From 48a5ea9df05861c75a49a79b76e64be93e23f12b Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Fri, 23 Mar 2018 15:53:08 +0100
Subject: [PATCH] detect-tls-cert-serial: add content validation callback

Validate that the content that follows the 'tls_cert_serial' keyword is on the correct form. If it's longer than two bytes it should be separated by colons.
---
 src/detect-tls-cert-serial.c | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/src/detect-tls-cert-serial.c b/src/detect-tls-cert-serial.c
index 6208d5b91e..6514ac5ef0 100644
--- a/src/detect-tls-cert-serial.c
+++ b/src/detect-tls-cert-serial.c
@@ -60,6 +60,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const DetectEngineTransforms *transforms, Flow *_f,
 const uint8_t _flow_flags, void *txv, const int list_id);
 
+static _Bool DetectTlsSerialValidateCallback(const Signature *s,
+ const char **sigerror);
 static int g_tls_cert_serial_buffer_id = 0;
 
 /**
@@ -88,6 +90,9 @@ void DetectTlsSerialRegister(void)
 DetectBufferTypeSetDescriptionByName("tls_cert_serial",
 "TLS certificate serial number");
 
+ DetectBufferTypeRegisterValidateCallback("tls_cert_serial",
+ DetectTlsSerialValidateCallback);
+
 g_tls_cert_serial_buffer_id = DetectBufferTypeGetByName("tls_cert_serial");
 }
 
@@ -134,6 +139,37 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 return buffer;
 }
 
+static _Bool DetectTlsSerialValidateCallback(const Signature *s,
+ const char **sigerror)
+{
+ const SigMatch *sm = s->init_data->smlists[g_tls_cert_serial_buffer_id];
+ for ( ; sm != NULL; sm = sm->next)
+ {
+ if (sm->type != DETECT_CONTENT)
+ continue;
+
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+ /* no need to worry about this if the content is short enough */
+ if (cd->content_len <= 2)
+ return TRUE;
+
+ uint32_t u;
+ for (u = 0; u < cd->content_len; u++)
+ if (cd->content[u] == ':')
+ return TRUE;
+
+ *sigerror = "No colon delimiters ':' detected in content after "
+ "tls_cert_serial. This rule will therefore never "
+ "match.";
+ SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
 #ifdef UNITTESTS
 
 /**
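Review bot: DetectTlsSerialValidateCallback returns TRUE at the first DETECT_CONTENT that passes, so when a rule carries several content matches on the tls_cert_serial buffer only the first one is validated; a short first content (`content_len <= 2`) exits before any later, possibly malformed, content is examined. Replacing the two early `return TRUE;` exits with a `continue` keeps the loop scanning every match — e.g. `if (cd->content_len <= 2 || memchr(cd->content, ':', cd->content_len) != NULL) continue;` (memchr needs string.h in scope; the existing byte loop works too) — and the final `return TRUE;` then covers the all-passed case. Note also that the check only requires a single ':' somewhere in the content, which is weaker than the "separated by colons" rule in the commit message; a content such as `AB:CDEF` still passes, so this is a best-effort hint rather than a full format check. A short header comment such as `/** \brief Reject a tls_cert_serial content longer than two bytes that carries no ':' delimiter, since such a rule can never match. */` would document the callback's contract.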