detect/ja3: print error for one rule only

Use 'silent error' logic for any other rules using ja3 as well.
6 years ago · 0771eb1e0e
parent 4d44ca7739
commit 0771eb1e0e
5 changed files with 34 additions and 13 deletions
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
@ -114,6 +114,7 @@ void DetectTlsJa3HashRegister(void)
 *
 * \retval 0  On success
 * \retval -1 On failure
+ * \retval -2 on failure that should be silent after the first
 */
 static int DetectTlsJa3HashSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
 {
@ -127,8 +128,12 @@ static int DetectTlsJa3HashSetup(DetectEngineCtx *de_ctx, Signature *s, const ch
    SSLEnableJA3();

    /* Check if JA3 is disabled */
-    if (!RunmodeIsUnittests() && Ja3IsDisabled("rule"))
-        return -1;
+    if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) {
+        if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3_HASH)) {
+            SCLogError(SC_WARN_JA3_DISABLED, "ja3 support is not enabled");
+        }
+        return -2;
+    }

    return 0;
 }
--- a/src/detect-tls-ja3-string.c
+++ b/src/detect-tls-ja3-string.c
@ -117,8 +117,12 @@ static int DetectTlsJa3StringSetup(DetectEngineCtx *de_ctx, Signature *s, const
    SSLEnableJA3();

    /* Check if JA3 is disabled */
-    if (!RunmodeIsUnittests() && Ja3IsDisabled("rule"))
-        return -1;
+    if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) {
+        if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3_STRING)) {
+            SCLogError(SC_WARN_JA3_DISABLED, "ja3(s) support is not enabled");
+        }
+        return -2;
+    }

    return 0;
 }
--- a/src/detect-tls-ja3s-hash.c
+++ b/src/detect-tls-ja3s-hash.c
@ -126,8 +126,12 @@ static int DetectTlsJa3SHashSetup(DetectEngineCtx *de_ctx, Signature *s, const c
    SSLEnableJA3();

    /* Check if JA3 is disabled */
-    if (!RunmodeIsUnittests() && Ja3IsDisabled("rule"))
-        return -1;
+    if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) {
+        if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3S_HASH)) {
+            SCLogError(SC_WARN_JA3_DISABLED, "ja3(s) support is not enabled");
+        }
+        return -2;
+    }

    return 0;
 }
--- a/src/detect-tls-ja3s-string.c
+++ b/src/detect-tls-ja3s-string.c
@ -116,8 +116,12 @@ static int DetectTlsJa3SStringSetup(DetectEngineCtx *de_ctx, Signature *s, const
    SSLEnableJA3();

    /* Check if JA3 is disabled */
-    if (!RunmodeIsUnittests() && Ja3IsDisabled("rule"))
-        return -1;
+    if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) {
+        if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3S_STRING)) {
+            SCLogError(SC_WARN_JA3_DISABLED, "ja3(s) support is not enabled");
+        }
+        return -2;
+    }

    return 0;
 }
--- a/src/util-ja3.c
+++ b/src/util-ja3.c
@ -264,16 +264,20 @@ int Ja3IsDisabled(const char *type)
 {
    bool is_enabled = SSLJA3IsEnabled();
    if (is_enabled == 0) {
+        if (strcmp(type, "rule") != 0) {
            SCLogWarning(SC_WARN_JA3_DISABLED, "JA3 is disabled, skipping %s",
                    type);
+        }
        return 1;
    }

 #ifndef HAVE_NSS
    else {
+        if (strcmp(type, "rule") != 0) {
            SCLogWarning(SC_WARN_NO_JA3_SUPPORT,
                    "no MD5 calculation support built in (LibNSS), skipping %s",
                    type);
+        }
        return 1;
    }
 #endif /* HAVE_NSS */