From 08407b6d47606f625bf4f0c502df254659fa9843 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 9 Jul 2016 09:05:58 +0200
Subject: [PATCH] tls: mpm prefilter engines
---
 src/detect-engine-mpm.c | 10 +-
 src/detect-engine-tls.c | 198 ++++++++++++----------------------
 src/detect-engine-tls.h | 4 +
 src/detect-tls-cert-issuer.h | 2 -
 src/detect-tls-cert-subject.h | 2 -
 src/detect.c | 27 -----
 6 files changed, 81 insertions(+), 162 deletions(-)
diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 71ebe93530..6c94e7a4a8 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -64,6 +64,7 @@
 #include "detect-engine-hsbd.h"
 #include "detect-engine-dns.h"
 #include "detect-engine-filedata-smtp.h"
+#include "detect-engine-tls.h"
 #include "stream.h"
@@ -143,9 +144,12 @@ AppLayerMpms app_mpms[] = {
 { "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH, SIG_GROUP_HEAD_MPM_DNSQUERY, PrefilterTxDnsQueryRegister, 17},
- { "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH, SIG_GROUP_HEAD_MPM_TLSSNI, NULL, 18},
- { "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH, SIG_GROUP_HEAD_MPM_TLSISSUER, NULL, 19},
- { "tls_cert_subject", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSSUBJECT_MATCH, SIG_GROUP_HEAD_MPM_TLSSUBJECT, NULL, 20},
+ { "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH,
+ SIG_GROUP_HEAD_MPM_TLSSNI, PrefilterTxTlsSniRegister, 18},
+ { "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH,
+ SIG_GROUP_HEAD_MPM_TLSISSUER, PrefilterTxTlsIssuerRegister, 19},
+ { "tls_cert_subject", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSSUBJECT_MATCH,
+ SIG_GROUP_HEAD_MPM_TLSSUBJECT, PrefilterTxTlsSubjectRegister, 20},
 { NULL, 0, 0, 0, 0, NULL, 0, }
 };
diff --git a/src/detect-engine-tls.c b/src/detect-engine-tls.c
index 940833106c..a4ce75caf3 100644
--- a/src/detect-engine-tls.c
+++ b/src/detect-engine-tls.c
@@ -30,6 +30,7 @@
 #include "detect-parse.h"
 #include "detect-engine-state.h"
 #include "detect-engine-content-inspection.h"
+#include "detect-engine-prefilter.h"
 #include "flow-util.h"
 #include "util-debug.h"
@@ -45,63 +46,42 @@
 #include "util-unittest-helper.h"
 #include "util-validate.h"
-/**
- * \brief TLS sni match -- searches for one pattern per signature.
+/** \brief TLS SNI Mpm prefilter callback
 *
- * \param det_ctx Detection engine thread ctx
- * \param hrh Buffer to inspect
- * \param hrh_len Buffer length
- * \param flags Flags
- *
- * \retval ret Number of matches
+ * \param det_ctx detection engine thread ctx
+ * \param p packet to inspect
+ * \param f flow to inspect
+ * \param txv tx to inspect
+ * \param pectx inspection context
 */
-static inline uint32_t TlsSniPatternSearch(DetectEngineThreadCtx *det_ctx,
- const uint8_t *buffer,
- const uint32_t buffer_len)
+static void PrefilterTxTlsSni(DetectEngineThreadCtx *det_ctx, const void *pectx,
+ Packet *p, Flow *f, void *txv,
+ const uint64_t idx, const uint8_t flags)
 {
 SCEnter();
- uint32_t ret = 0;
+ const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+ SSLState *ssl_state = f->alstate;
+
+ if (ssl_state->client_connp.sni == NULL)
+ return;
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_tlssni_ctx_ts == NULL);
+ const uint8_t *buffer = (uint8_t *)ssl_state->client_connp.sni;
+ const uint32_t buffer_len = strlen(ssl_state->client_connp.sni);
- if (buffer_len >= det_ctx->sgh->mpm_tlssni_ctx_ts->minlen) {
- ret = mpm_table[det_ctx->sgh->mpm_tlssni_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_tlssni_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, buffer, buffer_len);
+ if (buffer_len >= mpm_ctx->minlen) {
+ (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
 }
-
- SCReturnUInt(ret);
 }
-/**
- * \brief Run the pattern matcher against the SNI buffer
- *
- * \param det_ctx Detection engine thread ctx
- * \param f Locked flow
- * \param dns_state Initialized dns state
- * \param flags Flags
- *
- * \retval cnt Number of matches
- */
-uint32_t DetectTlsSniInspectMpm(DetectEngineThreadCtx *det_ctx,
- SSLState *ssl_state)
+int PrefilterTxTlsSniRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
 {
 SCEnter();
- uint8_t *buffer;
- uint32_t buffer_len;
- uint32_t cnt = 0;
-
- if (ssl_state->client_connp.sni == NULL)
- return 0;
-
- buffer = (uint8_t *)ssl_state->client_connp.sni;
- buffer_len = strlen(ssl_state->client_connp.sni);
-
- cnt = TlsSniPatternSearch(det_ctx, buffer, buffer_len);
-
- SCReturnUInt(cnt);
+ return PrefilterAppendTxEngine(sgh, PrefilterTxTlsSni,
+ ALPROTO_TLS, 0, // TODO a special 'cert ready' state might be good to add
+ mpm_ctx, NULL);
 }
 /** \brief Do the content inspection and validation for a signature
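Review bot: `SSLState *ssl_state = f->alstate;` in PrefilterTxTlsSni is dereferenced on the following lines without a NULL check, whereas the DetectMpmPrefilter code this replaces (the detect.c hunk at the end of the patch) returned early on `alstate == NULL`; unless the prefilter framework behind PrefilterAppendTxEngine guarantees a non-NULL app-layer state for every tx callback, which is not visible here, add `if (ssl_state == NULL) return;` before the sni check. The same applies to PrefilterTxTlsIssuer and PrefilterTxTlsSubject in the next two hunks. As a point of style, this callback casts the sni to `(uint8_t *)` while the issuer and subject callbacks use `(const uint8_t *)`; the const form matches the `const uint8_t *buffer` declaration in all three. The new doc comment also leaves `idx` and `flags` undocumented; a `\param idx` and `\param flags` entry each would complete it.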
@@ -142,61 +122,42 @@ int DetectEngineInspectTlsSni(ThreadVars *tv, DetectEngineCtx *de_ctx,
 return cnt;
 }
-/**
- * \brief TLS issuer match -- searches for one pattern per signature.
+/** \brief TLS Issuer Mpm prefilter callback
 *
- * \param det_ctx Detection engine thread ctx
- * \param buffer Buffer to inspect
- * \param buffer_len Buffer length
- *
- * \retval ret Number of matches
+ * \param det_ctx detection engine thread ctx
+ * \param p packet to inspect
+ * \param f flow to inspect
+ * \param txv tx to inspect
+ * \param pectx inspection context
 */
-static inline uint32_t TlsIssuerPatternSearch(DetectEngineThreadCtx *det_ctx,
- const uint8_t *buffer,
- const uint32_t buffer_len)
+static void PrefilterTxTlsIssuer(DetectEngineThreadCtx *det_ctx, const void *pectx,
+ Packet *p, Flow *f, void *txv,
+ const uint64_t idx, const uint8_t flags)
 {
 SCEnter();
- uint32_t ret = 0;
+ const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+ SSLState *ssl_state = f->alstate;
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_tlsissuer_ctx_ts == NULL);
+ if (ssl_state->server_connp.cert0_issuerdn == NULL)
+ return;
- if (buffer_len >= det_ctx->sgh->mpm_tlsissuer_ctx_ts->minlen) {
- ret = mpm_table[det_ctx->sgh->mpm_tlsissuer_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_tlsissuer_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, buffer, buffer_len);
- }
+ const uint8_t *buffer = (const uint8_t *)ssl_state->server_connp.cert0_issuerdn;
+ const uint32_t buffer_len = strlen(ssl_state->server_connp.cert0_issuerdn);
- SCReturnUInt(ret);
+ if (buffer_len >= mpm_ctx->minlen) {
+ (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
+ }
 }
-/**
- * \brief Run the pattern matcher against the TLS issuer buffer
- *
- * \param det_ctx Detection engine thread ctx
- * \param f Locked flow
- * \param ssl_state Initialized ssl state
- *
- * \retval cnt Number of matches
- */
-uint32_t DetectTlsIssuerInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
- SSLState *ssl_state)
+int PrefilterTxTlsIssuerRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
 {
 SCEnter();
- uint8_t *buffer;
- uint32_t buffer_len;
- uint32_t cnt = 0;
-
- if (ssl_state->server_connp.cert0_issuerdn == NULL)
- return 0;
-
- buffer = (uint8_t *)ssl_state->server_connp.cert0_issuerdn;
- buffer_len = strlen(ssl_state->server_connp.cert0_issuerdn);
-
- cnt = TlsIssuerPatternSearch(det_ctx, buffer, buffer_len);
-
- SCReturnUInt(cnt);
+ return PrefilterAppendTxEngine(sgh, PrefilterTxTlsIssuer,
+ ALPROTO_TLS, 0, // TODO a special 'cert ready' state might be good to add
+ mpm_ctx, NULL);
 }
 /** \brief Do the content inspection and validation for a signature
@@ -237,61 +198,42 @@ int DetectEngineInspectTlsIssuer(ThreadVars *tv, DetectEngineCtx *de_ctx,
 return cnt;
 }
-/**
- * \brief TLS subject match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx
- * \param buffer Buffer to inspect
- * \param buffer_len Buffer length
+/** \brief TLS Subject Mpm prefilter callback
 *
- * \retval ret Number of matches
+ * \param det_ctx detection engine thread ctx
+ * \param p packet to inspect
+ * \param f flow to inspect
+ * \param txv tx to inspect
+ * \param pectx inspection context
 */
-static inline uint32_t TlsSubjectPatternSearch(DetectEngineThreadCtx *det_ctx,
- const uint8_t *buffer,
- const uint32_t buffer_len)
+static void PrefilterTxTlsSubject(DetectEngineThreadCtx *det_ctx, const void *pectx,
+ Packet *p, Flow *f, void *txv,
+ const uint64_t idx, const uint8_t flags)
 {
 SCEnter();
- uint32_t ret = 0;
+ const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+ SSLState *ssl_state = f->alstate;
+
+ if (ssl_state->server_connp.cert0_issuerdn == NULL)
+ return;
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_tlssubject_ctx_ts == NULL);
+ const uint8_t *buffer = (const uint8_t *)ssl_state->server_connp.cert0_subject;
+ const uint32_t buffer_len = strlen(ssl_state->server_connp.cert0_subject);
- if (buffer_len >= det_ctx->sgh->mpm_tlssubject_ctx_ts->minlen) {
- ret = mpm_table[det_ctx->sgh->mpm_tlssubject_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_tlssubject_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, buffer, buffer_len);
+ if (buffer_len >= mpm_ctx->minlen) {
+ (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
 }
-
- SCReturnUInt(ret);
 }
-/**
- * \brief Run the pattern matcher against the TLS subject buffer
- *
- * \param det_ctx Detection engine thread ctx
- * \param f Locked flow
- * \param ssl_state Initialized ssl state
- *
- * \retval cnt Number of matches
- */
-uint32_t DetectTlsSubjectInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
- SSLState *ssl_state)
+int PrefilterTxTlsSubjectRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
 {
 SCEnter();
- uint8_t *buffer;
- uint32_t buffer_len;
- uint32_t cnt = 0;
-
- if (ssl_state->server_connp.cert0_subject == NULL)
- return 0;
-
- buffer = (uint8_t *)ssl_state->server_connp.cert0_subject;
- buffer_len = strlen(ssl_state->server_connp.cert0_subject);
-
- cnt = TlsSubjectPatternSearch(det_ctx, buffer, buffer_len);
-
- SCReturnUInt(cnt);
+ return PrefilterAppendTxEngine(sgh, PrefilterTxTlsSubject,
+ ALPROTO_TLS, 0, // TODO a special 'cert ready' state might be good to add
+ mpm_ctx, NULL);
 }
 /** \brief Do the content inspection and validation for a signature
diff --git a/src/detect-engine-tls.h b/src/detect-engine-tls.h
index efcc111f7b..56bb63172d 100644
--- a/src/detect-engine-tls.h
+++ b/src/detect-engine-tls.h
@@ -23,6 +23,10 @@
 #ifndef __DETECT_ENGINE_TLS_H__
 #define __DETECT_ENGINE_TLS_H__
+int PrefilterTxTlsSniRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);
+int PrefilterTxTlsIssuerRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);
+int PrefilterTxTlsSubjectRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);
+
 int DetectEngineInspectTlsSni(ThreadVars *tv, DetectEngineCtx *de_ctx,
 DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags,
diff --git a/src/detect-tls-cert-issuer.h b/src/detect-tls-cert-issuer.h
index a0b0846f7e..8e26cb7596 100644
--- a/src/detect-tls-cert-issuer.h
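Review bot: PrefilterTxTlsSubject guards on `ssl_state->server_connp.cert0_issuerdn == NULL` but then hands `cert0_subject` to strlen and to the MPM search, so a state that carries an issuer DN and no subject dereferences a NULL pointer in the prefilter; the DetectTlsSubjectInspectMpm body removed in this same hunk checked cert0_subject. The guard should test the field it protects: `if (ssl_state->server_connp.cert0_subject == NULL)`. Whether the parser can ever set one of the two fields without the other is not visible here, which is all the more reason not to rely on it.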
+++ b/src/detect-tls-cert-issuer.h
@@ -27,7 +27,5 @@
 #include "app-layer-ssl.h"
 void DetectTlsIssuerRegister(void);
-uint32_t DetectTlsIssuerInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
- SSLState *ssl_state);
 #endif /* __DETECT_TLS_ISSUER_H__ */
diff --git a/src/detect-tls-cert-subject.h b/src/detect-tls-cert-subject.h
index 2edce96c86..8d037275e3 100644
--- a/src/detect-tls-cert-subject.h
+++ b/src/detect-tls-cert-subject.h
@@ -27,7 +27,5 @@
 #include "app-layer-ssl.h"
 void DetectTlsSubjectRegister(void);
-uint32_t DetectTlsSubjectInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
- SSLState *ssl_state);
 #endif /* __DETECT_TLS_SUBJECT_H__ */
diff --git a/src/detect.c b/src/detect.c
index 3aad7940ac..62e959986f 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -876,33 +876,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
 /* have a look at the reassembled stream (if any) */
 if (p->flowflags & FLOW_PKT_ESTABLISHED) {
 SCLogDebug("p->flowflags & FLOW_PKT_ESTABLISHED");
-
- if (alproto == ALPROTO_TLS && has_state) {
- void *alstate = FlowGetAppState(p->flow);
- if (alstate == NULL) {
- SCLogDebug("no alstate");
- return;
- }
-
- if (p->flowflags & FLOW_PKT_TOSERVER) {
- if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_TLSSNI) {
- PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_TLSSNI);
- DetectTlsSniInspectMpm(det_ctx, alstate);
- PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSSNI);
- }
- } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
- if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_TLSISSUER) {
- PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_TLSISSUER);
- DetectTlsIssuerInspectMpm(det_ctx, p->flow, alstate);
- PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSISSUER);
- }
- if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_TLSSUBJECT) {
- PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_TLSSUBJECT);
- DetectTlsSubjectInspectMpm(det_ctx, p->flow, alstate);
- PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSSUBJECT);
- }
- }
- }
 } else {
 SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
 }