detect-tls-ja3-hash: add setup callback to lowercase content

Add setup callback that lowercase the content that follows 'ja3_hash'.
7 years ago · f36d578ee0
parent 5b954212f7
commit f36d578ee0
1 changed files with 35 additions and 0 deletions
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
@ -64,6 +64,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
       const DetectEngineTransforms *transforms,
       Flow *_f, const uint8_t _flow_flags,
       void *txv, const int list_id);
+static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
+       Signature *s);
 static _Bool DetectTlsJa3HashValidateCallback(const Signature *s,
       const char **sigerror);
 static int g_tls_ja3_hash_buffer_id = 0;
@ -91,6 +93,9 @@ void DetectTlsJa3HashRegister(void)

    DetectBufferTypeSetDescriptionByName("ja3_hash", "TLS JA3 hash");

+    DetectBufferTypeRegisterSetupCallback("ja3_hash",
+            DetectTlsJa3HashSetupCallback);
+
    DetectBufferTypeRegisterValidateCallback("ja3_hash",
            DetectTlsJa3HashValidateCallback);

@ -176,6 +181,36 @@ static _Bool DetectTlsJa3HashValidateCallback(const Signature *s,
    return TRUE;
 }

+static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
+                                          Signature *s)
+{
+    SigMatch *sm = s->init_data->smlists[g_tls_ja3_hash_buffer_id];
+    for ( ; sm != NULL; sm = sm->next)
+    {
+        if (sm->type != DETECT_CONTENT)
+            continue;
+
+        DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+        _Bool changed = FALSE;
+        uint32_t u;
+        for (u = 0; u < cd->content_len; u++)
+        {
+            if (isupper(cd->content[u])) {
+                cd->content[u] = tolower(cd->content[u]);
+                changed = TRUE;
+            }
+        }
+
+        /* recreate the context if changes were made */
+        if (changed) {
+            SpmDestroyCtx(cd->spm_ctx);
+            cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
+                                     de_ctx->spm_global_thread_ctx);
+        }
+    }
+}
+
 #ifndef HAVE_NSS

 static void DetectTlsJa3HashRegisterTests(void)