diff --git a/src/Makefile.am b/src/Makefile.am index 37a134cd1f..b941a09e91 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -89,6 +89,7 @@ detect-distance.c detect-distance.h \ detect-dns-query.c detect-dns-query.h \ detect-tls-sni.c detect-tls-sni.h \ detect-tls-cert-issuer.c detect-tls-cert-issuer.h \ +detect-tls-cert-subject.c detect-tls-cert-subject.h \ detect-dsize.c detect-dsize.h \ detect-engine-address.c detect-engine-address.h \ detect-engine-address-ipv4.c detect-engine-address-ipv4.h \ diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index b6bbc86140..2933c0a6d2 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -482,6 +482,8 @@ static void EngineAnalysisRulesPrintFP(const Signature *s) fprintf(rule_engine_analysis_FD, "tls sni extension content"); else if (list_type == DETECT_SM_LIST_TLSISSUER_MATCH) fprintf(rule_engine_analysis_FD, "tls issuer content"); + else if (list_type == DETECT_SM_LIST_TLSSUBJECT_MATCH) + fprintf(rule_engine_analysis_FD, "tls subject content"); fprintf(rule_engine_analysis_FD, "\" buffer.\n"); diff --git a/src/detect-engine-content-inspection.h b/src/detect-engine-content-inspection.h index 9402a66fd8..3fc4b451e9 100644 --- a/src/detect-engine-content-inspection.h +++ b/src/detect-engine-content-inspection.h @@ -51,6 +51,7 @@ enum { DETECT_ENGINE_CONTENT_INSPECTION_MODE_DNSQUERY, DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSSNI, DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSISSUER, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSSUBJECT, DETECT_ENGINE_CONTENT_INSPECTION_MODE_FD_SMTP, DETECT_ENGINE_CONTENT_INSPECTION_MODE_BASE64, DETECT_ENGINE_CONTENT_INSPECTION_MODE_TEMPLATE_BUFFER, diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index aadb359941..f078d6d1e3 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -108,6 +108,7 @@ AppLayerMpms app_mpms[] = { { "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH, SIG_GROUP_HEAD_MPM_TLSSNI, 18}, { "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH, SIG_GROUP_HEAD_MPM_TLSISSUER, 19}, + { "tls_cert_subject", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSSUBJECT_MATCH, SIG_GROUP_HEAD_MPM_TLSSUBJECT, 20}, { NULL, 0, 0, 0, 0, 0, } }; @@ -1222,8 +1223,9 @@ void MpmStoreFixup(SigGroupHead *sgh) SET_TS(sgh, sgh->mpm_tlssni_ctx_ts); SET_TC(sgh, sgh->mpm_tlsissuer_ctx_ts); + SET_TC(sgh, sgh->mpm_tlssubject_ctx_ts); - BUG_ON(APP_MPMS_MAX != 20 || i != 20); + BUG_ON(APP_MPMS_MAX != 21 || i != 21); #undef SET_TS #undef SET_TC diff --git a/src/detect-engine-state.h b/src/detect-engine-state.h index 903920b353..7757ce8953 100644 --- a/src/detect-engine-state.h +++ b/src/detect-engine-state.h @@ -89,8 +89,9 @@ #define DE_STATE_FLAG_DNSRESPONSE_INSPECT BIT_U32(23) #define DE_STATE_FLAG_TLSSNI_INSPECT BIT_U32(24) #define DE_STATE_FLAG_TLSISSUER_INSPECT BIT_U32(25) -#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(26) -#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT BIT_U32(27) +#define DE_STATE_FLAG_TLSSUBJECT_INSPECT BIT_U32(26) +#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(27) +#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT BIT_U32(28) /* state flags */ #define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001 diff --git a/src/detect-engine-tls.c b/src/detect-engine-tls.c index 91e3ed2004..1d3e8641b9 100644 --- a/src/detect-engine-tls.c +++ b/src/detect-engine-tls.c @@ -242,3 +242,102 @@ int DetectEngineInspectTlsIssuer(ThreadVars *tv, DetectEngineCtx *de_ctx, return cnt; } + +/** + * \brief TLS subject match -- searches for one pattern per signature. + * + * \param det_ctx Detection engine thread ctx + * \param hrh Buffer to inspect + * \param hrh_len Buffer length + * \param flags Flags + * + * \retval ret Number of matches + */ +static inline uint32_t TlsSubjectPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *buffer, + const uint32_t buffer_len, + const uint8_t flags) +{ + SCEnter(); + + uint32_t ret = 0; + + DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOSERVER); + DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_tlssubject_ctx_ts == NULL); + + if (buffer_len >= det_ctx->sgh->mpm_tlssubject_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_tlssubject_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_tlssubject_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, buffer, buffer_len); + } + + SCReturnUInt(ret); +} + +/** + * \brief Run the pattern matcher against the TLS subject buffer + * + * \param det_ctx Detection engine thread ctx + * \param f Locked flow + * \param dns_state Initialized dns state + * \param flags Flags + * + * \retval cnt Number of matches + */ +uint32_t DetectTlsSubjectInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f, + SSLState *ssl_state, uint8_t flags) +{ + SCEnter(); + + uint8_t *buffer; + uint32_t buffer_len; + uint32_t cnt = 0; + + if (ssl_state->server_connp.cert0_subject == NULL) + return 0; + + buffer = (uint8_t *)ssl_state->server_connp.cert0_subject; + buffer_len = strlen(ssl_state->server_connp.cert0_subject); + + cnt = TlsSubjectPatternSearch(det_ctx, buffer, buffer_len, flags); + + SCReturnUInt(cnt); +} + +/** \brief Do the content inspection and validation for a signature + * + * \param de_ctx Detection engine context + * \param det_ctx Detection engine thread context + * \param s Signature to inspect + * \param sm SigMatch to inspect + * \param f Flow + * \param flags App layer flags + * \param state App layer state + * + * \retval 0 No match + * \retval 1 Match + */ +int DetectEngineInspectTlsSubject(ThreadVars *tv, DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, Signature *s, + Flow *f, uint8_t flags, void *alstate, void *txv, + uint64_t tx_id) +{ + uint8_t *buffer; + uint16_t buffer_len; + int cnt = 0; + + SSLState *ssl_state = (SSLState *)alstate; + + if (ssl_state->server_connp.cert0_subject == NULL) + return 0; + + buffer = (uint8_t *)ssl_state->server_connp.cert0_subject; + buffer_len = strlen(ssl_state->server_connp.cert0_subject); + + cnt = DetectEngineContentInspection(de_ctx, det_ctx, s, + s->sm_lists[DETECT_SM_LIST_TLSSUBJECT_MATCH], + f, buffer, buffer_len, 0, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSSUBJECT, NULL); + + return cnt; +} diff --git a/src/detect-engine-tls.h b/src/detect-engine-tls.h index b10d2a4000..547b637613 100644 --- a/src/detect-engine-tls.h +++ b/src/detect-engine-tls.h @@ -33,4 +33,9 @@ int DetectEngineInspectTlsIssuer(ThreadVars *tv, DetectEngineCtx *de_ctx, Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id); +int DetectEngineInspectTlsSubject(ThreadVars *tv, DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *s, Flow *f, uint8_t flags, + void *alstate, void *txv, uint64_t tx_id); + #endif /* __DETECT_ENGINE_TLS_H__ */ diff --git a/src/detect-engine.c b/src/detect-engine.c index 1b2cd0c9c0..a6fefbd155 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -371,6 +371,12 @@ void DetectEngineRegisterAppInspectionEngines(void) DE_STATE_FLAG_TLSISSUER_INSPECT, 1, DetectEngineInspectTlsIssuer }, + { IPPROTO_TCP, + ALPROTO_TLS, + DETECT_SM_LIST_TLSSUBJECT_MATCH, + DE_STATE_FLAG_TLSSUBJECT_INSPECT, + 1, + DetectEngineInspectTlsSubject }, /* specifically for UDP, register again * allows us to use the alproto w/o translation * in the detection engine */ @@ -2750,6 +2756,8 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type) return "tls sni extension"; case DETECT_SM_LIST_TLSISSUER_MATCH: return "tls issuer"; + case DETECT_SM_LIST_TLSSUBJECT_MATCH: + return "tls subject"; case DETECT_SM_LIST_MODBUS_MATCH: return "modbus"; diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 55ceb6fa0c..b2e5694167 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -138,6 +138,7 @@ void SupportFastPatternForSigMatchTypes(void) SupportFastPatternForSigMatchList(DETECT_SM_LIST_TLSSNI_MATCH, 2); SupportFastPatternForSigMatchList(DETECT_SM_LIST_TLSISSUER_MATCH, 2); + SupportFastPatternForSigMatchList(DETECT_SM_LIST_TLSSUBJECT_MATCH, 2); #if 0 SCFPSupportSMList *tmp = sm_fp_support_smlist_list; @@ -207,15 +208,16 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH] == NULL && s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH] == NULL && s->sm_lists_tail[DETECT_SM_LIST_TLSSNI_MATCH] == NULL && - s->sm_lists_tail[DETECT_SM_LIST_TLSISSUER_MATCH] == NULL) { + s->sm_lists_tail[DETECT_SM_LIST_TLSISSUER_MATCH] == NULL && + s->sm_lists_tail[DETECT_SM_LIST_TLSSUBJECT_MATCH] == NULL) { SCLogWarning(SC_WARN_COMPATIBILITY, "fast_pattern found inside the " "rule, without a preceding content based keyword. " "Currently we provide fast_pattern support for content, " "uricontent, http_client_body, http_server_body, http_header, " "http_raw_header, http_method, http_cookie, " "http_raw_uri, http_stat_msg, http_stat_code, " - "http_user_agent, http_host, http_raw_host, " - "dns_query, tls_sni or tls_cert_issuer option"); + "http_user_agent, http_host, http_raw_host, dns_query, " + "tls_sni, tls_cert_issuer or tls_cert_subject option"); return -1; } @@ -236,7 +238,8 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_TLSSNI_MATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_TLSISSUER_MATCH]); + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_TLSISSUER_MATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_TLSSUBJECT_MATCH]); if (pm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside " "the rule, without a content context. Please use a " diff --git a/src/detect-parse.c b/src/detect-parse.c index 8b8158b5c5..1427565ecf 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -166,6 +166,7 @@ const char *DetectListToHumanString(int list) CASE_CODE_STRING(DETECT_SM_LIST_DNSQUERYNAME_MATCH, "dns_query"); CASE_CODE_STRING(DETECT_SM_LIST_TLSSNI_MATCH, "tls_sni"); CASE_CODE_STRING(DETECT_SM_LIST_TLSISSUER_MATCH, "tls_cert_issuer"); + CASE_CODE_STRING(DETECT_SM_LIST_TLSSUBJECT_MATCH, "tls_cert_subject"); CASE_CODE_STRING(DETECT_SM_LIST_MODBUS_MATCH, "modbus"); CASE_CODE_STRING(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH, "template"); CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch"); @@ -208,6 +209,7 @@ const char *DetectListToString(int list) CASE_CODE(DETECT_SM_LIST_DNSQUERYNAME_MATCH); CASE_CODE(DETECT_SM_LIST_TLSSNI_MATCH); CASE_CODE(DETECT_SM_LIST_TLSISSUER_MATCH); + CASE_CODE(DETECT_SM_LIST_TLSSUBJECT_MATCH); CASE_CODE(DETECT_SM_LIST_MODBUS_MATCH); CASE_CODE(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH); CASE_CODE(DETECT_SM_LIST_POSTMATCH); @@ -1563,6 +1565,8 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr, sig->flags |= SIG_FLAG_STATE_MATCH; if (sig->sm_lists[DETECT_SM_LIST_TLSISSUER_MATCH]) sig->flags |= SIG_FLAG_STATE_MATCH; + if (sig->sm_lists[DETECT_SM_LIST_TLSSUBJECT_MATCH]) + sig->flags |= SIG_FLAG_STATE_MATCH; if (sig->sm_lists[DETECT_SM_LIST_MODBUS_MATCH]) sig->flags |= SIG_FLAG_STATE_MATCH; diff --git a/src/detect-tls-cert-subject.c b/src/detect-tls-cert-subject.c new file mode 100644 index 0000000000..63ad00d44f --- /dev/null +++ b/src/detect-tls-cert-subject.c @@ -0,0 +1,100 @@ +/* Copyright (C) 2007-2016 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Mats Klepsland + * + * Implements support for tls_cert_subject keyword. + */ + +#include "suricata-common.h" +#include "threads.h" +#include "debug.h" +#include "decode.h" +#include "detect.h" + +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-content.h" +#include "detect-pcre.h" + +#include "flow.h" +#include "flow-util.h" +#include "flow-var.h" + +#include "util-debug.h" +#include "util-unittest.h" +#include "util-spm.h" +#include "util-print.h" + +#include "stream-tcp.h" + +#include "app-layer.h" +#include "app-layer-ssl.h" + +#include "util-unittest.h" +#include "util-unittest-helper.h" + +static int DetectTlsSubjectSetup(DetectEngineCtx *, Signature *, char *); +static void DetectTlsSubjectRegisterTests(void); + +/** + * \brief Registration function for keyword: tls_cert_issuer + */ +void DetectTlsSubjectRegister(void) +{ + sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls_cert_subject"; + sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].desc = "content modifier to match specifically and only on the TLS cert subject buffer"; + sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Match = NULL; + sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].AppLayerMatch = NULL; + sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Setup = DetectTlsSubjectSetup; + sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Free = NULL; + sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests; + + sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_PAYLOAD; +} + +/** + * \brief this function setup the tls_cert_subject modifier keyword used in the rule + * + * \param de_ctx Pointer to the Detection Engine Context + * \param s Pointer to the Signature to which the current keyword belongs + * \param str Should hold an empty string always + * + * \retval 0 On success + */ +static int DetectTlsSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, char *str) +{ + s->list = DETECT_SM_LIST_TLSSUBJECT_MATCH; + s->alproto = ALPROTO_TLS; + return 0; +} + +#ifdef UNITTESTS + /* TODO add unit tests */ +#endif + +static void DetectTlsSubjectRegisterTests(void) +{ +#ifdef UNITTESTS + /* TODO add unit tests */ +#endif +} diff --git a/src/detect-tls-cert-subject.h b/src/detect-tls-cert-subject.h new file mode 100644 index 0000000000..e8fd1d3f99 --- /dev/null +++ b/src/detect-tls-cert-subject.h @@ -0,0 +1,33 @@ +/* Copyright (C) 2016 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Mats Klepsland + */ + +#ifndef __DETECT_TLS_SUBJECT_H__ +#define __DETECT_TLS_SUBJECT_H__ + +#include "app-layer-ssl.h" + +void DetectTlsSubjectRegister(void); +uint32_t DetectTlsSubjectInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f, + SSLState *ssl_state, uint8_t flags); + +#endif /* __DETECT_TLS_SUBJECT_H__ */ diff --git a/src/detect.c b/src/detect.c index 1c0640dc7a..c2ad76245a 100644 --- a/src/detect.c +++ b/src/detect.c @@ -50,6 +50,7 @@ #include "detect-dns-query.h" #include "detect-tls-sni.h" #include "detect-tls-cert-issuer.h" +#include "detect-tls-cert-subject.h" #include "detect-engine-state.h" #include "detect-engine-analyzer.h" #include "detect-engine-filedata-smtp.h" @@ -1028,30 +1029,29 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, } } } else if (alproto == ALPROTO_TLS && has_state) { + void *alstate = FlowGetAppState(p->flow); + if (alstate == NULL) { + SCLogDebug("no alstate"); + return; + } + if (p->flowflags & FLOW_PKT_TOSERVER) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_TLSSNI) { - void *alstate = FlowGetAppState(p->flow); - if (alstate == NULL) { - SCLogDebug("no alstate"); - return; - } - PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_TLSSNI); DetectTlsSniInspectMpm(det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSSNI); } } else if (p->flowflags & FLOW_PKT_TOCLIENT) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_TLSISSUER) { - void *alstate = FlowGetAppState(p->flow); - if (alstate == NULL) { - SCLogDebug("no alstate"); - return; - } - PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_TLSISSUER); DetectTlsIssuerInspectMpm(det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSISSUER); } + if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_TLSSUBJECT) { + PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_TLSSUBJECT); + DetectTlsSubjectInspectMpm(det_ctx, p->flow, alstate, flags); + PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSSUBJECT); + } } } else if (alproto == ALPROTO_SMTP && has_state) { if (p->flowflags & FLOW_PKT_TOSERVER) { @@ -4388,6 +4388,7 @@ void SigTableSetup(void) DetectDnsQueryRegister(); DetectTlsSniRegister(); DetectTlsIssuerRegister(); + DetectTlsSubjectRegister(); DetectModbusRegister(); DetectAppLayerProtocolRegister(); DetectBase64DecodeRegister(); diff --git a/src/detect.h b/src/detect.h index 09d5bac6f1..d5562ba534 100644 --- a/src/detect.h +++ b/src/detect.h @@ -126,6 +126,7 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_TLSSNI_MATCH, DETECT_SM_LIST_TLSISSUER_MATCH, + DETECT_SM_LIST_TLSSUBJECT_MATCH, DETECT_SM_LIST_MODBUS_MATCH, @@ -938,9 +939,10 @@ typedef struct SigTableElmt_ { #define SIG_GROUP_HEAD_MPM_DNSQUERY (1 << 23) #define SIG_GROUP_HEAD_MPM_TLSSNI (1 << 24) #define SIG_GROUP_HEAD_MPM_TLSISSUER (1 << 25) -#define SIG_GROUP_HEAD_MPM_FD_SMTP (1 << 26) +#define SIG_GROUP_HEAD_MPM_TLSSUBJECT (1 << 26) +#define SIG_GROUP_HEAD_MPM_FD_SMTP (1 << 27) -#define APP_MPMS_MAX 20 +#define APP_MPMS_MAX 21 enum MpmBuiltinBuffers { MPMB_TCP_PKT_TS, @@ -1020,6 +1022,7 @@ typedef struct SigGroupHead_ { const MpmCtx *mpm_dnsquery_ctx_ts; const MpmCtx *mpm_tlssni_ctx_ts; const MpmCtx *mpm_tlsissuer_ctx_ts; + const MpmCtx *mpm_tlssubject_ctx_ts; const MpmCtx *mpm_smtp_filedata_ctx_ts; }; struct { diff --git a/src/suricata-common.h b/src/suricata-common.h index 4b6ec9694b..09887df58e 100644 --- a/src/suricata-common.h +++ b/src/suricata-common.h @@ -329,6 +329,7 @@ typedef enum PacketProfileDetectId_ { PROF_DETECT_MPM_DNSQUERY, PROF_DETECT_MPM_TLSSNI, PROF_DETECT_MPM_TLSISSUER, + PROF_DETECT_MPM_TLSSUBJECT, PROF_DETECT_IPONLY, PROF_DETECT_RULES, PROF_DETECT_STATEFUL, diff --git a/src/util-profiling.c b/src/util-profiling.c index ec09cbdc48..8ee1fcb1c4 100644 --- a/src/util-profiling.c +++ b/src/util-profiling.c @@ -1227,6 +1227,7 @@ const char * PacketProfileDetectIdToString(PacketProfileDetectId id) CASE_CODE (PROF_DETECT_MPM_DNSQUERY); CASE_CODE (PROF_DETECT_MPM_TLSSNI); CASE_CODE (PROF_DETECT_MPM_TLSISSUER); + CASE_CODE (PROF_DETECT_MPM_TLSSUBJECT); CASE_CODE (PROF_DETECT_IPONLY); CASE_CODE (PROF_DETECT_RULES); CASE_CODE (PROF_DETECT_PREFILTER);