54 #define PARSE_REGEX1 "^(!?)([_a-zA-Z0-9]+)(.*)$" 55 static pcre *parse_regex1;
56 static pcre_extra *parse_regex1_study;
58 #define PARSE_REGEX2 "^(?:\\s*[|,]\\s*(!?)([_a-zA-Z0-9]+))(.*)$" 59 static pcre *parse_regex2;
60 static pcre_extra *parse_regex2_study;
63 Flow *, uint8_t,
void *,
void *,
66 static void DetectSslStateRegisterTests(
void);
67 static void DetectSslStateFree(
void *);
73 void *txv, uint64_t
tx_id);
75 static int g_tls_generic_list_id = 0;
94 "generic ssl/tls inspection");
108 void *txv, uint64_t
tx_id)
111 f,
flags, alstate, txv, tx_id);
129 Flow *f, uint8_t
flags,
void *alstate,
void *txv,
134 if (ssl_state == NULL) {
141 if ((ssd->
flags & ssl_flags) ^ ssd->
mask) {
159 #define MAX_SUBSTRINGS 30 160 int ret = 0,
res = 0;
166 uint32_t
flags = 0, mask = 0;
169 ret = pcre_exec(parse_regex1, parse_regex1_study, arg, strlen(arg), 0, 0,
173 "ssl_state keyword.", arg);
182 negate = !strcmp(
"!", str1);
183 pcre_free_substring(str1);
191 if (strcmp(
"client_hello", str1) == 0) {
195 }
else if (strcmp(
"server_hello", str1) == 0) {
199 }
else if (strcmp(
"client_keyx", str1) == 0) {
203 }
else if (strcmp(
"server_keyx", str1) == 0) {
207 }
else if (strcmp(
"unknown", str1) == 0) {
213 "in ssl_state keyword.", str1);
217 pcre_free_substring(str1);
225 ret = pcre_exec(parse_regex2, parse_regex2_study, str1, strlen(str1), 0, 0,
229 "ssl_state keyword.", arg);
238 negate = !strcmp(
"!", str2);
239 pcre_free_substring(str2);
246 if (strcmp(
"client_hello", str2) == 0) {
250 }
else if (strcmp(
"server_hello", str2) == 0) {
254 }
else if (strcmp(
"client_keyx", str2) == 0) {
258 }
else if (strcmp(
"server_keyx", str2) == 0) {
262 }
else if (strcmp(
"unknown", str2) == 0) {
268 "in ssl_state keyword.", str2);
278 pcre_free_substring(str1);
281 pcre_free_substring(str1);
314 ssd = DetectSslStateParse(arg);
330 DetectSslStateFree(ssd);
341 static void DetectSslStateFree(
void *ptr)
353 static int DetectSslStateTest01(
void)
362 static int DetectSslStateTest02(
void)
372 static int DetectSslStateTest03(
void)
384 static int DetectSslStateTest04(
void)
387 "client_hello , server_keyx , " 399 static int DetectSslStateTest05(
void)
402 "client_hello , server_keyx , " 409 static int DetectSslStateTest06(
void)
412 "client_hello , server_keyx , " 421 static int DetectSslStateTest07(
void)
423 uint8_t chello_buf[] = {
424 0x80, 0x67, 0x01, 0x03, 0x00, 0x00, 0x4e, 0x00,
425 0x00, 0x00, 0x10, 0x01, 0x00, 0x80, 0x03, 0x00,
426 0x80, 0x07, 0x00, 0xc0, 0x06, 0x00, 0x40, 0x02,
427 0x00, 0x80, 0x04, 0x00, 0x80, 0x00, 0x00, 0x39,
428 0x00, 0x00, 0x38, 0x00, 0x00, 0x35, 0x00, 0x00,
429 0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x04, 0x00,
430 0x00, 0x05, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x16,
431 0x00, 0x00, 0x13, 0x00, 0xfe, 0xff, 0x00, 0x00,
432 0x0a, 0x00, 0x00, 0x15, 0x00, 0x00, 0x12, 0x00,
433 0xfe, 0xfe, 0x00, 0x00, 0x09, 0x00, 0x00, 0x64,
434 0x00, 0x00, 0x62, 0x00, 0x00, 0x03, 0x00, 0x00,
435 0x06, 0xa8, 0xb8, 0x93, 0xbb, 0x90, 0xe9, 0x2a,
436 0xa2, 0x4d, 0x6d, 0xcc, 0x1c, 0xe7, 0x2a, 0x80,
439 uint32_t chello_buf_len =
sizeof(chello_buf);
441 uint8_t shello_buf[] = {
442 0x16, 0x03, 0x00, 0x00, 0x4a, 0x02,
443 0x00, 0x00, 0x46, 0x03, 0x00, 0x44, 0x4c, 0x94,
444 0x8f, 0xfe, 0x81, 0xed, 0x93, 0x65, 0x02, 0x88,
445 0xa3, 0xf8, 0xeb, 0x63, 0x86, 0x0e, 0x2c, 0xf6,
446 0x8d, 0xd0, 0x0f, 0x2c, 0x2a, 0xd6, 0x4f, 0xcd,
447 0x2d, 0x3c, 0x16, 0xd7, 0xd6, 0x20, 0xa0, 0xfb,
448 0x60, 0x86, 0x3d, 0x1e, 0x76, 0xf3, 0x30, 0xfe,
449 0x0b, 0x01, 0xfd, 0x1a, 0x01, 0xed, 0x95, 0xf6,
450 0x7b, 0x8e, 0xc0, 0xd4, 0x27, 0xbf, 0xf0, 0x6e,
451 0xc7, 0x56, 0xb1, 0x47, 0xce, 0x98, 0x00, 0x35,
452 0x00, 0x16, 0x03, 0x00, 0x03, 0x44, 0x0b, 0x00,
453 0x03, 0x40, 0x00, 0x03, 0x3d, 0x00, 0x03, 0x3a,
454 0x30, 0x82, 0x03, 0x36, 0x30, 0x82, 0x02, 0x9f,
455 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01,
456 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
457 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30,
458 0x81, 0xa9, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
459 0x55, 0x04, 0x06, 0x13, 0x02, 0x58, 0x59, 0x31,
460 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x08,
461 0x13, 0x0c, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
462 0x44, 0x65, 0x73, 0x65, 0x72, 0x74, 0x31, 0x13,
463 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
464 0x0a, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x54,
465 0x6f, 0x77, 0x6e, 0x31, 0x17, 0x30, 0x15, 0x06,
466 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x53, 0x6e,
467 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, 0x2c,
468 0x20, 0x4c, 0x74, 0x64, 0x31, 0x1e, 0x30, 0x1c,
469 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x43,
470 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
471 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f,
472 0x72, 0x69, 0x74, 0x79, 0x31, 0x15, 0x30, 0x13,
473 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0c, 0x53,
474 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c,
475 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06,
476 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
477 0x09, 0x01, 0x16, 0x0f, 0x63, 0x61, 0x40, 0x73,
478 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, 0x2e,
479 0x64, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30,
480 0x33, 0x30, 0x33, 0x30, 0x35, 0x31, 0x36, 0x34,
481 0x37, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x30, 0x38,
482 0x30, 0x33, 0x30, 0x33, 0x31, 0x36, 0x34, 0x37,
483 0x34, 0x35, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x0b,
484 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
485 0x02, 0x58, 0x59, 0x31, 0x15, 0x30, 0x13, 0x06,
486 0x03, 0x55, 0x04, 0x08, 0x13, 0x0c, 0x53, 0x6e,
487 0x61, 0x6b, 0x65, 0x20, 0x44, 0x65, 0x73, 0x65,
488 0x72, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
489 0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x6e, 0x61,
490 0x6b, 0x65, 0x20, 0x54, 0x6f, 0x77, 0x6e, 0x31,
491 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a,
492 0x13, 0x0e, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
493 0x4f, 0x69, 0x6c, 0x2c, 0x20, 0x4c, 0x74, 0x64,
494 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
495 0x0b, 0x13, 0x0e, 0x57, 0x65, 0x62, 0x73, 0x65,
496 0x72, 0x76, 0x65, 0x72, 0x20, 0x54, 0x65, 0x61,
497 0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,
498 0x04, 0x03, 0x13, 0x10, 0x77, 0x77, 0x77, 0x2e,
499 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c,
500 0x2e, 0x64, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d,
501 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
502 0x01, 0x09, 0x01, 0x16, 0x10, 0x77, 0x77, 0x77,
503 0x40, 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69,
504 0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x30, 0x81, 0x9f,
505 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
506 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03,
507 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
508 0x81, 0x00, 0xa4, 0x6e, 0x53, 0x14, 0x0a, 0xde,
509 0x2c, 0xe3, 0x60, 0x55, 0x9a, 0xf2, 0x42, 0xa6,
510 0xaf, 0x47, 0x12, 0x2f, 0x17, 0xce, 0xfa, 0xba,
511 0xdc, 0x4e, 0x63, 0x56, 0x34, 0xb9, 0xba, 0x73,
512 0x4b, 0x78, 0x44, 0x3d, 0xc6, 0x6c, 0x69, 0xa4,
513 0x25, 0xb3, 0x61, 0x02, 0x9d, 0x09, 0x04, 0x3f,
514 0x72, 0x3d, 0xd8, 0x27, 0xd3, 0xb0, 0x5a, 0x45,
515 0x77, 0xb7, 0x36, 0xe4, 0x26, 0x23, 0xcc, 0x12,
516 0xb8, 0xae, 0xde, 0xa7, 0xb6, 0x3a, 0x82, 0x3c,
517 0x7c, 0x24, 0x59, 0x0a, 0xf8, 0x96, 0x43, 0x8b,
518 0xa3, 0x29, 0x36, 0x3f, 0x91, 0x7f, 0x5d, 0xc7,
519 0x23, 0x94, 0x29, 0x7f, 0x0a, 0xce, 0x0a, 0xbd,
520 0x8d, 0x9b, 0x2f, 0x19, 0x17, 0xaa, 0xd5, 0x8e,
521 0xec, 0x66, 0xa2, 0x37, 0xeb, 0x3f, 0x57, 0x53,
522 0x3c, 0xf2, 0xaa, 0xbb, 0x79, 0x19, 0x4b, 0x90,
523 0x7e, 0xa7, 0xa3, 0x99, 0xfe, 0x84, 0x4c, 0x89,
524 0xf0, 0x3d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
525 0x6e, 0x30, 0x6c, 0x30, 0x1b, 0x06, 0x03, 0x55,
526 0x1d, 0x11, 0x04, 0x14, 0x30, 0x12, 0x81, 0x10,
527 0x77, 0x77, 0x77, 0x40, 0x73, 0x6e, 0x61, 0x6b,
528 0x65, 0x6f, 0x69, 0x6c, 0x2e, 0x64, 0x6f, 0x6d,
529 0x30, 0x3a, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
530 0x86, 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x2d, 0x16,
531 0x2b, 0x6d, 0x6f, 0x64, 0x5f, 0x73, 0x73, 0x6c,
532 0x20, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
533 0x65, 0x64, 0x20, 0x63, 0x75, 0x73, 0x74, 0x6f,
534 0x6d, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
535 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
536 0x63, 0x61, 0x74, 0x65, 0x30, 0x11, 0x06, 0x09,
537 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01,
538 0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 0x30,
539 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
540 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81,
541 0x81, 0x00, 0xae, 0x79, 0x79, 0x22, 0x90, 0x75,
542 0xfd, 0xa6, 0xd5, 0xc4, 0xb8, 0xc4, 0x99, 0x4e,
543 0x1c, 0x05, 0x7c, 0x91, 0x59, 0xbe, 0x89, 0x0d,
544 0x3d, 0xc6, 0x8c, 0xa3, 0xcf, 0xf6, 0xba, 0x23,
545 0xdf, 0xb8, 0xae, 0x44, 0x68, 0x8a, 0x8f, 0xb9,
546 0x8b, 0xcb, 0x12, 0xda, 0xe6, 0xa2, 0xca, 0xa5,
547 0xa6, 0x55, 0xd9, 0xd2, 0xa1, 0xad, 0xba, 0x9b,
548 0x2c, 0x44, 0x95, 0x1d, 0x4a, 0x90, 0x59, 0x7f,
549 0x83, 0xae, 0x81, 0x5e, 0x3f, 0x92, 0xe0, 0x14,
550 0x41, 0x82, 0x4e, 0x7f, 0x53, 0xfd, 0x10, 0x23,
551 0xeb, 0x8a, 0xeb, 0xe9, 0x92, 0xea, 0x61, 0xf2,
552 0x8e, 0x19, 0xa1, 0xd3, 0x49, 0xc0, 0x84, 0x34,
553 0x1e, 0x2e, 0x6e, 0xf6, 0x98, 0xe2, 0x87, 0x53,
554 0xd6, 0x55, 0xd9, 0x1a, 0x8a, 0x92, 0x5c, 0xad,
555 0xdc, 0x1e, 0x1c, 0x30, 0xa7, 0x65, 0x9d, 0xc2,
556 0x4f, 0x60, 0xd2, 0x6f, 0xdb, 0xe0, 0x9f, 0x9e,
557 0xbc, 0x41, 0x16, 0x03, 0x00, 0x00, 0x04, 0x0e,
560 uint32_t shello_buf_len =
sizeof(shello_buf);
562 uint8_t client_change_cipher_spec_buf[] = {
563 0x16, 0x03, 0x00, 0x00, 0x84, 0x10, 0x00, 0x00,
564 0x80, 0x65, 0x51, 0x2d, 0xa6, 0xd4, 0xa7, 0x38,
565 0xdf, 0xac, 0x79, 0x1f, 0x0b, 0xd9, 0xb2, 0x61,
566 0x7d, 0x73, 0x88, 0x32, 0xd9, 0xf2, 0x62, 0x3a,
567 0x8b, 0x11, 0x04, 0x75, 0xca, 0x42, 0xff, 0x4e,
568 0xd9, 0xcc, 0xb9, 0xfa, 0x86, 0xf3, 0x16, 0x2f,
569 0x09, 0x73, 0x51, 0x66, 0xaa, 0x29, 0xcd, 0x80,
570 0x61, 0x0f, 0xe8, 0x13, 0xce, 0x5b, 0x8e, 0x0a,
571 0x23, 0xf8, 0x91, 0x5e, 0x5f, 0x54, 0x70, 0x80,
572 0x8e, 0x7b, 0x28, 0xef, 0xb6, 0x69, 0xb2, 0x59,
573 0x85, 0x74, 0x98, 0xe2, 0x7e, 0xd8, 0xcc, 0x76,
574 0x80, 0xe1, 0xb6, 0x45, 0x4d, 0xc7, 0xcd, 0x84,
575 0xce, 0xb4, 0x52, 0x79, 0x74, 0xcd, 0xe6, 0xd7,
576 0xd1, 0x9c, 0xad, 0xef, 0x63, 0x6c, 0x0f, 0xf7,
577 0x05, 0xe4, 0x4d, 0x1a, 0xd3, 0xcb, 0x9c, 0xd2,
578 0x51, 0xb5, 0x61, 0xcb, 0xff, 0x7c, 0xee, 0xc7,
579 0xbc, 0x5e, 0x15, 0xa3, 0xf2, 0x52, 0x0f, 0xbb,
580 0x32, 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16,
581 0x03, 0x00, 0x00, 0x40, 0xa9, 0xd8, 0xd7, 0x35,
582 0xbc, 0x39, 0x56, 0x98, 0xad, 0x87, 0x61, 0x2a,
583 0xc4, 0x8f, 0xcc, 0x03, 0xcb, 0x93, 0x80, 0x81,
584 0xb0, 0x4a, 0xc4, 0xd2, 0x09, 0x71, 0x3e, 0x90,
585 0x3c, 0x8d, 0xe0, 0x95, 0x44, 0xfe, 0x56, 0xd1,
586 0x7e, 0x88, 0xe2, 0x48, 0xfd, 0x76, 0x70, 0x76,
587 0xe2, 0xcd, 0x06, 0xd0, 0xf3, 0x9d, 0x13, 0x79,
588 0x67, 0x1e, 0x37, 0xf6, 0x98, 0xbe, 0x59, 0x18,
589 0x4c, 0xfc, 0x75, 0x56
591 uint32_t client_change_cipher_spec_buf_len =
592 sizeof(client_change_cipher_spec_buf);
594 uint8_t server_change_cipher_spec_buf[] = {
595 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, 0x03,
596 0x00, 0x00, 0x40, 0xce, 0x7c, 0x92, 0x43, 0x59,
597 0xcc, 0x3d, 0x90, 0x91, 0x9c, 0x58, 0xf0, 0x7a,
598 0xce, 0xae, 0x0d, 0x08, 0xe0, 0x76, 0xb4, 0x86,
599 0xb1, 0x15, 0x5b, 0x32, 0xb8, 0x77, 0x53, 0xe7,
600 0xa6, 0xf9, 0xd0, 0x95, 0x5f, 0xaa, 0x07, 0xc3,
601 0x96, 0x7c, 0xc9, 0x88, 0xc2, 0x7a, 0x20, 0x89,
602 0x4f, 0xeb, 0xeb, 0xb6, 0x19, 0xef, 0xaa, 0x27,
603 0x73, 0x9d, 0xa6, 0xb4, 0x9f, 0xeb, 0x34, 0xe2,
606 uint32_t server_change_cipher_spec_buf_len =
607 sizeof(server_change_cipher_spec_buf);
609 uint8_t toserver_app_data_buf[] = {
610 0x17, 0x03, 0x00, 0x01, 0xb0, 0x4a, 0xc3, 0x3e,
611 0x9d, 0x77, 0x78, 0x01, 0x2c, 0xb4, 0xbc, 0x4c,
612 0x9a, 0x84, 0xd7, 0xb9, 0x90, 0x0c, 0x21, 0x10,
613 0xf0, 0xfa, 0x00, 0x7c, 0x16, 0xbb, 0x77, 0xfb,
614 0x72, 0x42, 0x4f, 0xad, 0x50, 0x4a, 0xd0, 0xaa,
615 0x6f, 0xaa, 0x44, 0x6c, 0x62, 0x94, 0x1b, 0xc5,
616 0xfe, 0xe9, 0x1c, 0x5e, 0xde, 0x85, 0x0b, 0x0e,
617 0x05, 0xe4, 0x18, 0x6e, 0xd2, 0xd3, 0xb5, 0x20,
618 0xab, 0x81, 0xfd, 0x18, 0x9a, 0x73, 0xb8, 0xd7,
619 0xef, 0xc3, 0xdd, 0x74, 0xd7, 0x9c, 0x1e, 0x6f,
620 0x21, 0x6d, 0xf8, 0x24, 0xca, 0x3c, 0x70, 0x78,
621 0x36, 0x12, 0x7a, 0x8a, 0x9c, 0xac, 0x4e, 0x1c,
622 0xa8, 0xfb, 0x27, 0x30, 0xba, 0x9a, 0xf4, 0x2f,
623 0x0a, 0xab, 0x80, 0x6a, 0xa1, 0x60, 0x74, 0xf0,
624 0xe3, 0x91, 0x84, 0xe7, 0x90, 0x88, 0xcc, 0xf0,
625 0x95, 0x7b, 0x0a, 0x22, 0xf2, 0xf9, 0x27, 0xe0,
626 0xdd, 0x38, 0x0c, 0xfd, 0xe9, 0x03, 0x71, 0xdc,
627 0x70, 0xa4, 0x6e, 0xdf, 0xe3, 0x72, 0x9e, 0xa1,
628 0xf0, 0xc9, 0x00, 0xd6, 0x03, 0x55, 0x6a, 0x67,
629 0x5d, 0x9c, 0xb8, 0x75, 0x01, 0xb0, 0x01, 0x9f,
630 0xe6, 0xd2, 0x44, 0x18, 0xbc, 0xca, 0x7a, 0x10,
631 0x39, 0xa6, 0xcf, 0x15, 0xc7, 0xf5, 0x35, 0xd4,
632 0xb3, 0x6d, 0x91, 0x23, 0x84, 0x99, 0xba, 0xb0,
633 0x7e, 0xd0, 0xc9, 0x4c, 0xbf, 0x3f, 0x33, 0x68,
634 0x37, 0xb7, 0x7d, 0x44, 0xb0, 0x0b, 0x2c, 0x0f,
635 0xd0, 0x75, 0xa2, 0x6b, 0x5b, 0xe1, 0x9f, 0xd4,
636 0x69, 0x9a, 0x14, 0xc8, 0x29, 0xb7, 0xd9, 0x10,
637 0xbb, 0x99, 0x30, 0x9a, 0xfb, 0xcc, 0x13, 0x1f,
638 0x76, 0x4e, 0xe6, 0xdf, 0x14, 0xaa, 0xd5, 0x60,
639 0xbf, 0x91, 0x49, 0x0d, 0x64, 0x42, 0x29, 0xa8,
640 0x64, 0x27, 0xd4, 0x5e, 0x1b, 0x18, 0x03, 0xa8,
641 0x73, 0xd6, 0x05, 0x6e, 0xf7, 0x50, 0xb0, 0x09,
642 0x6b, 0x69, 0x7a, 0x12, 0x28, 0x58, 0xef, 0x5a,
643 0x86, 0x11, 0xde, 0x71, 0x71, 0x9f, 0xca, 0xbd,
644 0x79, 0x2a, 0xc2, 0xe5, 0x9b, 0x5e, 0x32, 0xe7,
645 0xcb, 0x97, 0x6e, 0xa0, 0xea, 0xa4, 0xa4, 0x6a,
646 0x32, 0xf9, 0x37, 0x39, 0xd8, 0x37, 0x6d, 0x63,
647 0xf3, 0x08, 0x1c, 0xdd, 0x06, 0xdd, 0x2c, 0x2b,
648 0x9f, 0x04, 0x88, 0x5f, 0x36, 0x42, 0xc1, 0xb1,
649 0xc7, 0xe8, 0x2d, 0x5d, 0xa4, 0x6c, 0xe5, 0x60,
650 0x94, 0xae, 0xd0, 0x90, 0x1e, 0x88, 0xa0, 0x87,
651 0x52, 0xfb, 0xed, 0x97, 0xa5, 0x25, 0x5a, 0xb7,
652 0x55, 0xc5, 0x13, 0x07, 0x85, 0x27, 0x40, 0xed,
653 0xb8, 0xa0, 0x26, 0x13, 0x44, 0x0c, 0xfc, 0xcc,
654 0x5a, 0x09, 0xe5, 0x44, 0xb5, 0x63, 0xa1, 0x43,
655 0x51, 0x23, 0x4f, 0x17, 0x21, 0x89, 0x2e, 0x58,
656 0xfd, 0xf9, 0x63, 0x74, 0x04, 0x70, 0x1e, 0x7d,
657 0xd0, 0x66, 0xba, 0x40, 0x5e, 0x45, 0xdc, 0x39,
658 0x7c, 0x53, 0x0f, 0xa8, 0x38, 0xb2, 0x13, 0x99,
659 0x27, 0xd9, 0x4a, 0x51, 0xe9, 0x9f, 0x2a, 0x92,
660 0xbb, 0x9c, 0x90, 0xab, 0xfd, 0xf1, 0xb7, 0x40,
661 0x05, 0xa9, 0x7a, 0x20, 0x63, 0x36, 0xc1, 0xef,
662 0xb9, 0xad, 0xa2, 0xe0, 0x1d, 0x20, 0x4f, 0xb2,
663 0x34, 0xbd, 0xea, 0x07, 0xac, 0x21, 0xce, 0xf6,
664 0x8a, 0xa2, 0x9e, 0xcd, 0xfa
666 uint32_t toserver_app_data_buf_len =
sizeof(toserver_app_data_buf);
679 memset(&th_v, 0,
sizeof(th_v));
680 memset(&p, 0,
sizeof(p));
681 memset(&f, 0,
sizeof(f));
682 memset(&ssn, 0,
sizeof(ssn));
688 f.
proto = IPPROTO_TCP;
703 "(msg:\"ssl state\"; ssl_state:client_hello; " 708 "(msg:\"ssl state\"; " 709 "ssl_state:server_hello; " 714 "(msg:\"ssl state\"; " 715 "ssl_state:client_keyx; " 720 "(msg:\"ssl state\"; " 721 "ssl_state:server_keyx; " 726 "(msg:\"ssl state\"; " 727 "ssl_state:!client_hello; " 756 shello_buf, shello_buf_len);
774 client_change_cipher_spec_buf,
775 client_change_cipher_spec_buf_len);
790 server_change_cipher_spec_buf,
791 server_change_cipher_spec_buf_len);
806 toserver_app_data_buf, toserver_app_data_buf_len);
819 if (alp_tctx != NULL)
837 static int DetectSslStateTest08(
void)
850 static int DetectSslStateTestParseNegate(
void)
858 ssd = DetectSslStateParse(
"!client_hello,!server_hello");
869 static void DetectSslStateRegisterTests(
void)
881 DetectSslStateTestParseNegate);
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
#define FLOWLOCK_UNLOCK(fb)
#define PASS
Pass the test.
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void StreamTcpFreeConfig(char quiet)
#define FLOWLOCK_WRLOCK(fb)
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
#define DETECT_SSL_STATE_SERVER_KEYX
main detection engine ctx
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void DetectSslStateRegister(void)
Registers the keyword handlers for the "ssl_state" keyword.
SSLv[2.0|3.[0|1|2|3]] state structure.
#define SIG_FLAG_TOCLIENT
#define DETECT_SSL_STATE_SERVER_HELLO
Data structures and function prototypes for keeping state for the detection engine.
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define DETECT_SSL_STATE_CLIENT_KEYX
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define SIG_FLAG_TOSERVER
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default ip and port fields.
#define FLOW_PKT_TOSERVER
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
int DetectBufferTypeRegister(const char *name)
#define DETECT_SSL_STATE_CLIENT_HELLO
#define FLOW_INITIALIZE(f)
#define DETECT_SSL_STATE_UNKNOWN
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
SigMatch * SigMatchAlloc(void)
Per thread variable structure.
#define FLOW_PKT_TOCLIENT
AppProto alproto
application level protocol
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
void(* RegisterTests)(void)
a single match condition for a signature
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
DetectEngineCtx * DetectEngineCtxInit(void)