aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
main-8.0.x
main
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8798bf48b2'
${ noResults }
suricata/src/detect-engine-tls.c

286 lines
8.9 KiB
C
Raw Blame History

/* Copyright (C) 2016 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/** \file
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
*/
#include "suricata-common.h"
#include "suricata.h"
#include "decode.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-parse.h"
#include "detect-engine-state.h"
#include "detect-engine-content-inspection.h"
#include "detect-engine-prefilter.h"
#include "flow-util.h"
#include "util-debug.h"
#include "util-print.h"
#include "flow.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-protos.h"
#include "app-layer-ssl.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-validate.h"
/** \brief TLS SNI Mpm prefilter callback
*
* \param det_ctx detection engine thread ctx
* \param p packet to inspect
* \param f flow to inspect
* \param txv tx to inspect
* \param pectx inspection context
*/
static void PrefilterTxTlsSni(DetectEngineThreadCtx *det_ctx, const void *pectx,
Packet *p, Flow *f, void *txv,
const uint64_t idx, const uint8_t flags)
{
SCEnter();
const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
SSLState *ssl_state = f->alstate;
if (ssl_state->client_connp.sni == NULL)
return;
const uint8_t *buffer = (uint8_t *)ssl_state->client_connp.sni;
const uint32_t buffer_len = strlen(ssl_state->client_connp.sni);
if (buffer_len >= mpm_ctx->minlen) {
(void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
}
}
int PrefilterTxTlsSniRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
{
SCEnter();
return PrefilterAppendTxEngine(sgh, PrefilterTxTlsSni,
ALPROTO_TLS, 0, // TODO a special 'cert ready' state might be good to add
mpm_ctx, NULL, "tls_sni");
}
/** \brief Do the content inspection and validation for a signature
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect
* \param sm SigMatch to inspect
* \param f Flow
* \param flags App layer flags
* \param state App layer state
*
* \retval 0 No match
* \retval 1 Match
*/
int DetectEngineInspectTlsSni(ThreadVars *tv, DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Signature *s,
Flow *f, uint8_t flags, void *alstate, void *txv,
uint64_t tx_id)
{
uint8_t *buffer;
uint16_t buffer_len;
int cnt = 0;
SSLState *ssl_state = (SSLState *)alstate;
if (ssl_state->client_connp.sni == NULL)
return 0;
buffer = (uint8_t *)ssl_state->client_connp.sni;
buffer_len = strlen(ssl_state->client_connp.sni);
cnt = DetectEngineContentInspection(de_ctx, det_ctx, s,
s->sm_lists[DETECT_SM_LIST_TLSSNI_MATCH],
f, buffer, buffer_len, 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSSNI, NULL);
return cnt;
}
/** \brief TLS Issuer Mpm prefilter callback
*
* \param det_ctx detection engine thread ctx
* \param p packet to inspect
* \param f flow to inspect
* \param txv tx to inspect
* \param pectx inspection context
*/
static void PrefilterTxTlsIssuer(DetectEngineThreadCtx *det_ctx, const void *pectx,
Packet *p, Flow *f, void *txv,
const uint64_t idx, const uint8_t flags)
{
SCEnter();
const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
SSLState *ssl_state = f->alstate;
if (ssl_state->server_connp.cert0_issuerdn == NULL)
return;
const uint8_t *buffer = (const uint8_t *)ssl_state->server_connp.cert0_issuerdn;
const uint32_t buffer_len = strlen(ssl_state->server_connp.cert0_issuerdn);
if (buffer_len >= mpm_ctx->minlen) {
(void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
}
}
int PrefilterTxTlsIssuerRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
{
SCEnter();
return PrefilterAppendTxEngine(sgh, PrefilterTxTlsIssuer,
ALPROTO_TLS, 0, // TODO a special 'cert ready' state might be good to add
mpm_ctx, NULL, "tls_cert_issuer");
}
/** \brief Do the content inspection and validation for a signature
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect
* \param sm SigMatch to inspect
* \param f Flow
* \param flags App layer flags
* \param state App layer state
*
* \retval 0 No match
* \retval 1 Match
*/
int DetectEngineInspectTlsIssuer(ThreadVars *tv, DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Signature *s,
Flow *f, uint8_t flags, void *alstate, void *txv,
uint64_t tx_id)
{
uint8_t *buffer;
uint32_t buffer_len;
int cnt = 0;
SSLState *ssl_state = (SSLState *)alstate;
if (ssl_state->server_connp.cert0_issuerdn == NULL)
return 0;
buffer = (uint8_t *)ssl_state->server_connp.cert0_issuerdn;
buffer_len = strlen(ssl_state->server_connp.cert0_issuerdn);
cnt = DetectEngineContentInspection(de_ctx, det_ctx, s,
s->sm_lists[DETECT_SM_LIST_TLSISSUER_MATCH],
f, buffer, buffer_len, 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSISSUER, NULL);
return cnt;
}
/** \brief TLS Subject Mpm prefilter callback
*
* \param det_ctx detection engine thread ctx
* \param p packet to inspect
* \param f flow to inspect
* \param txv tx to inspect
* \param pectx inspection context
*/
static void PrefilterTxTlsSubject(DetectEngineThreadCtx *det_ctx, const void *pectx,
Packet *p, Flow *f, void *txv,
const uint64_t idx, const uint8_t flags)
{
SCEnter();
const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
SSLState *ssl_state = f->alstate;
if (ssl_state->server_connp.cert0_issuerdn == NULL)
return;
const uint8_t *buffer = (const uint8_t *)ssl_state->server_connp.cert0_subject;
const uint32_t buffer_len = strlen(ssl_state->server_connp.cert0_subject);
if (buffer_len >= mpm_ctx->minlen) {
(void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
}
}
int PrefilterTxTlsSubjectRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
{
SCEnter();
return PrefilterAppendTxEngine(sgh, PrefilterTxTlsSubject,
ALPROTO_TLS, 0, // TODO a special 'cert ready' state might be good to add
mpm_ctx, NULL, "tls_cert_subject");
}
/** \brief Do the content inspection and validation for a signature
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect
* \param sm SigMatch to inspect
* \param f Flow
* \param flags App layer flags
* \param state App layer state
*
* \retval 0 No match
* \retval 1 Match
*/
int DetectEngineInspectTlsSubject(ThreadVars *tv, DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Signature *s,
Flow *f, uint8_t flags, void *alstate, void *txv,
uint64_t tx_id)
{
uint8_t *buffer;
uint32_t buffer_len;
int cnt = 0;
SSLState *ssl_state = (SSLState *)alstate;
if (ssl_state->server_connp.cert0_subject == NULL)
return 0;
buffer = (uint8_t *)ssl_state->server_connp.cert0_subject;
buffer_len = strlen(ssl_state->server_connp.cert0_subject);
cnt = DetectEngineContentInspection(de_ctx, det_ctx, s,
s->sm_lists[DETECT_SM_LIST_TLSSUBJECT_MATCH],
f, buffer, buffer_len, 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSSUBJECT, NULL);
return cnt;
}
int DetectEngineInspectTlsValidity(ThreadVars *tv, DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Signature *s,
Flow *f, uint8_t flags, void *alstate,
void *txv, uint64_t tx_id)
{
return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, f, flags,
alstate, txv, tx_id,
DETECT_SM_LIST_TLSVALIDITY_MATCH);
}
Reference in New Issue View Git Blame Copy Permalink