tls: mpm prefilter engines

pull/2310/head
Victor Julien 9 years ago
parent 7acdc66061
commit 08407b6d47

@ -64,6 +64,7 @@
#include "detect-engine-hsbd.h" #include "detect-engine-hsbd.h"
#include "detect-engine-dns.h" #include "detect-engine-dns.h"
#include "detect-engine-filedata-smtp.h" #include "detect-engine-filedata-smtp.h"
#include "detect-engine-tls.h"
#include "stream.h" #include "stream.h"
@ -143,9 +144,12 @@ AppLayerMpms app_mpms[] = {
{ "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH, { "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH,
SIG_GROUP_HEAD_MPM_DNSQUERY, PrefilterTxDnsQueryRegister, 17}, SIG_GROUP_HEAD_MPM_DNSQUERY, PrefilterTxDnsQueryRegister, 17},
{ "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH, SIG_GROUP_HEAD_MPM_TLSSNI, NULL, 18}, { "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH,
{ "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH, SIG_GROUP_HEAD_MPM_TLSISSUER, NULL, 19}, SIG_GROUP_HEAD_MPM_TLSSNI, PrefilterTxTlsSniRegister, 18},
{ "tls_cert_subject", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSSUBJECT_MATCH, SIG_GROUP_HEAD_MPM_TLSSUBJECT, NULL, 20}, { "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH,
SIG_GROUP_HEAD_MPM_TLSISSUER, PrefilterTxTlsIssuerRegister, 19},
{ "tls_cert_subject", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSSUBJECT_MATCH,
SIG_GROUP_HEAD_MPM_TLSSUBJECT, PrefilterTxTlsSubjectRegister, 20},
{ NULL, 0, 0, 0, 0, NULL, 0, } { NULL, 0, 0, 0, 0, NULL, 0, }
}; };

@ -30,6 +30,7 @@
#include "detect-parse.h" #include "detect-parse.h"
#include "detect-engine-state.h" #include "detect-engine-state.h"
#include "detect-engine-content-inspection.h" #include "detect-engine-content-inspection.h"
#include "detect-engine-prefilter.h"
#include "flow-util.h" #include "flow-util.h"
#include "util-debug.h" #include "util-debug.h"
@ -45,63 +46,42 @@
#include "util-unittest-helper.h" #include "util-unittest-helper.h"
#include "util-validate.h" #include "util-validate.h"
/** /** \brief TLS SNI Mpm prefilter callback
* \brief TLS sni match -- searches for one pattern per signature.
* *
* \param det_ctx Detection engine thread ctx * \param det_ctx detection engine thread ctx
* \param hrh Buffer to inspect * \param p packet to inspect
* \param hrh_len Buffer length * \param f flow to inspect
* \param flags Flags * \param txv tx to inspect
* * \param pectx inspection context
* \retval ret Number of matches
*/ */
static inline uint32_t TlsSniPatternSearch(DetectEngineThreadCtx *det_ctx, static void PrefilterTxTlsSni(DetectEngineThreadCtx *det_ctx, const void *pectx,
const uint8_t *buffer, Packet *p, Flow *f, void *txv,
const uint32_t buffer_len) const uint64_t idx, const uint8_t flags)
{ {
SCEnter(); SCEnter();
uint32_t ret = 0; const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
SSLState *ssl_state = f->alstate;
if (ssl_state->client_connp.sni == NULL)
return;
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_tlssni_ctx_ts == NULL); const uint8_t *buffer = (uint8_t *)ssl_state->client_connp.sni;
const uint32_t buffer_len = strlen(ssl_state->client_connp.sni);
if (buffer_len >= det_ctx->sgh->mpm_tlssni_ctx_ts->minlen) { if (buffer_len >= mpm_ctx->minlen) {
ret = mpm_table[det_ctx->sgh->mpm_tlssni_ctx_ts->mpm_type]. (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
Search(det_ctx->sgh->mpm_tlssni_ctx_ts, &det_ctx->mtcu, &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
&det_ctx->pmq, buffer, buffer_len);
} }
SCReturnUInt(ret);
} }
/** int PrefilterTxTlsSniRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
* \brief Run the pattern matcher against the SNI buffer
*
* \param det_ctx Detection engine thread ctx
* \param f Locked flow
* \param dns_state Initialized dns state
* \param flags Flags
*
* \retval cnt Number of matches
*/
uint32_t DetectTlsSniInspectMpm(DetectEngineThreadCtx *det_ctx,
SSLState *ssl_state)
{ {
SCEnter(); SCEnter();
uint8_t *buffer; return PrefilterAppendTxEngine(sgh, PrefilterTxTlsSni,
uint32_t buffer_len; ALPROTO_TLS, 0, // TODO a special 'cert ready' state might be good to add
uint32_t cnt = 0; mpm_ctx, NULL);
if (ssl_state->client_connp.sni == NULL)
return 0;
buffer = (uint8_t *)ssl_state->client_connp.sni;
buffer_len = strlen(ssl_state->client_connp.sni);
cnt = TlsSniPatternSearch(det_ctx, buffer, buffer_len);
SCReturnUInt(cnt);
} }
/** \brief Do the content inspection and validation for a signature /** \brief Do the content inspection and validation for a signature
@ -142,61 +122,42 @@ int DetectEngineInspectTlsSni(ThreadVars *tv, DetectEngineCtx *de_ctx,
return cnt; return cnt;
} }
/** /** \brief TLS Issuer Mpm prefilter callback
* \brief TLS issuer match -- searches for one pattern per signature.
* *
* \param det_ctx Detection engine thread ctx * \param det_ctx detection engine thread ctx
* \param buffer Buffer to inspect * \param p packet to inspect
* \param buffer_len Buffer length * \param f flow to inspect
* * \param txv tx to inspect
* \retval ret Number of matches * \param pectx inspection context
*/ */
static inline uint32_t TlsIssuerPatternSearch(DetectEngineThreadCtx *det_ctx, static void PrefilterTxTlsIssuer(DetectEngineThreadCtx *det_ctx, const void *pectx,
const uint8_t *buffer, Packet *p, Flow *f, void *txv,
const uint32_t buffer_len) const uint64_t idx, const uint8_t flags)
{ {
SCEnter(); SCEnter();
uint32_t ret = 0; const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
SSLState *ssl_state = f->alstate;
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_tlsissuer_ctx_ts == NULL); if (ssl_state->server_connp.cert0_issuerdn == NULL)
return;
if (buffer_len >= det_ctx->sgh->mpm_tlsissuer_ctx_ts->minlen) { const uint8_t *buffer = (const uint8_t *)ssl_state->server_connp.cert0_issuerdn;
ret = mpm_table[det_ctx->sgh->mpm_tlsissuer_ctx_ts->mpm_type]. const uint32_t buffer_len = strlen(ssl_state->server_connp.cert0_issuerdn);
Search(det_ctx->sgh->mpm_tlsissuer_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, buffer, buffer_len);
}
SCReturnUInt(ret); if (buffer_len >= mpm_ctx->minlen) {
(void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
}
} }
/** int PrefilterTxTlsIssuerRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
* \brief Run the pattern matcher against the TLS issuer buffer
*
* \param det_ctx Detection engine thread ctx
* \param f Locked flow
* \param ssl_state Initialized ssl state
*
* \retval cnt Number of matches
*/
uint32_t DetectTlsIssuerInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
SSLState *ssl_state)
{ {
SCEnter(); SCEnter();
uint8_t *buffer; return PrefilterAppendTxEngine(sgh, PrefilterTxTlsIssuer,
uint32_t buffer_len; ALPROTO_TLS, 0, // TODO a special 'cert ready' state might be good to add
uint32_t cnt = 0; mpm_ctx, NULL);
if (ssl_state->server_connp.cert0_issuerdn == NULL)
return 0;
buffer = (uint8_t *)ssl_state->server_connp.cert0_issuerdn;
buffer_len = strlen(ssl_state->server_connp.cert0_issuerdn);
cnt = TlsIssuerPatternSearch(det_ctx, buffer, buffer_len);
SCReturnUInt(cnt);
} }
/** \brief Do the content inspection and validation for a signature /** \brief Do the content inspection and validation for a signature
@ -237,61 +198,42 @@ int DetectEngineInspectTlsIssuer(ThreadVars *tv, DetectEngineCtx *de_ctx,
return cnt; return cnt;
} }
/** /** \brief TLS Subject Mpm prefilter callback
* \brief TLS subject match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx
* \param buffer Buffer to inspect
* \param buffer_len Buffer length
* *
* \retval ret Number of matches * \param det_ctx detection engine thread ctx
* \param p packet to inspect
* \param f flow to inspect
* \param txv tx to inspect
* \param pectx inspection context
*/ */
static inline uint32_t TlsSubjectPatternSearch(DetectEngineThreadCtx *det_ctx, static void PrefilterTxTlsSubject(DetectEngineThreadCtx *det_ctx, const void *pectx,
const uint8_t *buffer, Packet *p, Flow *f, void *txv,
const uint32_t buffer_len) const uint64_t idx, const uint8_t flags)
{ {
SCEnter(); SCEnter();
uint32_t ret = 0; const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
SSLState *ssl_state = f->alstate;
if (ssl_state->server_connp.cert0_issuerdn == NULL)
return;
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_tlssubject_ctx_ts == NULL); const uint8_t *buffer = (const uint8_t *)ssl_state->server_connp.cert0_subject;
const uint32_t buffer_len = strlen(ssl_state->server_connp.cert0_subject);
if (buffer_len >= det_ctx->sgh->mpm_tlssubject_ctx_ts->minlen) { if (buffer_len >= mpm_ctx->minlen) {
ret = mpm_table[det_ctx->sgh->mpm_tlssubject_ctx_ts->mpm_type]. (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
Search(det_ctx->sgh->mpm_tlssubject_ctx_ts, &det_ctx->mtcu, &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
&det_ctx->pmq, buffer, buffer_len);
} }
SCReturnUInt(ret);
} }
/** int PrefilterTxTlsSubjectRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
* \brief Run the pattern matcher against the TLS subject buffer
*
* \param det_ctx Detection engine thread ctx
* \param f Locked flow
* \param ssl_state Initialized ssl state
*
* \retval cnt Number of matches
*/
uint32_t DetectTlsSubjectInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
SSLState *ssl_state)
{ {
SCEnter(); SCEnter();
uint8_t *buffer; return PrefilterAppendTxEngine(sgh, PrefilterTxTlsSubject,
uint32_t buffer_len; ALPROTO_TLS, 0, // TODO a special 'cert ready' state might be good to add
uint32_t cnt = 0; mpm_ctx, NULL);
if (ssl_state->server_connp.cert0_subject == NULL)
return 0;
buffer = (uint8_t *)ssl_state->server_connp.cert0_subject;
buffer_len = strlen(ssl_state->server_connp.cert0_subject);
cnt = TlsSubjectPatternSearch(det_ctx, buffer, buffer_len);
SCReturnUInt(cnt);
} }
/** \brief Do the content inspection and validation for a signature /** \brief Do the content inspection and validation for a signature
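Review bot: PrefilterTxTlsSubject (hunk @ -237,61 +198,42) guards on `ssl_state->server_connp.cert0_issuerdn == NULL` but then takes its buffer and `strlen` from `cert0_subject`, so a state that has an issuer DN but no subject dereferences NULL; the guard should read `if (ssl_state->server_connp.cert0_subject == NULL) return;`, which is what the replaced DetectTlsSubjectInspectMpm checked. All three new callbacks also read `f->alstate` into `ssl_state` with no NULL check, whereas the branch removed from DetectMpmPrefilter bailed out on a NULL alstate; if the tx-engine dispatch only runs these with a live state that is fine, but a `DEBUG_VALIDATE_BUG_ON(ssl_state == NULL);` after the assignment would make the assumption explicit. Minor: `strlen()` is narrowed into a `uint32_t buffer_len` in each callback, which is presumably harmless for these fields but differs from the `size_t` the mpm Search signature may expect — worth confirming. The surrounding DetectEngineInspectTls* functions start and end outside these hunks.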

@ -23,6 +23,10 @@
#ifndef __DETECT_ENGINE_TLS_H__ #ifndef __DETECT_ENGINE_TLS_H__
#define __DETECT_ENGINE_TLS_H__ #define __DETECT_ENGINE_TLS_H__
int PrefilterTxTlsSniRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);
int PrefilterTxTlsIssuerRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);
int PrefilterTxTlsSubjectRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);
int DetectEngineInspectTlsSni(ThreadVars *tv, DetectEngineCtx *de_ctx, int DetectEngineInspectTlsSni(ThreadVars *tv, DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags, Signature *s, Flow *f, uint8_t flags,

@ -27,7 +27,5 @@
#include "app-layer-ssl.h" #include "app-layer-ssl.h"
void DetectTlsIssuerRegister(void); void DetectTlsIssuerRegister(void);
uint32_t DetectTlsIssuerInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
SSLState *ssl_state);
#endif /* __DETECT_TLS_ISSUER_H__ */ #endif /* __DETECT_TLS_ISSUER_H__ */

@ -27,7 +27,5 @@
#include "app-layer-ssl.h" #include "app-layer-ssl.h"
void DetectTlsSubjectRegister(void); void DetectTlsSubjectRegister(void);
uint32_t DetectTlsSubjectInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
SSLState *ssl_state);
#endif /* __DETECT_TLS_SUBJECT_H__ */ #endif /* __DETECT_TLS_SUBJECT_H__ */

@ -876,33 +876,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
/* have a look at the reassembled stream (if any) */ /* have a look at the reassembled stream (if any) */
if (p->flowflags & FLOW_PKT_ESTABLISHED) { if (p->flowflags & FLOW_PKT_ESTABLISHED) {
SCLogDebug("p->flowflags & FLOW_PKT_ESTABLISHED"); SCLogDebug("p->flowflags & FLOW_PKT_ESTABLISHED");
if (alproto == ALPROTO_TLS && has_state) {
void *alstate = FlowGetAppState(p->flow);
if (alstate == NULL) {
SCLogDebug("no alstate");
return;
}
if (p->flowflags & FLOW_PKT_TOSERVER) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_TLSSNI) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_TLSSNI);
DetectTlsSniInspectMpm(det_ctx, alstate);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSSNI);
}
} else if (p->flowflags & FLOW_PKT_TOCLIENT) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_TLSISSUER) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_TLSISSUER);
DetectTlsIssuerInspectMpm(det_ctx, p->flow, alstate);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSISSUER);
}
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_TLSSUBJECT) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_TLSSUBJECT);
DetectTlsSubjectInspectMpm(det_ctx, p->flow, alstate);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSSUBJECT);
}
}
}
} else { } else {
SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED"); SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
} }
