detect: add tls_cert_notbefore and tls_cert_notafter keywords

Detection plugin for TLS certificate fields notBefore and notAfter. Supports equal to, less than, greater than, and range operations for both keywords. Dates can be represented as either ISO 8601 or epoch (Unix time). Examples: alert tls [...] tls_cert_notafter:1445852105; [...] alert tls [...] tls_cert_notbefore:<2015-10-22T23:59:59; [...] alert tls [...] tls_cert_notbefore:>2015-10-22; [...] alert tls [...] tls_cert_notafter:2000-10-22<>2020-05-15; [...]
10 years ago · ea5696812f
parent c49cb05399
commit ea5696812f
5 changed files with 1254 additions and 0 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -208,6 +208,7 @@ detect-template.c detect-template.h \
 detect-template-buffer.c detect-template-buffer.h \
 detect-threshold.c detect-threshold.h \
 detect-tls.c detect-tls.h \
+detect-tls-cert-validity.c detect-tls-cert-validity.h \
 detect-tls-version.c detect-tls-version.h \
 detect-tos.c detect-tos.h \
 detect-ttl.c detect-ttl.h \
--- a/src/detect-tls-cert-validity.c
+++ b/src/detect-tls-cert-validity.c
--- a/src/detect-tls-cert-validity.h
+++ b/src/detect-tls-cert-validity.h
@ -0,0 +1,45 @@
+/* Copyright (C) 2015 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Mats Klepsland <mats.klepsland@gmail.com>
+ */
+
+#ifndef __DETECT_TLS_VALIDITY_H__
+#define __DETECT_TLS_VALIDITY_H__
+
+#define DETECT_TLS_VALIDITY_LT 0
+#define DETECT_TLS_VALIDITY_EQ 1
+#define DETECT_TLS_VALIDITY_GT 2
+#define DETECT_TLS_VALIDITY_RA 3
+
+#define DETECT_TLS_TYPE_NOTBEFORE 0
+#define DETECT_TLS_TYPE_NOTAFTER  1
+
+typedef struct DetectTlsValidityData_ {
+    time_t epoch;
+    time_t epoch2;
+    uint8_t mode;
+    uint8_t type;
+} DetectTlsValidityData;
+
+/* prototypes */
+void DetectTlsValidityRegister (void);
+
+#endif /* __DETECT_TLS_VALIDITY_H__ */
--- a/src/detect.c
+++ b/src/detect.c
@ -173,6 +173,7 @@
 #include "app-layer-smtp.h"
 #include "app-layer-template.h"
 #include "detect-tls.h"
+#include "detect-tls-cert-validity.h"
 #include "detect-tls-version.h"
 #include "detect-ssh-proto-version.h"
 #include "detect-ssh-software-version.h"
@ -4418,6 +4419,7 @@ void SigTableSetup(void)
    DetectHttpMethodRegister();
    DetectHttpStatMsgRegister();
    DetectTlsRegister();
+    DetectTlsValidityRegister();
    DetectTlsVersionRegister();
    DetectUrilenRegister();
    DetectDetectionFilterRegister();
--- a/src/detect.h
+++ b/src/detect.h
@ -1179,6 +1179,8 @@ enum {
    DETECT_AL_TLS_VERSION,
    DETECT_AL_TLS_SUBJECT,
    DETECT_AL_TLS_ISSUERDN,
+    DETECT_AL_TLS_NOTBEFORE,
+    DETECT_AL_TLS_NOTAFTER,
    DETECT_AL_TLS_FINGERPRINT,
    DETECT_AL_TLS_STORE,