|
|
|
@ -75,22 +75,22 @@ static pcre *fingerprint_parse_regex;
|
|
|
|
|
static pcre_extra *fingerprint_parse_regex_study;
|
|
|
|
|
|
|
|
|
|
static int DetectTlsSubjectMatch (ThreadVars *, DetectEngineThreadCtx *,
|
|
|
|
|
Flow *, uint8_t, void *,
|
|
|
|
|
const Signature *, const SigMatchData *);
|
|
|
|
|
Flow *, uint8_t, void *, void *,
|
|
|
|
|
const Signature *, const SigMatchCtx *);
|
|
|
|
|
static int DetectTlsSubjectSetup (DetectEngineCtx *, Signature *, char *);
|
|
|
|
|
static void DetectTlsSubjectRegisterTests(void);
|
|
|
|
|
static void DetectTlsSubjectFree(void *);
|
|
|
|
|
|
|
|
|
|
static int DetectTlsIssuerDNMatch (ThreadVars *, DetectEngineThreadCtx *,
|
|
|
|
|
Flow *, uint8_t, void *,
|
|
|
|
|
const Signature *, const SigMatchData *);
|
|
|
|
|
Flow *, uint8_t, void *, void *,
|
|
|
|
|
const Signature *, const SigMatchCtx *);
|
|
|
|
|
static int DetectTlsIssuerDNSetup (DetectEngineCtx *, Signature *, char *);
|
|
|
|
|
static void DetectTlsIssuerDNRegisterTests(void);
|
|
|
|
|
static void DetectTlsIssuerDNFree(void *);
|
|
|
|
|
|
|
|
|
|
static int DetectTlsFingerprintMatch (ThreadVars *, DetectEngineThreadCtx *,
|
|
|
|
|
Flow *, uint8_t, void *,
|
|
|
|
|
const Signature *, const SigMatchData *);
|
|
|
|
|
Flow *, uint8_t, void *, void *,
|
|
|
|
|
const Signature *, const SigMatchCtx *);
|
|
|
|
|
static int DetectTlsFingerprintSetup (DetectEngineCtx *, Signature *, char *);
|
|
|
|
|
static void DetectTlsFingerprintFree(void *);
|
|
|
|
|
|
|
|
|
@ -98,6 +98,18 @@ static int DetectTlsStoreSetup (DetectEngineCtx *, Signature *, char *);
|
|
|
|
|
static int DetectTlsStorePostMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
|
|
|
|
|
Packet *, const Signature *s, const SigMatchCtx *unused);
|
|
|
|
|
|
|
|
|
|
static int g_tls_cert_list_id = 0;
|
|
|
|
|
|
|
|
|
|
static int InspectTlsCert(ThreadVars *tv,
|
|
|
|
|
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
|
|
|
|
|
const Signature *s, const SigMatchData *smd,
|
|
|
|
|
Flow *f, uint8_t flags, void *alstate,
|
|
|
|
|
void *txv, uint64_t tx_id)
|
|
|
|
|
{
|
|
|
|
|
return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
|
|
|
|
|
f, flags, alstate, txv, tx_id);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Registration function for keyword: tls.version
|
|
|
|
|
*/
|
|
|
|
@ -106,8 +118,7 @@ void DetectTlsRegister (void)
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject";
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field";
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_SUBJECT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlssubject";
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_SUBJECT].Match = NULL;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerMatch = DetectTlsSubjectMatch;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerTxMatch = DetectTlsSubjectMatch;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_SUBJECT].Setup = DetectTlsSubjectSetup;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_SUBJECT].Free = DetectTlsSubjectFree;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
|
|
|
|
@ -115,8 +126,7 @@ void DetectTlsRegister (void)
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn";
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field";
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_ISSUERDN].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsissuerdn";
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_ISSUERDN].Match = NULL;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerMatch = DetectTlsIssuerDNMatch;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerTxMatch = DetectTlsIssuerDNMatch;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_ISSUERDN].RegisterTests = DetectTlsIssuerDNRegisterTests;
|
|
|
|
@ -124,8 +134,7 @@ void DetectTlsRegister (void)
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint";
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint";
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsfingerprint";
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Match = NULL;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].AppLayerMatch = DetectTlsFingerprintMatch;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].AppLayerTxMatch = DetectTlsFingerprintMatch;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Setup = DetectTlsFingerprintSetup;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Free = DetectTlsFingerprintFree;
|
|
|
|
|
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].RegisterTests = NULL;
|
|
|
|
@ -146,6 +155,12 @@ void DetectTlsRegister (void)
|
|
|
|
|
&issuerdn_parse_regex, &issuerdn_parse_regex_study);
|
|
|
|
|
DetectSetupParseRegexes(PARSE_REGEX_FINGERPRINT,
|
|
|
|
|
&fingerprint_parse_regex, &fingerprint_parse_regex_study);
|
|
|
|
|
|
|
|
|
|
g_tls_cert_list_id = DetectBufferTypeRegister("tls_cert");
|
|
|
|
|
|
|
|
|
|
DetectAppLayerInspectEngineRegister("tls_cert",
|
|
|
|
|
ALPROTO_TLS, SIG_FLAG_TOCLIENT,
|
|
|
|
|
InspectTlsCert);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
@ -160,12 +175,12 @@ void DetectTlsRegister (void)
|
|
|
|
|
* \retval 1 match
|
|
|
|
|
*/
|
|
|
|
|
static int DetectTlsSubjectMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
|
|
|
|
|
Flow *f, uint8_t flags, void *state,
|
|
|
|
|
const Signature *s, const SigMatchData *m)
|
|
|
|
|
Flow *f, uint8_t flags, void *state, void *txv,
|
|
|
|
|
const Signature *s, const SigMatchCtx *m)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
const DetectTlsData *tls_data = (const DetectTlsData *)m->ctx;
|
|
|
|
|
const DetectTlsData *tls_data = (const DetectTlsData *)m;
|
|
|
|
|
SSLState *ssl_state = (SSLState *)state;
|
|
|
|
|
if (ssl_state == NULL) {
|
|
|
|
|
SCLogDebug("no tls state, no match");
|
|
|
|
@ -304,6 +319,11 @@ static int DetectTlsSubjectSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
|
|
|
|
|
DetectTlsData *tls = NULL;
|
|
|
|
|
SigMatch *sm = NULL;
|
|
|
|
|
|
|
|
|
|
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
|
|
|
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tls = DetectTlsSubjectParse(str);
|
|
|
|
|
if (tls == NULL)
|
|
|
|
|
goto error;
|
|
|
|
@ -314,18 +334,13 @@ static int DetectTlsSubjectSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
|
|
|
|
|
if (sm == NULL)
|
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
|
|
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
|
|
|
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sm->type = DETECT_AL_TLS_SUBJECT;
|
|
|
|
|
sm->ctx = (void *)tls;
|
|
|
|
|
|
|
|
|
|
s->flags |= SIG_FLAG_APPLAYER;
|
|
|
|
|
s->alproto = ALPROTO_TLS;
|
|
|
|
|
|
|
|
|
|
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
|
|
|
|
|
SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
@ -372,12 +387,12 @@ static void DetectTlsSubjectRegisterTests(void)
|
|
|
|
|
* \retval 1 match
|
|
|
|
|
*/
|
|
|
|
|
static int DetectTlsIssuerDNMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
|
|
|
|
|
Flow *f, uint8_t flags, void *state,
|
|
|
|
|
const Signature *s, const SigMatchData *m)
|
|
|
|
|
Flow *f, uint8_t flags, void *state, void *txv,
|
|
|
|
|
const Signature *s, const SigMatchCtx *m)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
const DetectTlsData *tls_data = (const DetectTlsData *)m->ctx;
|
|
|
|
|
const DetectTlsData *tls_data = (const DetectTlsData *)m;
|
|
|
|
|
SSLState *ssl_state = (SSLState *)state;
|
|
|
|
|
if (ssl_state == NULL) {
|
|
|
|
|
SCLogDebug("no tls state, no match");
|
|
|
|
@ -517,6 +532,11 @@ static int DetectTlsIssuerDNSetup (DetectEngineCtx *de_ctx, Signature *s, char *
|
|
|
|
|
DetectTlsData *tls = NULL;
|
|
|
|
|
SigMatch *sm = NULL;
|
|
|
|
|
|
|
|
|
|
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
|
|
|
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tls = DetectTlsIssuerDNParse(str);
|
|
|
|
|
if (tls == NULL)
|
|
|
|
|
goto error;
|
|
|
|
@ -527,18 +547,13 @@ static int DetectTlsIssuerDNSetup (DetectEngineCtx *de_ctx, Signature *s, char *
|
|
|
|
|
if (sm == NULL)
|
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
|
|
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
|
|
|
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sm->type = DETECT_AL_TLS_ISSUERDN;
|
|
|
|
|
sm->ctx = (void *)tls;
|
|
|
|
|
|
|
|
|
|
s->flags |= SIG_FLAG_APPLAYER;
|
|
|
|
|
s->alproto = ALPROTO_TLS;
|
|
|
|
|
|
|
|
|
|
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
|
|
|
|
|
SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
@ -656,11 +671,11 @@ error:
|
|
|
|
|
* \retval 1 match
|
|
|
|
|
*/
|
|
|
|
|
static int DetectTlsFingerprintMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
|
|
|
|
|
Flow *f, uint8_t flags, void *state,
|
|
|
|
|
const Signature *s, const SigMatchData *m)
|
|
|
|
|
Flow *f, uint8_t flags, void *state, void *txv,
|
|
|
|
|
const Signature *s, const SigMatchCtx *m)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
const DetectTlsData *tls_data = (const DetectTlsData *)m->ctx;
|
|
|
|
|
const DetectTlsData *tls_data = (const DetectTlsData *)m;
|
|
|
|
|
SSLState *ssl_state = (SSLState *)state;
|
|
|
|
|
if (ssl_state == NULL) {
|
|
|
|
|
SCLogDebug("no tls state, no match");
|
|
|
|
@ -720,6 +735,11 @@ static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, cha
|
|
|
|
|
DetectTlsData *tls = NULL;
|
|
|
|
|
SigMatch *sm = NULL;
|
|
|
|
|
|
|
|
|
|
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
|
|
|
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tls = DetectTlsFingerprintParse(str);
|
|
|
|
|
if (tls == NULL)
|
|
|
|
|
goto error;
|
|
|
|
@ -730,18 +750,13 @@ static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, cha
|
|
|
|
|
if (sm == NULL)
|
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
|
|
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
|
|
|
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sm->type = DETECT_AL_TLS_FINGERPRINT;
|
|
|
|
|
sm->ctx = (void *)tls;
|
|
|
|
|
|
|
|
|
|
s->flags |= SIG_FLAG_APPLAYER;
|
|
|
|
|
s->alproto = ALPROTO_TLS;
|
|
|
|
|
|
|
|
|
|
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
|
|
|
|
|
SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
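Review bot: The three Setup functions (this hunk, and the DetectTlsIssuerDNSetup and DetectTlsSubjectSetup hunks above) now append the SigMatch to `g_tls_cert_list_id`, while `DetectTlsRegister` registers the `tls_cert` inspect engine for `SIG_FLAG_TOCLIENT` only; as far as these hunks show, a rule that also carries a to-server direction would load but its certificate keyword would never be inspected, so the rule silently stops matching. If no other part of the engine rejects that combination, the setup path should refuse it, or the keyword documentation should state that tls.subject, tls.issuerdn and tls.fingerprint match only in the to-client direction. The new `InspectTlsCert` wrapper in the second hunk has no header comment; a line such as `/** \brief Inspect-engine callback for the tls_cert list; delegates to DetectEngineInspectGenericList. */` would match the file's Doxygen style. The conflict check, parse and SigMatchAlloc sequence is now identical in all three Setup functions and could be factored into one static helper. Each Setup function's `error:` label lies outside its hunk.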