint",
detect-tls-cert-fingerprint: add content validation callback Validate that the content that follows the 'tls_cert_fingerprint' keyword is on the correct form and has the correct length.
7 years ago
DetectTlsFingerprintValidateCallback);
detect: Modernize TLS keywords This changeset adds keywords for "tls.<name>" and moves the existing value of "tls_<name>" to an alias.
6 years ago
g_tls_cert_fingerprint_buffer_id = DetectBufferTypeGetByName("tls.cert_fingerprint");
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
}
/**
* \brief this function setup the tls_cert_fingerprint modifier keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
* \param str Should hold an empty string always
*
detect-tls: check return values of functions on setup Check the return values of DetectBufferSetActiveList() and DetectSignatureSetAppProto().
6 years ago
* \retval 0 On success
* \retval -1 On failure
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
*/
static int DetectTlsFingerprintSetup(DetectEngineCtx *de_ctx, Signature *s,
const char *str)
{
detect: pass de_ctx to DetectBufferSetActiveList
2 years ago
if (DetectBufferSetActiveList(de_ctx, s, g_tls_cert_fingerprint_buffer_id) < 0)
detect-tls: check return values of functions on setup Check the return values of DetectBufferSetActiveList() and DetectSignatureSetAppProto().
6 years ago
return -1;
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
detect-tls: check return values of functions on setup Check the return values of DetectBufferSetActiveList() and DetectSignatureSetAppProto().
6 years ago
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) < 0)
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
return -1;
return 0;
}
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
detect-tls: remove confusing underscores from variables Remove confusing underscore prefix from variables in GetData() for all tls keywords.
6 years ago
const DetectEngineTransforms *transforms, Flow *f,
const uint8_t flow_flags, void *txv, const int list_id)
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
{
detect: improve inspect buffer handling Fix and Optimize cleanup. For the simple single inspect buffer optimize the cleanup by keeping track of the actually used buffers. This avoid looping over unused buffers. Fix the case of cleaning not being done after a tx if the next tx is also inspected in the context of the same packet. Fix cleanup of the multi-inspect buffers. Optimize in 2 ways. First like with single keep track of which multi-inspect buffers have been used. Second, keep a max of the buffers within a multi-inspect buffer. Use this max to limit (nested) looping.
7 years ago
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
if (buffer->inspect == NULL) {
detect-tls: declare ssl_state as const in GetData()
6 years ago
const SSLState *ssl_state = (SSLState *)f->alstate;
detect/cert: Use client side certs Issue: 5516 This commit modifies the detect logic to choose the certificate based on the flow direction -- to server or to client.
3 years ago
const SSLStateConnp *connp;
if (flow_flags & STREAM_TOSERVER) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
}
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
detect/cert: Use client side certs Issue: 5516 This commit modifies the detect logic to choose the certificate based on the flow direction -- to server or to client.
3 years ago
if (connp->cert0_fingerprint == NULL) {
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
return NULL;
}
detect/cert: Use client side certs Issue: 5516 This commit modifies the detect logic to choose the certificate based on the flow direction -- to server or to client.
3 years ago
const uint32_t data_len = strlen(connp->cert0_fingerprint);
const uint8_t *data = (uint8_t *)connp->cert0_fingerprint;
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
detect: fix heap overflow issue with buffer setup In some cases, the InspectionBufferGet function would be followed by a failure to set the buffer up, for example due to a HTTP body limit not yet being reached. Yet each call to InspectionBufferGet would lead to the matching list_id to be added to the DetectEngineThreadCtx::inspect.to_clear_queue. This array is sized to add each list only once, but in this case the same id could be added multiple times, potentially overflowing the array.
5 years ago
InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
detect-tls-cert-fingerprint: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_cert_fingerprint' detection keyword.
7 years ago
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
general: Convert _Bool to bool This commit addresses task 3167 and changes usages of '_Bool` to `bool`. The latter is included from `suricata-common.h`
6 years ago
static bool DetectTlsFingerprintValidateCallback(const Signature *s,
detect-tls-cert-fingerprint: add content validation callback Validate that the content that follows the 'tls_cert_fingerprint' keyword is on the correct form and has the correct length.
7 years ago
const char **sigerror)
{
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
if (s->init_data->buffers[x].id != (uint32_t)g_tls_cert_fingerprint_buffer_id)
detect-tls-cert-fingerprint: add content validation callback Validate that the content that follows the 'tls_cert_fingerprint' keyword is on the correct form and has the correct length.
7 years ago
continue;
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
const SigMatch *sm = s->init_data->buffers[x].head;
for (; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_CONTENT)
continue;
const DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->content_len != 59) {
*sigerror = "Invalid length of the specified fingerprint. "
"This rule will therefore never match.";
SCLogWarning("rule %u: %s", s->id, *sigerror);
return false;
}
detect-tls-cert-fingerprint: add content validation callback Validate that the content that follows the 'tls_cert_fingerprint' keyword is on the correct form and has the correct length.
7 years ago
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
bool have_delimiters = false;
uint32_t u;
for (u = 0; u < cd->content_len; u++) {
if (cd->content[u] == ':') {
have_delimiters = true;
break;
}
detect-tls-cert-fingerprint: add content validation callback Validate that the content that follows the 'tls_cert_fingerprint' keyword is on the correct form and has the correct length.
7 years ago
}
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
if (!have_delimiters) {
*sigerror = "No colon delimiters ':' detected in content after "
"tls.cert_fingerprint. This rule will therefore "
"never match.";
SCLogWarning("rule %u: %s", s->id, *sigerror);
return false;
}
detect-tls-cert-fingerprint: add content validation callback Validate that the content that follows the 'tls_cert_fingerprint' keyword is on the correct form and has the correct length.
7 years ago
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
if (cd->flags & DETECT_CONTENT_NOCASE) {
*sigerror = "tls.cert_fingerprint should not be used together "
"with nocase, since the rule is automatically "
"lowercased anyway which makes nocase redundant.";
SCLogWarning("rule %u: %s", s->id, *sigerror);
}
detect-tls-cert-fingerprint: add warning if nocase is used
7 years ago
}
detect-tls-cert-fingerprint: add content validation callback Validate that the content that follows the 'tls_cert_fingerprint' keyword is on the correct form and has the correct length.
7 years ago
}
general: Cleanup bool usage
4 years ago
return true;
detect-tls-cert-fingerprint: add content validation callback Validate that the content that follows the 'tls_cert_fingerprint' keyword is on the correct form and has the correct length.
7 years ago
}
detect-tls-cert-fingerprint: add setup callback to lowercase content Add setup callback that lowercase the content that follows 'tls_cert_fingerprint'.
7 years ago
static void DetectTlsFingerprintSetupCallback(const DetectEngineCtx *de_ctx,
Signature *s)
{
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
if (s->init_data->buffers[x].id != (uint32_t)g_tls_cert_fingerprint_buffer_id)
detect-tls-cert-fingerprint: add setup callback to lowercase content Add setup callback that lowercase the content that follows 'tls_cert_fingerprint'.
7 years ago
continue;
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
SigMatch *sm = s->init_data->buffers[x].head;
for (; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_CONTENT)
continue;
DetectContentData *cd = (DetectContentData *)sm->ctx;
bool changed = false;
uint32_t u;
for (u = 0; u < cd->content_len; u++) {
if (isupper(cd->content[u])) {
cd->content[u] = u8_tolower(cd->content[u]);
changed = true;
}
detect-tls-cert-fingerprint: add setup callback to lowercase content Add setup callback that lowercase the content that follows 'tls_cert_fingerprint'.
7 years ago
}
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
/* recreate the context if changes were made */
if (changed) {
SpmDestroyCtx(cd->spm_ctx);
cd->spm_ctx =
SpmInitCtx(cd->content, cd->content_len, 1, de_ctx->spm_global_thread_ctx);
}
detect-tls-cert-fingerprint: add setup callback to lowercase content Add setup callback that lowercase the content that follows 'tls_cert_fingerprint'.
7 years ago
}
}
}
detect: add (mpm) keyword tls_cert_fingerprint Reimplement keyword to match on SHA-1 fingerprint of TLS certificate as a mpm keyword. alert tls any any -> any (msg:"TLS cert fingerprint test"; tls_cert_fingerprint; content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; sid:12345;)
8 years ago
#ifdef UNITTESTS
unittest: fix unneeded includes as per cppclean Especially because there is conditional inclusion from a header
3 years ago
#include "detect-engine-alert.h"
detect-tls-cert-fingerprint: move unittests to tests/
6 years ago
#include "tests/detect-tls-cert-fingerprint.c"
#endif