1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements support for ssl_state keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-state.h"
36 
37 #include "flow.h"
38 #include "flow-var.h"
39 #include "flow-util.h"
40 
41 #include "util-debug.h"
42 #include "util-unittest.h"
43 #include "util-unittest-helper.h"
44 
45 #include "app-layer.h"
46 #include "app-layer-parser.h"
47 
48 #include "detect-ssl-state.h"
49 
50 #include "stream-tcp.h"
51 #include "app-layer-ssl.h"
52 
/* Leading item of the keyword argument: an optional '!' (group 1), the
 * option name (group 2) and everything after it, left unparsed (group 3).
 * Note that no whitespace is accepted before the first option. */
#define PARSE_REGEX1 "^(!?)([_a-zA-Z0-9]+)(.*)$"
static DetectParseRegex parse_regex1;

/* Every further item: a ',' or '|' separator with optional whitespace on
 * either side, followed by the same '!' / name / remainder groups. */
#define PARSE_REGEX2 "^(?:\\s*[|,]\\s*(!?)([_a-zA-Z0-9]+))(.*)$"
static DetectParseRegex parse_regex2;

static int DetectSslStateMatch(DetectEngineThreadCtx *,
        Flow *, uint8_t, void *, void *,
        const Signature *, const SigMatchCtx *);
static int DetectSslStateSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectSslStateRegisterTests(void);
#endif
static void DetectSslStateFree(DetectEngineCtx *, void *);

/* Id of the "tls_generic" inspection list. Assigned by
 * DetectBufferTypeRegister() at keyword registration and used by
 * DetectSslStateSetup() when appending the SigMatch to a signature. */
static int g_tls_generic_list_id = 0;
69 
70 /**
71  * \brief Registers the keyword handlers for the "ssl_state" keyword.
72  */
74 {
76  sigmatch_table[DETECT_AL_SSL_STATE].desc = "match the state of the SSL connection";
77  sigmatch_table[DETECT_AL_SSL_STATE].url = "/rules/tls-keywords.html#ssl-state";
78  sigmatch_table[DETECT_AL_SSL_STATE].AppLayerTxMatch = DetectSslStateMatch;
79  sigmatch_table[DETECT_AL_SSL_STATE].Setup = DetectSslStateSetup;
80  sigmatch_table[DETECT_AL_SSL_STATE].Free = DetectSslStateFree;
81 #ifdef UNITTESTS
82  sigmatch_table[DETECT_AL_SSL_STATE].RegisterTests = DetectSslStateRegisterTests;
83 #endif
84  DetectSetupParseRegexes(PARSE_REGEX1, &parse_regex1);
85  DetectSetupParseRegexes(PARSE_REGEX2, &parse_regex2);
86 
87  g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
88 
90  "generic ssl/tls inspection");
91 
96 }
97 
/**
 * \brief Tx match callback for the ssl_state keyword.
 *
 * The parsed keyword carries two bit sets: \c flags selects which bits
 * of SSLState::current_flags are inspected, and \c mask holds the subset
 * of those bits that were negated ("!name") and therefore must be clear.
 * The match fires as soon as any inspected bit differs from its expected
 * value, so a list of options behaves as an OR over the individual
 * options.
 *
 * \param det_ctx Thread detection context (unused here).
 * \param f       Flow being inspected (unused here).
 * \param flags   Direction/inspection flags (unused here).
 * \param alstate App layer state; expected to be an SSLState.
 * \param txv     Transaction (unused here).
 * \param s       Signature being evaluated (unused here).
 * \param m       The DetectSslStateData produced by DetectSslStateParse().
 *
 * \retval 1 Match.
 * \retval 0 No match, including when there is no app layer state yet.
 */
static int DetectSslStateMatch(DetectEngineThreadCtx *det_ctx,
        Flow *f, uint8_t flags, void *alstate, void *txv,
        const Signature *s, const SigMatchCtx *m)
{
    const SSLState *tls = (const SSLState *)alstate;
    if (tls == NULL) {
        SCLogDebug("no app state, no match");
        return 0;
    }

    const DetectSslStateData *cond = (const DetectSslStateData *)m;

    /* Keep only the bits the keyword asked about, then compare them with
     * the expected pattern: non-negated options expect a set bit (mask
     * bit 0), negated options expect a clear bit (mask bit 1). */
    const uint32_t observed = cond->flags & tls->current_flags;
    return (observed ^ cond->mask) != 0;
}
131 
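/**
 * \internal
 * \brief Copy one capture group of the most recent match into a buffer.
 *
 * \param match  Match data of the regex that was just executed.
 * \param group  1-based capture group number.
 * \param buf    Destination buffer, NUL-terminated on success.
 * \param buflen Size of \a buf in bytes.
 *
 * \retval 0  Copied.
 * \retval -1 pcre2 refused the copy (in practice: the group does not fit
 *            in \a buflen - 1 characters); an error has been logged.
 */
static int DetectSslStateCopyGroup(pcre2_match_data *match, uint32_t group,
        char *buf, size_t buflen)
{
    size_t pcre2len = buflen;
    int res = pcre2_substring_copy_bynumber(match, group, (PCRE2_UCHAR8 *)buf, &pcre2len);
    if (res < 0) {
        SCLogError("pcre2_substring_copy_bynumber failed");
        return -1;
    }
    return 0;
}

/**
 * \internal
 * \brief Apply a single ssl_state option name to the flag/mask pair.
 *
 * Every recognised option sets its bit in \a flags so that
 * DetectSslStateMatch() inspects that bit of SSLState::current_flags.
 * A negated option ("!name") additionally sets the same bit in \a mask,
 * which inverts the expectation for that bit.
 *
 * \param name   Option name, without the leading '!'.
 * \param negate Non-zero when the option was written as "!name".
 * \param flags  Accumulated "bits to inspect", updated in place.
 * \param mask   Accumulated "bits expected clear", updated in place.
 *
 * \retval 0  Option recognised.
 * \retval -1 Unknown option; an error has been logged.
 */
static int DetectSslStateApplyOption(const char *name, int negate,
        uint32_t *flags, uint32_t *mask)
{
    /* Single source of truth for the option vocabulary; the first token
     * and every subsequent token go through this same table. */
    static const struct {
        const char *name;
        uint32_t bit;
    } options[] = {
        { "client_hello", DETECT_SSL_STATE_CLIENT_HELLO },
        { "server_hello", DETECT_SSL_STATE_SERVER_HELLO },
        { "client_keyx",  DETECT_SSL_STATE_CLIENT_KEYX },
        { "server_keyx",  DETECT_SSL_STATE_SERVER_KEYX },
        { "unknown",      DETECT_SSL_STATE_UNKNOWN },
    };

    for (size_t i = 0; i < sizeof(options) / sizeof(options[0]); i++) {
        if (strcmp(options[i].name, name) != 0)
            continue;
        *flags |= options[i].bit;
        if (negate)
            *mask |= options[i].bit;
        return 0;
    }

    SCLogError("Found invalid option \"%s\" "
               "in ssl_state keyword.",
            name);
    return -1;
}

/**
 * \brief Parse the arg supplied with ssl_state and return it in a
 *        DetectSslStateData instance.
 *
 * The argument is "[!]name" optionally followed by any number of
 * ",[!]name" or "|[!]name" items (whitespace allowed around the
 * separator, but not before the first name). Recognised names are
 * client_hello, server_hello, client_keyx, server_keyx and unknown.
 *
 * Each captured piece, including the not-yet-parsed tail of the
 * argument, is copied into a 64-byte stack buffer; an argument whose
 * tail is longer than 63 characters is rejected with the generic pcre2
 * copy error rather than a keyword-specific message.
 *
 * \param arg Pointer to the string to be parsed.
 *
 * \retval ssd Pointer to a heap-allocated DetectSslStateData on success;
 *             the caller owns it and releases it via DetectSslStateFree().
 * \retval NULL On failure (an error has been logged).
 */
static DetectSslStateData *DetectSslStateParse(const char *arg)
{
    char str1[64];
    char str2[64];
    int negate = 0;
    uint32_t flags = 0, mask = 0;
    DetectSslStateData *ssd = NULL;

    /* Leading option: "[!]name"; group 3 holds the unparsed remainder. */
    if (DetectParsePcreExec(&parse_regex1, arg, 0, 0) < 1) {
        SCLogError("Invalid arg \"%s\" supplied to "
                   "ssl_state keyword.",
                arg);
        goto error;
    }
    if (DetectSslStateCopyGroup(parse_regex1.match, 1, str1, sizeof(str1)) < 0)
        goto error;
    negate = !strcmp("!", str1);
    if (DetectSslStateCopyGroup(parse_regex1.match, 2, str1, sizeof(str1)) < 0)
        goto error;
    if (DetectSslStateApplyOption(str1, negate, &flags, &mask) < 0)
        goto error;
    if (DetectSslStateCopyGroup(parse_regex1.match, 3, str1, sizeof(str1)) < 0)
        goto error;

    /* Remaining options: "<sep>[!]name" each, with the tail in group 3.
     * An empty str1 means the whole argument has been consumed. */
    while (strlen(str1) > 0) {
        if (DetectParsePcreExec(&parse_regex2, str1, 0, 0) < 1) {
            SCLogError("Invalid arg \"%s\" supplied to "
                       "ssl_state keyword.",
                    arg);
            goto error;
        }
        if (DetectSslStateCopyGroup(parse_regex2.match, 1, str2, sizeof(str2)) < 0)
            goto error;
        negate = !strcmp("!", str2);
        if (DetectSslStateCopyGroup(parse_regex2.match, 2, str2, sizeof(str2)) < 0)
            goto error;
        if (DetectSslStateApplyOption(str2, negate, &flags, &mask) < 0)
            goto error;

        /* str1 is the subject of the match that parse_regex2.match still
         * refers to, so the tail is staged in str2 and then moved over
         * rather than copied onto its own source. */
        if (DetectSslStateCopyGroup(parse_regex2.match, 3, str2, sizeof(str2)) < 0)
            goto error;
        memcpy(str1, str2, sizeof(str1));
    }

    ssd = SCMalloc(sizeof(*ssd));
    if (ssd == NULL)
        goto error;
    ssd->flags = flags;
    ssd->mask = mask;

    return ssd;

error:
    return NULL;
}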
278 
/**
 * \internal
 * \brief Setup function for ssl_state keyword.
 *
 * Pins the signature to ALPROTO_TLS, parses the keyword argument and
 * appends the resulting SigMatch to the "tls_generic" list.
 *
 * \param de_ctx Pointer to the Detection Engine Context.
 * \param s      Pointer to the Current Signature.
 * \param arg    String holding the arg.
 *
 * \retval 0  On success.
 * \retval -1 On failure (protocol conflict, bad argument or allocation
 *            failure); nothing is left attached to the signature.
 */
static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    /* Fails when the rule already names an incompatible app protocol. */
    if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
        return -1;

    DetectSslStateData *ssd = DetectSslStateParse(arg);
    if (ssd == NULL)
        return -1;

    SigMatch *sm = SigMatchAlloc();
    if (sm == NULL) {
        /* The parsed data has no owner yet; release it before bailing. */
        DetectSslStateFree(de_ctx, ssd);
        return -1;
    }

    sm->type = DETECT_AL_SSL_STATE;
    sm->ctx = (SigMatchCtx *)ssd;

    /* Ownership of both sm and ssd passes to the signature here. */
    SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
    return 0;
}
319 
/**
 * \brief Free memory associated with DetectSslStateData.
 *
 * Registered as the keyword's Free callback; a NULL pointer is ignored.
 *
 * \param de_ctx Detection engine context (unused).
 * \param ptr    DetectSslStateData allocated by DetectSslStateParse(),
 *               or NULL.
 */
static void DetectSslStateFree(DetectEngineCtx *de_ctx, void *ptr)
{
    DetectSslStateData *ssd = (DetectSslStateData *)ptr;
    if (ssd == NULL)
        return;

    SCFree(ssd);
}
332 
333 #ifdef UNITTESTS
334 #include "tests/detect-ssl-state.c"
335 #endif