aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '77b94b8713'
${ noResults }
suricata/src/detect-tls-ja3-hash.c

246 lines
8.0 KiB
C
Raw Blame History

/* Copyright (C) 2017 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
* Implements support for ja3.hash keyword.
*/
#include "suricata-common.h"
#include "threads.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-prefilter.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-tls-ja3-hash.h"
#include "flow.h"
#include "flow-util.h"
#include "flow-var.h"
#include "conf.h"
#include "conf-yaml-loader.h"
#include "util-debug.h"
#include "util-spm.h"
#include "util-print.h"
#include "util-ja3.h"
#include "stream-tcp.h"
#include "app-layer.h"
#include "app-layer-ssl.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#ifndef HAVE_JA3
static int DetectJA3SetupNoSupport(DetectEngineCtx *a, Signature *b, const char *c)
{
SCLogError("no JA3 support built in");
return -1;
}
#endif
#ifdef HAVE_JA3
static int DetectTlsJa3HashSetup(DetectEngineCtx *, Signature *, const char *);
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
void *txv, const int list_id);
static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
Signature *s);
static bool DetectTlsJa3HashValidateCallback(const Signature *s,
const char **sigerror);
static int g_tls_ja3_hash_buffer_id = 0;
#endif
/**
* \brief Registration function for keyword: ja3_hash
*/
void DetectTlsJa3HashRegister(void)
{
sigmatch_table[DETECT_TLS_JA3_HASH].name = "ja3.hash";
sigmatch_table[DETECT_TLS_JA3_HASH].alias = "ja3_hash";
sigmatch_table[DETECT_TLS_JA3_HASH].desc = "sticky buffer to match the JA3 hash buffer";
sigmatch_table[DETECT_TLS_JA3_HASH].url = "/rules/ja3-keywords.html#ja3-hash";
#ifdef HAVE_JA3
sigmatch_table[DETECT_TLS_JA3_HASH].Setup = DetectTlsJa3HashSetup;
#else /* HAVE_JA3 */
sigmatch_table[DETECT_TLS_JA3_HASH].Setup = DetectJA3SetupNoSupport;
#endif /* HAVE_JA3 */
sigmatch_table[DETECT_TLS_JA3_HASH].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
#ifdef HAVE_JA3
DetectAppLayerInspectEngineRegister("ja3.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
DetectEngineInspectBufferGeneric, GetData);
DetectAppLayerMpmRegister(
"ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
DetectAppLayerMpmRegister("ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
Ja3DetectGetHash, ALPROTO_QUIC, 1);
DetectAppLayerInspectEngineRegister("ja3.hash", ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1,
DetectEngineInspectBufferGeneric, Ja3DetectGetHash);
DetectBufferTypeSetDescriptionByName("ja3.hash", "TLS JA3 hash");
DetectBufferTypeRegisterSetupCallback("ja3.hash",
DetectTlsJa3HashSetupCallback);
DetectBufferTypeRegisterValidateCallback("ja3.hash",
DetectTlsJa3HashValidateCallback);
g_tls_ja3_hash_buffer_id = DetectBufferTypeGetByName("ja3.hash");
#endif /* HAVE_JA3 */
}
#ifdef HAVE_JA3
/**
* \brief this function setup the ja3.hash modifier keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
* \param str Should hold an empty string always
*
* \retval 0 On success
* \retval -1 On failure
* \retval -2 on failure that should be silent after the first
*/
static int DetectTlsJa3HashSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
if (DetectBufferSetActiveList(de_ctx, s, g_tls_ja3_hash_buffer_id) < 0)
return -1;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS && s->alproto != ALPROTO_QUIC) {
SCLogError("rule contains conflicting protocols.");
return -1;
}
/* try to enable JA3 */
SSLEnableJA3();
/* Check if JA3 is disabled */
if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) {
if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_TLS_JA3_HASH)) {
SCLogError("ja3 support is not enabled");
}
return -2;
}
s->init_data->init_flags |= SIG_FLAG_INIT_JA;
return 0;
}
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f,
const uint8_t flow_flags, void *txv, const int list_id)
{
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
if (buffer->inspect == NULL) {
const SSLState *ssl_state = (SSLState *)f->alstate;
if (ssl_state->client_connp.ja3_hash == NULL) {
return NULL;
}
const uint32_t data_len = strlen(ssl_state->client_connp.ja3_hash);
const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_hash;
InspectionBufferSetupAndApplyTransforms(
det_ctx, list_id, buffer, data, data_len, transforms);
}
return buffer;
}
static bool DetectTlsJa3HashValidateCallback(const Signature *s,
const char **sigerror)
{
for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
if (s->init_data->buffers[x].id != (uint32_t)g_tls_ja3_hash_buffer_id)
continue;
const SigMatch *sm = s->init_data->buffers[x].head;
for (; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_CONTENT)
continue;
const DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_NOCASE) {
*sigerror = "ja3.hash should not be used together with "
"nocase, since the rule is automatically "
"lowercased anyway which makes nocase redundant.";
SCLogWarning("rule %u: %s", s->id, *sigerror);
}
if (cd->content_len == SC_MD5_HEX_LEN)
return true;
*sigerror = "Invalid length of the specified JA3 hash (should "
"be 32 characters long). This rule will therefore "
"never match.";
SCLogWarning("rule %u: %s", s->id, *sigerror);
return false;
}
}
return true;
}
static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
Signature *s)
{
for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
if (s->init_data->buffers[x].id != (uint32_t)g_tls_ja3_hash_buffer_id)
continue;
SigMatch *sm = s->init_data->buffers[x].head;
for (; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_CONTENT)
continue;
DetectContentData *cd = (DetectContentData *)sm->ctx;
bool changed = false;
uint32_t u;
for (u = 0; u < cd->content_len; u++) {
if (isupper(cd->content[u])) {
cd->content[u] = u8_tolower(cd->content[u]);
changed = true;
}
}
/* recreate the context if changes were made */
if (changed) {
SpmDestroyCtx(cd->spm_ctx);
cd->spm_ctx =
SpmInitCtx(cd->content, cd->content_len, 1, de_ctx->spm_global_thread_ctx);
}
}
}
}
#endif
Reference in New Issue View Git Blame Copy Permalink