aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tls app layer: handle negation on subject and issuerdn.

Browse Source 
This patch adds negation support for tls.subject and tls.issuerdn
matches.
remotes/origin/HEAD
Eric Leblond 14 years ago committed by Victor Julien
parent ad0e05a112
commit fce2437dc2
2 changed files with 47 additions and 6 deletions
Show Stats Download Patch File Download Diff File

52
src/detect-tls.c
Unescape Escape View File

@ -63,7 +63,7 @@
/**
* \brief Regex for parsing "id" option, matching number or "number"
*/
#define PARSE_REGEX "^\\s*([A-z0-9\\.]+|\"[A-z0-9\\.]+\")\\s*$"
#define PARSE_REGEX "^\\s*(\\!*)\\s*([A-z0-9\\.=\\*] +|\"[A-z0-9\\.\\*= ]+\")\\s*$"
static pcre *subject_parse_regex;
static pcre_extra *subject_parse_regex_study;
@ -163,11 +163,20 @@ static int DetectTlsSubjectMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
int ret = 0;
SCMutexLock(&f->m);
if (tls_data->flags & DETECT_CONTENT_NEGATED) {
ret = 1;
} else {
ret = 0;
}
if (ssl_state->cert0_subject != NULL) {
SCLogDebug("TLS: Subject is [%s], looking for [%s]\n", ssl_state->cert0_subject, tls_data->subject);
if (strstr(ssl_state->cert0_subject, tls_data->subject) != NULL) {
ret = 1;
if (tls_data->flags & DETECT_CONTENT_NEGATED) {
ret = 0;
} else {
ret = 1;
}
}
}
@ -199,21 +208,32 @@ static DetectTlsData *DetectTlsSubjectParse (char *str)
goto error;
}
if (ret > 1) {
if (ret == 3) {
const char *str_ptr;
char *orig;
char *tmp_str;
uint32_t flag = 0;
res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
if (str_ptr[0] == '!')
flag = DETECT_CONTENT_NEGATED;
res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 2, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
/* We have a correct id option */
tls = SCMalloc(sizeof(DetectTlsData));
if (tls == NULL)
goto error;
tls->subject = NULL;
tls->flags = flag;
orig = SCStrdup((char*)str_ptr);
tmp_str=orig;
@ -337,11 +357,20 @@ static int DetectTlsIssuerDNMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx
int ret = 0;
SCMutexLock(&f->m);
if (tls_data->flags & DETECT_CONTENT_NEGATED) {
ret = 1;
} else {
ret = 0;
}
if (ssl_state->cert0_issuerdn != NULL) {
SCLogDebug("TLS: IssuerDN is [%s], looking for [%s]\n", ssl_state->cert0_issuerdn, tls_data->issuerdn);
if (strstr(ssl_state->cert0_issuerdn, tls_data->issuerdn) != NULL) {
ret = 1;
if (tls_data->flags & DETECT_CONTENT_NEGATED) {
ret = 0;
} else {
ret = 1;
}
}
}
@ -368,26 +397,37 @@ static DetectTlsData *DetectTlsIssuerDNParse(char *str)
ret = pcre_exec(issuerdn_parse_regex, issuerdn_parse_regex_study, str, strlen(str), 0, 0,
ov, MAX_SUBSTRINGS);
if (ret < 1 || ret > 3) {
if (ret != 3) {
SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.issuerdn option");
goto error;
}
if (ret > 1) {
if (ret == 3) {
const char *str_ptr;
char *orig;
char *tmp_str;
uint32_t flag = 0;
res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
if (str_ptr[0] == '!')
flag = DETECT_CONTENT_NEGATED;
res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 2, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
/* We have a correct id option */
tls = SCMalloc(sizeof(DetectTlsData));
if (tls == NULL)
goto error;
tls->issuerdn = NULL;
tls->flags = flag;
orig = SCStrdup((char*)str_ptr);
tmp_str=orig;

1
src/detect-tls.h
Unescape Escape View File

@ -38,6 +38,7 @@ typedef struct DetectTlsData_ {
uint16_t ver; /** tls version to match */
char * subject; /** tls certificate subject substring to match */
char * issuerdn; /** tls certificate issuerDN substring to match */
uint32_t flags; /** flags containing match variant (Negation for example) */
} DetectTlsData;
/* prototypes */

Write Preview
Loading…
Cancel
Save