diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 06647980c2..5eb47f8af4 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -446,12 +446,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
 fprintf(rule_engine_analysis_FD, "%s", payload ? (stream ? "payload and reassembled stream" : "payload") : "reassembled stream");
 }
- else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH)
- fprintf(rule_engine_analysis_FD, "tls sni extension content");
- else if (list_type == DETECT_SM_LIST_TLSISSUER_MATCH)
- fprintf(rule_engine_analysis_FD, "tls issuer content");
- else if (list_type == DETECT_SM_LIST_TLSSUBJECT_MATCH)
- fprintf(rule_engine_analysis_FD, "tls subject content");
 else if (list_type == DETECT_SM_LIST_DNP3_DATA_MATCH)
 fprintf(rule_engine_analysis_FD, "dnp3 data content");
 else {
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 994a44290a..32b94f4ab4 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2811,15 +2811,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
 case DETECT_SM_LIST_FILEMATCH:
 return "file";
- case DETECT_SM_LIST_TLSSNI_MATCH:
- return "tls sni extension";
- case DETECT_SM_LIST_TLSISSUER_MATCH:
- return "tls issuer";
- case DETECT_SM_LIST_TLSSUBJECT_MATCH:
- return "tls subject";
- case DETECT_SM_LIST_TLSVALIDITY_MATCH:
- return "tls validity";
-
 case DETECT_SM_LIST_MODBUS_MATCH:
 return "modbus";
 case DETECT_SM_LIST_DNP3_DATA_MATCH:
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 3354847069..bdfe4bd471 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -146,10 +146,6 @@ const char *DetectListToHumanString(int list)
 CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
 CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag");
 CASE_CODE_STRING(DETECT_SM_LIST_FILEMATCH, "file");
- CASE_CODE_STRING(DETECT_SM_LIST_TLSSNI_MATCH, "tls_sni");
- CASE_CODE_STRING(DETECT_SM_LIST_TLSISSUER_MATCH, "tls_cert_issuer");
- CASE_CODE_STRING(DETECT_SM_LIST_TLSSUBJECT_MATCH, "tls_cert_subject");
- CASE_CODE_STRING(DETECT_SM_LIST_TLSVALIDITY_MATCH, "tls_cert_validity");
 CASE_CODE_STRING(DETECT_SM_LIST_MODBUS_MATCH, "modbus");
 CASE_CODE_STRING(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH, "template");
 CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch");
@@ -173,10 +169,6 @@ const char *DetectListToString(int list)
 CASE_CODE(DETECT_SM_LIST_DMATCH);
 CASE_CODE(DETECT_SM_LIST_TMATCH);
 CASE_CODE(DETECT_SM_LIST_FILEMATCH);
- CASE_CODE(DETECT_SM_LIST_TLSSNI_MATCH);
- CASE_CODE(DETECT_SM_LIST_TLSISSUER_MATCH);
- CASE_CODE(DETECT_SM_LIST_TLSSUBJECT_MATCH);
- CASE_CODE(DETECT_SM_LIST_TLSVALIDITY_MATCH);
 CASE_CODE(DETECT_SM_LIST_MODBUS_MATCH);
 CASE_CODE(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH);
 CASE_CODE(DETECT_SM_LIST_POSTMATCH);
diff --git a/src/detect-tls-cert-issuer.c b/src/detect-tls-cert-issuer.c
index 10e697c6f3..f3fa104da8 100644
--- a/src/detect-tls-cert-issuer.c
+++ b/src/detect-tls-cert-issuer.c
@@ -55,6 +55,7 @@ static int DetectTlsIssuerSetup(DetectEngineCtx *, Signature *, char *);
 static void DetectTlsIssuerRegisterTests(void);
+static int g_tls_cert_issuer_buffer_id = 0;
 /**
 * \brief Registration function for keyword: tls_cert_issuer
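Review bot: `g_tls_cert_issuer_buffer_id` is initialised to 0 in src/detect-tls-cert-issuer.c, and 0 is presumably a valid list id as well (the first member of `DetectSigmatchListEnum`, not fully visible in this diff), so an id that was never assigned looks like a real one. If `DetectTlsIssuerSetup` ran before registration, the rule's content would be attached to an unrelated list and the signature would load but not inspect the issuer, which is a silent detection gap. Consider a sentinel, `static int g_tls_cert_issuer_buffer_id = -1;`, with `if (g_tls_cert_issuer_buffer_id < 0) return -1;` at the top of the setup function (assuming a negative return is how setup failure is reported here). The same applies to `g_tls_cert_subject_buffer_id`, `g_tls_validity_buffer_id` and `g_tls_sni_buffer_id` in the later files. A short comment on each global, such as `/* buffer id, assigned once in the Register function */`, would document the lifetime.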
@@ -73,13 +74,14 @@ void DetectTlsIssuerRegister(void)
 sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_NOOPT;
 sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_PAYLOAD;
- DetectMpmAppLayerRegister("tls_cert_issuer", SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_TLSISSUER_MATCH, 2,
+ DetectAppLayerMpmRegister("tls_cert_issuer", SIG_FLAG_TOCLIENT, 2,
 PrefilterTxTlsIssuerRegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_TLSISSUER_MATCH,
+ DetectAppLayerInspectEngineRegister2("tls_cert_issuer",
+ ALPROTO_TLS, SIG_FLAG_TOCLIENT,
 DetectEngineInspectTlsIssuer);
+
+ g_tls_cert_issuer_buffer_id = DetectBufferTypeGetByName("tls_cert_issuer");
 }
@@ -94,7 +96,7 @@ void DetectTlsIssuerRegister(void)
 */
 static int DetectTlsIssuerSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
 {
- s->init_data->list = DETECT_SM_LIST_TLSISSUER_MATCH;
+ s->init_data->list = g_tls_cert_issuer_buffer_id;
 s->alproto = ALPROTO_TLS;
 return 0;
 }
@@ -123,7 +125,7 @@ static int DetectTlsIssuerTest01(void)
 sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
 FAIL_IF_NOT_NULL(sm);
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_TLSISSUER_MATCH];
+ sm = de_ctx->sig_list->sm_lists[g_tls_cert_issuer_buffer_id];
 FAIL_IF_NULL(sm);
 FAIL_IF(sm->type != DETECT_CONTENT);
diff --git a/src/detect-tls-cert-subject.c b/src/detect-tls-cert-subject.c
index 02431a19c6..33d4d51161 100644
--- a/src/detect-tls-cert-subject.c
+++ b/src/detect-tls-cert-subject.c
@@ -55,6 +55,7 @@ static int DetectTlsSubjectSetup(DetectEngineCtx *, Signature *, char *);
 static void DetectTlsSubjectRegisterTests(void);
+static int g_tls_cert_subject_buffer_id = 0;
 /**
 * \brief Registration function for keyword: tls_cert_issuer
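Review bot: In `DetectTlsIssuerRegister` the result of `DetectBufferTypeGetByName("tls_cert_issuer")` is stored without a check, and that value later becomes `s->init_data->list` in `DetectTlsIssuerSetup` and an index into `sm_lists[]` in `DetectTlsIssuerTest01`. The lookup's failure value is not visible in this diff; if it is negative for an unknown name, a typo in any of the three `"tls_cert_issuer"` literals would surface as an out-of-range list id at rule load instead of an error at startup. A guard directly after the assignment, for example `BUG_ON(g_tls_cert_issuer_buffer_id < 0);`, would make a failed registration fatal and visible, and one named constant for the buffer name would remove the typo risk. The same pattern recurs in `DetectTlsSubjectRegister`, `DetectTlsValidityRegister` and `DetectTlsSniRegister`. The start of the function body is outside this hunk.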
@@ -73,14 +74,14 @@ void DetectTlsSubjectRegister(void)
 sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT;
 sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_PAYLOAD;
- DetectMpmAppLayerRegister("tls_cert_subject", SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_TLSSUBJECT_MATCH, 2,
+ DetectAppLayerMpmRegister("tls_cert_subject", SIG_FLAG_TOCLIENT, 2,
 PrefilterTxTlsSubjectRegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_TLSSUBJECT_MATCH,
+ DetectAppLayerInspectEngineRegister2("tls_cert_subject",
+ ALPROTO_TLS, SIG_FLAG_TOCLIENT,
 DetectEngineInspectTlsSubject);
+ g_tls_cert_subject_buffer_id = DetectBufferTypeGetByName("tls_cert_subject");
 }
 /**
@@ -94,7 +95,7 @@ void DetectTlsSubjectRegister(void)
 */
 static int DetectTlsSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
 {
- s->init_data->list = DETECT_SM_LIST_TLSSUBJECT_MATCH;
+ s->init_data->list = g_tls_cert_subject_buffer_id;
 s->alproto = ALPROTO_TLS;
 return 0;
 }
@@ -123,7 +124,7 @@ static int DetectTlsSubjectTest01(void)
 sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
 FAIL_IF_NOT_NULL(sm);
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_TLSSUBJECT_MATCH];
+ sm = de_ctx->sig_list->sm_lists[g_tls_cert_subject_buffer_id];
 FAIL_IF_NULL(sm);
 FAIL_IF(sm->type != DETECT_CONTENT);
diff --git a/src/detect-tls-cert-validity.c b/src/detect-tls-cert-validity.c
index f3ad4fd9c2..510a6ca50c 100644
--- a/src/detect-tls-cert-validity.c
+++ b/src/detect-tls-cert-validity.c
@@ -68,11 +68,12 @@ static int DetectTlsValidSetup (DetectEngineCtx *, Signature *s, char *str);
 static int DetectTlsNotBeforeSetup (DetectEngineCtx *, Signature *s, char *str);
 static int DetectTlsNotAfterSetup (DetectEngineCtx *, Signature *s, char *str);
 static int DetectTlsValiditySetup (DetectEngineCtx *, Signature *s, char *str, uint8_t);
-void TlsNotBeforeRegisterTests(void);
-void TlsNotAfterRegisterTests(void);
-void TlsExpiredRegisterTests(void);
-void TlsValidRegisterTests(void);
+static void TlsNotBeforeRegisterTests(void);
+static void TlsNotAfterRegisterTests(void);
+static void TlsExpiredRegisterTests(void);
+static void TlsValidRegisterTests(void);
 static void DetectTlsValidityFree(void *);
+static int g_tls_validity_buffer_id = 0;
 /**
 * \brief Registration function for tls validity keywords.
@@ -119,9 +120,11 @@ void DetectTlsValidityRegister (void)
 DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
- DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_TLSVALIDITY_MATCH,
+ DetectAppLayerInspectEngineRegister2("tls_validity",
+ ALPROTO_TLS, SIG_FLAG_TOCLIENT,
 DetectEngineInspectTlsValidity);
+
+ g_tls_validity_buffer_id = DetectBufferTypeGetByName("tls_validity");
 }
 /**
@@ -447,7 +450,7 @@ static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s,
 s->flags |= SIG_FLAG_APPLAYER;
 s->alproto = ALPROTO_TLS;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TLSVALIDITY_MATCH);
+ SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
 return 0;
@@ -505,7 +508,7 @@ static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s,
 s->flags |= SIG_FLAG_APPLAYER;
 s->alproto = ALPROTO_TLS;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TLSVALIDITY_MATCH);
+ SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
 return 0;
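Review bot: The buffer registered in `DetectTlsValidityRegister` is named `"tls_validity"`, while the entry this commit removes from `DetectListToHumanString` labelled the same list `"tls_cert_validity"` and the sibling buffers keep the `tls_cert_` prefix (`tls_cert_issuer`, `tls_cert_subject`). If buffer names surface in rule-analysis or error output, which this diff does not show, the label seen by rule writers for validity keywords changes with this commit. I would use `"tls_cert_validity"` in both the `DetectAppLayerInspectEngineRegister2` and `DetectBufferTypeGetByName` calls, or state the rename in the commit message. The function's opening lines are outside this hunk.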
@@ -608,7 +611,7 @@ static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
 s->flags |= SIG_FLAG_APPLAYER;
 s->alproto = ALPROTO_TLS;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TLSVALIDITY_MATCH);
+ SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
 return 0;
diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c
index 36b64c6584..07c71f49c1 100644
--- a/src/detect-tls-sni.c
+++ b/src/detect-tls-sni.c
@@ -55,6 +55,7 @@ static int DetectTlsSniSetup(DetectEngineCtx *, Signature *, char *);
 static void DetectTlsSniRegisterTests(void);
+static int g_tls_sni_buffer_id = 0;
 /**
 * \brief Registration function for keyword: tls_sni
@@ -73,13 +74,14 @@ void DetectTlsSniRegister(void)
 sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT;
 sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_PAYLOAD;
- DetectMpmAppLayerRegister("tls_sni", SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_TLSSNI_MATCH, 2,
+ DetectAppLayerMpmRegister("tls_sni", SIG_FLAG_TOSERVER, 2,
 PrefilterTxTlsSniRegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_TLSSNI_MATCH,
+ DetectAppLayerInspectEngineRegister2("tls_sni",
+ ALPROTO_TLS, SIG_FLAG_TOSERVER,
 DetectEngineInspectTlsSni);
+
+ g_tls_sni_buffer_id = DetectBufferTypeGetByName("tls_sni");
 }
@@ -94,7 +96,7 @@ void DetectTlsSniRegister(void)
 */
 static int DetectTlsSniSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
 {
- s->init_data->list = DETECT_SM_LIST_TLSSNI_MATCH;
+ s->init_data->list = g_tls_sni_buffer_id;
 s->alproto = ALPROTO_TLS;
 return 0;
 }
diff --git a/src/detect.h b/src/detect.h
index 4f7cf94097..eb577b2e24 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -120,11 +120,6 @@ enum DetectSigmatchListEnum {
 DETECT_SM_LIST_FILEMATCH,
- DETECT_SM_LIST_TLSSNI_MATCH,
- DETECT_SM_LIST_TLSISSUER_MATCH,
- DETECT_SM_LIST_TLSSUBJECT_MATCH,
- DETECT_SM_LIST_TLSVALIDITY_MATCH,
-
 DETECT_SM_LIST_MODBUS_MATCH,
 DETECT_SM_LIST_CIP_MATCH,