detect: add detect engine for tls validity keywords

Add detect engine for tls validity keywords (tls_cert_notbefore and tls_cert_notafter).
9 years ago · dc8e0b3cf2
parent d91664d67a
commit dc8e0b3cf2
7 changed files with 41 additions and 8 deletions
--- a/src/detect-engine-state.h
+++ b/src/detect-engine-state.h
@ -90,8 +90,9 @@
 #define DE_STATE_FLAG_TLSSNI_INSPECT      BIT_U32(24)
 #define DE_STATE_FLAG_TLSISSUER_INSPECT   BIT_U32(25)
 #define DE_STATE_FLAG_TLSSUBJECT_INSPECT  BIT_U32(26)
-#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(27)
-#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT BIT_U32(28)
+#define DE_STATE_FLAG_TLSVALIDITY_INSPECT BIT_U32(27)
+#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(28)
+#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT BIT_U32(29)

 /* state flags */
 #define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001
--- a/src/detect-engine-tls.c
+++ b/src/detect-engine-tls.c
@ -341,3 +341,13 @@ int DetectEngineInspectTlsSubject(ThreadVars *tv, DetectEngineCtx *de_ctx,

    return cnt;
 }
+
+int DetectEngineInspectTlsValidity(ThreadVars *tv, DetectEngineCtx *de_ctx,
+                                  DetectEngineThreadCtx *det_ctx, Signature *s,
+                                  Flow *f, uint8_t flags, void *alstate,
+                                  void *txv, uint64_t tx_id)
+{
+    return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, f, flags,
+                                          alstate, txv, tx_id,
+                                          DETECT_SM_LIST_TLSVALIDITY_MATCH);
+}
--- a/src/detect-engine-tls.h
+++ b/src/detect-engine-tls.h
@ -38,4 +38,9 @@ int DetectEngineInspectTlsSubject(ThreadVars *tv, DetectEngineCtx *de_ctx,
                                  Signature *s, Flow *f, uint8_t flags,
                                  void *alstate, void *txv, uint64_t tx_id);

+int DetectEngineInspectTlsValidity(ThreadVars *tv, DetectEngineCtx *de_ctx,
+                                   DetectEngineThreadCtx *det_ctx,
+                                   Signature *s, Flow *f, uint8_t flags,
+                                   void *alstate, void *txv, uint64_t tx_id);
+
 #endif /* __DETECT_ENGINE_TLS_H__ */
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@ -377,6 +377,12 @@ void DetectEngineRegisterAppInspectionEngines(void)
          DE_STATE_FLAG_TLSSUBJECT_INSPECT,
          1,
          DetectEngineInspectTlsSubject },
+        { IPPROTO_TCP,
+          ALPROTO_TLS,
+          DETECT_SM_LIST_TLSVALIDITY_MATCH,
+          DE_STATE_FLAG_TLSVALIDITY_INSPECT,
+          1,
+          DetectEngineInspectTlsValidity },
        /* specifically for UDP, register again
         * allows us to use the alproto w/o translation
         * in the detection engine */
@ -2808,6 +2814,8 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
            return "tls issuer";
        case DETECT_SM_LIST_TLSSUBJECT_MATCH:
            return "tls subject";
+        case DETECT_SM_LIST_TLSVALIDITY_MATCH:
+            return "tls validity";

        case DETECT_SM_LIST_MODBUS_MATCH:
            return "modbus";
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -167,6 +167,7 @@ const char *DetectListToHumanString(int list)
        CASE_CODE_STRING(DETECT_SM_LIST_TLSSNI_MATCH, "tls_sni");
        CASE_CODE_STRING(DETECT_SM_LIST_TLSISSUER_MATCH, "tls_cert_issuer");
        CASE_CODE_STRING(DETECT_SM_LIST_TLSSUBJECT_MATCH, "tls_cert_subject");
+        CASE_CODE_STRING(DETECT_SM_LIST_TLSVALIDITY_MATCH, "tls_cert_validity");
        CASE_CODE_STRING(DETECT_SM_LIST_MODBUS_MATCH, "modbus");
        CASE_CODE_STRING(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH, "template");
        CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch");
@ -210,6 +211,7 @@ const char *DetectListToString(int list)
        CASE_CODE(DETECT_SM_LIST_TLSSNI_MATCH);
        CASE_CODE(DETECT_SM_LIST_TLSISSUER_MATCH);
        CASE_CODE(DETECT_SM_LIST_TLSSUBJECT_MATCH);
+        CASE_CODE(DETECT_SM_LIST_TLSVALIDITY_MATCH);
        CASE_CODE(DETECT_SM_LIST_MODBUS_MATCH);
        CASE_CODE(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH);
        CASE_CODE(DETECT_SM_LIST_POSTMATCH);
@ -1587,6 +1589,8 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
        sig->flags |= SIG_FLAG_STATE_MATCH;
    if (sig->sm_lists[DETECT_SM_LIST_TLSSUBJECT_MATCH])
        sig->flags |= SIG_FLAG_STATE_MATCH;
+    if (sig->sm_lists[DETECT_SM_LIST_TLSVALIDITY_MATCH])
+        sig->flags |= SIG_FLAG_STATE_MATCH;

    if (sig->sm_lists[DETECT_SM_LIST_MODBUS_MATCH])
        sig->flags |= SIG_FLAG_STATE_MATCH;
--- a/src/detect-tls-cert-validity.c
+++ b/src/detect-tls-cert-validity.c
@ -57,7 +57,9 @@ static pcre *parse_regex;
 static pcre_extra *parse_regex_study;

 static int DetectTlsValidityMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
-                                   uint8_t, void *, Signature *, SigMatch *);
+                                   uint8_t, void *, void *, const Signature *,
+                                   const SigMatchCtx *);
+
 static time_t DateStringToEpoch (char *);
 static DetectTlsValidityData *DetectTlsValidityParse (char *);
 static int DetectTlsNotBeforeSetup (DetectEngineCtx *, Signature *s, char *str);
@ -76,7 +78,7 @@ void DetectTlsValidityRegister (void)
    sigmatch_table[DETECT_AL_TLS_NOTBEFORE].desc = "match TLS certificate notBefore field";
    sigmatch_table[DETECT_AL_TLS_NOTBEFORE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsnotbefore";
    sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Match = NULL;
-    sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerMatch = DetectTlsValidityMatch;
+    sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerTxMatch = DetectTlsValidityMatch;
    sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Setup = DetectTlsNotBeforeSetup;
    sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Free = DetectTlsValidityFree;
    sigmatch_table[DETECT_AL_TLS_NOTBEFORE].RegisterTests = TlsNotBeforeRegisterTests;
@ -85,7 +87,7 @@ void DetectTlsValidityRegister (void)
    sigmatch_table[DETECT_AL_TLS_NOTAFTER].desc = "match TLS certificate notAfter field";
    sigmatch_table[DETECT_AL_TLS_NOTAFTER].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsnotafter";
    sigmatch_table[DETECT_AL_TLS_NOTAFTER].Match = NULL;
-    sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerMatch = DetectTlsValidityMatch;
+    sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerTxMatch = DetectTlsValidityMatch;
    sigmatch_table[DETECT_AL_TLS_NOTAFTER].Setup = DetectTlsNotAfterSetup;
    sigmatch_table[DETECT_AL_TLS_NOTAFTER].Free = DetectTlsValidityFree;
    sigmatch_table[DETECT_AL_TLS_NOTAFTER].RegisterTests = TlsNotAfterRegisterTests;
@ -110,7 +112,9 @@ void DetectTlsValidityRegister (void)
 * \retval 1 match.
 */
 static int DetectTlsValidityMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
-                   Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
+                                   Flow *f, uint8_t flags, void *state,
+                                   void *txv, const Signature *s,
+                                   const SigMatchCtx *ctx)
 {
    SCEnter();

@ -128,7 +132,7 @@ static int DetectTlsValidityMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx
    else
        connp = &ssl_state->server_connp;

-    const DetectTlsValidityData *dd = (const DetectTlsValidityData *)m->ctx;
+    const DetectTlsValidityData *dd = (const DetectTlsValidityData *)ctx;

    time_t cert_epoch = 0;
    if (dd->type == DETECT_TLS_TYPE_NOTBEFORE)
@ -451,7 +455,7 @@ static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
    s->flags |= SIG_FLAG_APPLAYER;
    s->alproto = ALPROTO_TLS;

-    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
+    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TLSVALIDITY_MATCH);

    return 0;

--- a/src/detect.h
+++ b/src/detect.h
@ -127,6 +127,7 @@ enum DetectSigmatchListEnum {
    DETECT_SM_LIST_TLSSNI_MATCH,
    DETECT_SM_LIST_TLSISSUER_MATCH,
    DETECT_SM_LIST_TLSSUBJECT_MATCH,
+    DETECT_SM_LIST_TLSVALIDITY_MATCH,

    DETECT_SM_LIST_MODBUS_MATCH,