suricata
detect-ssl-state.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements support for ssl_state keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #include "app-layer.h"
47 #include "app-layer-parser.h"
48 
49 #include "detect-ssl-state.h"
50 
51 #include "stream-tcp.h"
52 #include "app-layer-ssl.h"
53 
54 #define PARSE_REGEX1 "^(!?)([_a-zA-Z0-9]+)(.*)$"
55 static pcre *parse_regex1;
56 static pcre_extra *parse_regex1_study;
57 
58 #define PARSE_REGEX2 "^(?:\\s*[|,]\\s*(!?)([_a-zA-Z0-9]+))(.*)$"
59 static pcre *parse_regex2;
60 static pcre_extra *parse_regex2_study;
61 
62 static int DetectSslStateMatch(ThreadVars *, DetectEngineThreadCtx *,
63  Flow *, uint8_t, void *, void *,
64  const Signature *, const SigMatchCtx *);
65 static int DetectSslStateSetup(DetectEngineCtx *, Signature *, const char *);
66 static void DetectSslStateRegisterTests(void);
67 static void DetectSslStateFree(void *);
68 
69 static int InspectTlsGeneric(ThreadVars *tv,
70  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
71  const Signature *s, const SigMatchData *smd,
72  Flow *f, uint8_t flags, void *alstate,
73  void *txv, uint64_t tx_id);
74 
75 static int g_tls_generic_list_id = 0;
76 
77 /**
78  * \brief Registers the keyword handlers for the "ssl_state" keyword.
79  */
81 {
83  sigmatch_table[DETECT_AL_SSL_STATE].AppLayerTxMatch = DetectSslStateMatch;
84  sigmatch_table[DETECT_AL_SSL_STATE].Setup = DetectSslStateSetup;
85  sigmatch_table[DETECT_AL_SSL_STATE].Free = DetectSslStateFree;
86  sigmatch_table[DETECT_AL_SSL_STATE].RegisterTests = DetectSslStateRegisterTests;
87 
88  DetectSetupParseRegexes(PARSE_REGEX1, &parse_regex1, &parse_regex1_study);
89  DetectSetupParseRegexes(PARSE_REGEX2, &parse_regex2, &parse_regex2_study);
90 
91  g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
92 
94  "generic ssl/tls inspection");
95 
98  InspectTlsGeneric);
101  InspectTlsGeneric);
102 }
103 
104 static int InspectTlsGeneric(ThreadVars *tv,
105  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
106  const Signature *s, const SigMatchData *smd,
107  Flow *f, uint8_t flags, void *alstate,
108  void *txv, uint64_t tx_id)
109 {
110  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
111  f, flags, alstate, txv, tx_id);
112 }
113 
114 /**
115  * \brief App layer match function ssl_state keyword.
116  *
117  * \param tv Pointer to threadvars.
118  * \param det_ctx Pointer to the thread's detection context.
119  * \param f Pointer to the flow.
120  * \param flags Flags.
121  * \param state App layer state.
122  * \param s Sig we are currently inspecting.
123  * \param m SigMatch we are currently inspecting.
124  *
125  * \retval 1 Match.
126  * \retval 0 No match.
127  */
128 static int DetectSslStateMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
129  Flow *f, uint8_t flags, void *alstate, void *txv,
130  const Signature *s, const SigMatchCtx *m)
131 {
132  const DetectSslStateData *ssd = (const DetectSslStateData *)m;
133  SSLState *ssl_state = (SSLState *)alstate;
134  if (ssl_state == NULL) {
135  SCLogDebug("no app state, no match");
136  return 0;
137  }
138 
139  uint32_t ssl_flags = ssl_state->current_flags;
140 
141  if ((ssd->flags & ssl_flags) ^ ssd->mask) {
142  return 1;
143  }
144 
145  return 0;
146 }
147 
148 /**
149  * \brief Parse the arg supplied with ssl_state and return it in a
150  * DetectSslStateData instance.
151  *
152  * \param arg Pointer to the string to be parsed.
153  *
154  * \retval ssd Pointer to DetectSslStateData on succese.
155  * \retval NULL On failure.
156  */
157 static DetectSslStateData *DetectSslStateParse(const char *arg)
158 {
159 #define MAX_SUBSTRINGS 30
160  int ret = 0, res = 0;
161  int ov1[MAX_SUBSTRINGS];
162  int ov2[MAX_SUBSTRINGS];
163  const char *str1;
164  const char *str2;
165  int negate = 0;
166  uint32_t flags = 0, mask = 0;
167  DetectSslStateData *ssd = NULL;
168 
169  ret = pcre_exec(parse_regex1, parse_regex1_study, arg, strlen(arg), 0, 0,
170  ov1, MAX_SUBSTRINGS);
171  if (ret < 1) {
172  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg \"%s\" supplied to "
173  "ssl_state keyword.", arg);
174  goto error;
175  }
176 
177  res = pcre_get_substring((char *)arg, ov1, MAX_SUBSTRINGS, 1, &str1);
178  if (res < 0) {
179  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
180  goto error;
181  }
182  negate = !strcmp("!", str1);
183  pcre_free_substring(str1);
184 
185  res = pcre_get_substring((char *)arg, ov1, MAX_SUBSTRINGS, 2, &str1);
186  if (res < 0) {
187  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
188  goto error;
189  }
190 
191  if (strcmp("client_hello", str1) == 0) {
193  if (negate)
195  } else if (strcmp("server_hello", str1) == 0) {
197  if (negate)
199  } else if (strcmp("client_keyx", str1) == 0) {
201  if (negate)
203  } else if (strcmp("server_keyx", str1) == 0) {
205  if (negate)
207  } else if (strcmp("unknown", str1) == 0) {
208  flags |= DETECT_SSL_STATE_UNKNOWN;
209  if (negate)
210  mask |= DETECT_SSL_STATE_UNKNOWN;
211  } else {
212  SCLogError(SC_ERR_INVALID_SIGNATURE, "Found invalid option \"%s\" "
213  "in ssl_state keyword.", str1);
214  goto error;
215  }
216 
217  pcre_free_substring(str1);
218 
219  res = pcre_get_substring((char *)arg, ov1, MAX_SUBSTRINGS, 3, &str1);
220  if (res < 0) {
221  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
222  goto error;
223  }
224  while (res > 0) {
225  ret = pcre_exec(parse_regex2, parse_regex2_study, str1, strlen(str1), 0, 0,
226  ov2, MAX_SUBSTRINGS);
227  if (ret < 1) {
228  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg \"%s\" supplied to "
229  "ssl_state keyword.", arg);
230  goto error;
231  }
232 
233  res = pcre_get_substring((char *)str1, ov2, MAX_SUBSTRINGS, 1, &str2);
234  if (res < 0) {
235  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
236  goto error;
237  }
238  negate = !strcmp("!", str2);
239  pcre_free_substring(str2);
240 
241  res = pcre_get_substring((char *)str1, ov2, MAX_SUBSTRINGS, 2, &str2);
242  if (res <= 0) {
243  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
244  goto error;
245  }
246  if (strcmp("client_hello", str2) == 0) {
248  if (negate)
250  } else if (strcmp("server_hello", str2) == 0) {
252  if (negate)
254  } else if (strcmp("client_keyx", str2) == 0) {
256  if (negate)
258  } else if (strcmp("server_keyx", str2) == 0) {
260  if (negate)
262  } else if (strcmp("unknown", str2) == 0) {
263  flags |= DETECT_SSL_STATE_UNKNOWN;
264  if (negate)
265  mask |= DETECT_SSL_STATE_UNKNOWN;
266  } else {
267  SCLogError(SC_ERR_INVALID_SIGNATURE, "Found invalid option \"%s\" "
268  "in ssl_state keyword.", str2);
269  goto error;
270  }
271 
272  res = pcre_get_substring((char *)str1, ov2, MAX_SUBSTRINGS, 3, &str2);
273  if (res < 0) {
274  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
275  goto error;
276  }
277 
278  pcre_free_substring(str1);
279  str1 = str2;
280  }
281  pcre_free_substring(str1);
282 
283  if ( (ssd = SCMalloc(sizeof(DetectSslStateData))) == NULL) {
284  goto error;
285  }
286  ssd->flags = flags;
287  ssd->mask = mask;
288 
289  return ssd;
290 
291 error:
292  return NULL;
293 }
294 
295  /**
296  * \internal
297  * \brief Setup function for ssl_state keyword.
298  *
299  * \param de_ctx Pointer to the Detection Engine Context.
300  * \param s Pointer to the Current Signature
301  * \param arg String holding the arg.
302  *
303  * \retval 0 On success.
304  * \retval -1 On failure.
305  */
306 static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
307 {
308  DetectSslStateData *ssd = NULL;
309  SigMatch *sm = NULL;
310 
312  return -1;
313 
314  ssd = DetectSslStateParse(arg);
315  if (ssd == NULL)
316  goto error;
317 
318  sm = SigMatchAlloc();
319  if (sm == NULL)
320  goto error;
321 
323  sm->ctx = (SigMatchCtx*)ssd;
324 
325  SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
326  return 0;
327 
328 error:
329  if (ssd != NULL)
330  DetectSslStateFree(ssd);
331  if (sm != NULL)
332  SCFree(sm);
333  return -1;
334 }
335 
336 /**
337  * \brief Free memory associated with DetectSslStateData.
338  *
339  * \param ptr pointer to the data to be freed.
340  */
341 static void DetectSslStateFree(void *ptr)
342 {
343  if (ptr != NULL)
344  SCFree(ptr);
345 
346  return;
347 }
348 
349 /************************************Unittests*********************************/
350 
351 #ifdef UNITTESTS
352 
353 static int DetectSslStateTest01(void)
354 {
355  DetectSslStateData *ssd = DetectSslStateParse("client_hello");
356  FAIL_IF_NULL(ssd);
358  SCFree(ssd);
359  PASS;
360 }
361 
362 static int DetectSslStateTest02(void)
363 {
364  DetectSslStateData *ssd = DetectSslStateParse("server_hello , client_hello");
365  FAIL_IF_NULL(ssd);
368  SCFree(ssd);
369  PASS;
370 }
371 
372 static int DetectSslStateTest03(void)
373 {
374  DetectSslStateData *ssd = DetectSslStateParse("server_hello , client_keyx , "
375  "client_hello");
376  FAIL_IF_NULL(ssd);
380  SCFree(ssd);
381  PASS;
382 }
383 
384 static int DetectSslStateTest04(void)
385 {
386  DetectSslStateData *ssd = DetectSslStateParse("server_hello , client_keyx , "
387  "client_hello , server_keyx , "
388  "unknown");
389  FAIL_IF_NULL(ssd);
395  SCFree(ssd);
396  PASS;
397 }
398 
399 static int DetectSslStateTest05(void)
400 {
401  DetectSslStateData *ssd = DetectSslStateParse(", server_hello , client_keyx , "
402  "client_hello , server_keyx , "
403  "unknown");
404 
405  FAIL_IF_NOT_NULL(ssd);
406  PASS;
407 }
408 
409 static int DetectSslStateTest06(void)
410 {
411  DetectSslStateData *ssd = DetectSslStateParse("server_hello , client_keyx , "
412  "client_hello , server_keyx , "
413  "unknown , ");
414  FAIL_IF_NOT_NULL(ssd);
415  PASS;
416 }
417 
418 /**
419  * \test Test a valid dce_iface entry for a bind and bind_ack
420  */
421 static int DetectSslStateTest07(void)
422 {
423  uint8_t chello_buf[] = {
424  0x80, 0x67, 0x01, 0x03, 0x00, 0x00, 0x4e, 0x00,
425  0x00, 0x00, 0x10, 0x01, 0x00, 0x80, 0x03, 0x00,
426  0x80, 0x07, 0x00, 0xc0, 0x06, 0x00, 0x40, 0x02,
427  0x00, 0x80, 0x04, 0x00, 0x80, 0x00, 0x00, 0x39,
428  0x00, 0x00, 0x38, 0x00, 0x00, 0x35, 0x00, 0x00,
429  0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x04, 0x00,
430  0x00, 0x05, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x16,
431  0x00, 0x00, 0x13, 0x00, 0xfe, 0xff, 0x00, 0x00,
432  0x0a, 0x00, 0x00, 0x15, 0x00, 0x00, 0x12, 0x00,
433  0xfe, 0xfe, 0x00, 0x00, 0x09, 0x00, 0x00, 0x64,
434  0x00, 0x00, 0x62, 0x00, 0x00, 0x03, 0x00, 0x00,
435  0x06, 0xa8, 0xb8, 0x93, 0xbb, 0x90, 0xe9, 0x2a,
436  0xa2, 0x4d, 0x6d, 0xcc, 0x1c, 0xe7, 0x2a, 0x80,
437  0x21
438  };
439  uint32_t chello_buf_len = sizeof(chello_buf);
440 
441  uint8_t shello_buf[] = {
442  0x16, 0x03, 0x00, 0x00, 0x4a, 0x02,
443  0x00, 0x00, 0x46, 0x03, 0x00, 0x44, 0x4c, 0x94,
444  0x8f, 0xfe, 0x81, 0xed, 0x93, 0x65, 0x02, 0x88,
445  0xa3, 0xf8, 0xeb, 0x63, 0x86, 0x0e, 0x2c, 0xf6,
446  0x8d, 0xd0, 0x0f, 0x2c, 0x2a, 0xd6, 0x4f, 0xcd,
447  0x2d, 0x3c, 0x16, 0xd7, 0xd6, 0x20, 0xa0, 0xfb,
448  0x60, 0x86, 0x3d, 0x1e, 0x76, 0xf3, 0x30, 0xfe,
449  0x0b, 0x01, 0xfd, 0x1a, 0x01, 0xed, 0x95, 0xf6,
450  0x7b, 0x8e, 0xc0, 0xd4, 0x27, 0xbf, 0xf0, 0x6e,
451  0xc7, 0x56, 0xb1, 0x47, 0xce, 0x98, 0x00, 0x35,
452  0x00, 0x16, 0x03, 0x00, 0x03, 0x44, 0x0b, 0x00,
453  0x03, 0x40, 0x00, 0x03, 0x3d, 0x00, 0x03, 0x3a,
454  0x30, 0x82, 0x03, 0x36, 0x30, 0x82, 0x02, 0x9f,
455  0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01,
456  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
457  0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30,
458  0x81, 0xa9, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
459  0x55, 0x04, 0x06, 0x13, 0x02, 0x58, 0x59, 0x31,
460  0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x08,
461  0x13, 0x0c, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
462  0x44, 0x65, 0x73, 0x65, 0x72, 0x74, 0x31, 0x13,
463  0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
464  0x0a, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x54,
465  0x6f, 0x77, 0x6e, 0x31, 0x17, 0x30, 0x15, 0x06,
466  0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x53, 0x6e,
467  0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, 0x2c,
468  0x20, 0x4c, 0x74, 0x64, 0x31, 0x1e, 0x30, 0x1c,
469  0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x43,
470  0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
471  0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f,
472  0x72, 0x69, 0x74, 0x79, 0x31, 0x15, 0x30, 0x13,
473  0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0c, 0x53,
474  0x6e, 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c,
475  0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06,
476  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
477  0x09, 0x01, 0x16, 0x0f, 0x63, 0x61, 0x40, 0x73,
478  0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, 0x2e,
479  0x64, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30,
480  0x33, 0x30, 0x33, 0x30, 0x35, 0x31, 0x36, 0x34,
481  0x37, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x30, 0x38,
482  0x30, 0x33, 0x30, 0x33, 0x31, 0x36, 0x34, 0x37,
483  0x34, 0x35, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x0b,
484  0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
485  0x02, 0x58, 0x59, 0x31, 0x15, 0x30, 0x13, 0x06,
486  0x03, 0x55, 0x04, 0x08, 0x13, 0x0c, 0x53, 0x6e,
487  0x61, 0x6b, 0x65, 0x20, 0x44, 0x65, 0x73, 0x65,
488  0x72, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
489  0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x6e, 0x61,
490  0x6b, 0x65, 0x20, 0x54, 0x6f, 0x77, 0x6e, 0x31,
491  0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a,
492  0x13, 0x0e, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
493  0x4f, 0x69, 0x6c, 0x2c, 0x20, 0x4c, 0x74, 0x64,
494  0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
495  0x0b, 0x13, 0x0e, 0x57, 0x65, 0x62, 0x73, 0x65,
496  0x72, 0x76, 0x65, 0x72, 0x20, 0x54, 0x65, 0x61,
497  0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,
498  0x04, 0x03, 0x13, 0x10, 0x77, 0x77, 0x77, 0x2e,
499  0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c,
500  0x2e, 0x64, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d,
501  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
502  0x01, 0x09, 0x01, 0x16, 0x10, 0x77, 0x77, 0x77,
503  0x40, 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69,
504  0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x30, 0x81, 0x9f,
505  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
506  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03,
507  0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
508  0x81, 0x00, 0xa4, 0x6e, 0x53, 0x14, 0x0a, 0xde,
509  0x2c, 0xe3, 0x60, 0x55, 0x9a, 0xf2, 0x42, 0xa6,
510  0xaf, 0x47, 0x12, 0x2f, 0x17, 0xce, 0xfa, 0xba,
511  0xdc, 0x4e, 0x63, 0x56, 0x34, 0xb9, 0xba, 0x73,
512  0x4b, 0x78, 0x44, 0x3d, 0xc6, 0x6c, 0x69, 0xa4,
513  0x25, 0xb3, 0x61, 0x02, 0x9d, 0x09, 0x04, 0x3f,
514  0x72, 0x3d, 0xd8, 0x27, 0xd3, 0xb0, 0x5a, 0x45,
515  0x77, 0xb7, 0x36, 0xe4, 0x26, 0x23, 0xcc, 0x12,
516  0xb8, 0xae, 0xde, 0xa7, 0xb6, 0x3a, 0x82, 0x3c,
517  0x7c, 0x24, 0x59, 0x0a, 0xf8, 0x96, 0x43, 0x8b,
518  0xa3, 0x29, 0x36, 0x3f, 0x91, 0x7f, 0x5d, 0xc7,
519  0x23, 0x94, 0x29, 0x7f, 0x0a, 0xce, 0x0a, 0xbd,
520  0x8d, 0x9b, 0x2f, 0x19, 0x17, 0xaa, 0xd5, 0x8e,
521  0xec, 0x66, 0xa2, 0x37, 0xeb, 0x3f, 0x57, 0x53,
522  0x3c, 0xf2, 0xaa, 0xbb, 0x79, 0x19, 0x4b, 0x90,
523  0x7e, 0xa7, 0xa3, 0x99, 0xfe, 0x84, 0x4c, 0x89,
524  0xf0, 0x3d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
525  0x6e, 0x30, 0x6c, 0x30, 0x1b, 0x06, 0x03, 0x55,
526  0x1d, 0x11, 0x04, 0x14, 0x30, 0x12, 0x81, 0x10,
527  0x77, 0x77, 0x77, 0x40, 0x73, 0x6e, 0x61, 0x6b,
528  0x65, 0x6f, 0x69, 0x6c, 0x2e, 0x64, 0x6f, 0x6d,
529  0x30, 0x3a, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
530  0x86, 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x2d, 0x16,
531  0x2b, 0x6d, 0x6f, 0x64, 0x5f, 0x73, 0x73, 0x6c,
532  0x20, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
533  0x65, 0x64, 0x20, 0x63, 0x75, 0x73, 0x74, 0x6f,
534  0x6d, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
535  0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
536  0x63, 0x61, 0x74, 0x65, 0x30, 0x11, 0x06, 0x09,
537  0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01,
538  0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 0x30,
539  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
540  0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81,
541  0x81, 0x00, 0xae, 0x79, 0x79, 0x22, 0x90, 0x75,
542  0xfd, 0xa6, 0xd5, 0xc4, 0xb8, 0xc4, 0x99, 0x4e,
543  0x1c, 0x05, 0x7c, 0x91, 0x59, 0xbe, 0x89, 0x0d,
544  0x3d, 0xc6, 0x8c, 0xa3, 0xcf, 0xf6, 0xba, 0x23,
545  0xdf, 0xb8, 0xae, 0x44, 0x68, 0x8a, 0x8f, 0xb9,
546  0x8b, 0xcb, 0x12, 0xda, 0xe6, 0xa2, 0xca, 0xa5,
547  0xa6, 0x55, 0xd9, 0xd2, 0xa1, 0xad, 0xba, 0x9b,
548  0x2c, 0x44, 0x95, 0x1d, 0x4a, 0x90, 0x59, 0x7f,
549  0x83, 0xae, 0x81, 0x5e, 0x3f, 0x92, 0xe0, 0x14,
550  0x41, 0x82, 0x4e, 0x7f, 0x53, 0xfd, 0x10, 0x23,
551  0xeb, 0x8a, 0xeb, 0xe9, 0x92, 0xea, 0x61, 0xf2,
552  0x8e, 0x19, 0xa1, 0xd3, 0x49, 0xc0, 0x84, 0x34,
553  0x1e, 0x2e, 0x6e, 0xf6, 0x98, 0xe2, 0x87, 0x53,
554  0xd6, 0x55, 0xd9, 0x1a, 0x8a, 0x92, 0x5c, 0xad,
555  0xdc, 0x1e, 0x1c, 0x30, 0xa7, 0x65, 0x9d, 0xc2,
556  0x4f, 0x60, 0xd2, 0x6f, 0xdb, 0xe0, 0x9f, 0x9e,
557  0xbc, 0x41, 0x16, 0x03, 0x00, 0x00, 0x04, 0x0e,
558  0x00, 0x00, 0x00
559  };
560  uint32_t shello_buf_len = sizeof(shello_buf);
561 
562  uint8_t client_change_cipher_spec_buf[] = {
563  0x16, 0x03, 0x00, 0x00, 0x84, 0x10, 0x00, 0x00,
564  0x80, 0x65, 0x51, 0x2d, 0xa6, 0xd4, 0xa7, 0x38,
565  0xdf, 0xac, 0x79, 0x1f, 0x0b, 0xd9, 0xb2, 0x61,
566  0x7d, 0x73, 0x88, 0x32, 0xd9, 0xf2, 0x62, 0x3a,
567  0x8b, 0x11, 0x04, 0x75, 0xca, 0x42, 0xff, 0x4e,
568  0xd9, 0xcc, 0xb9, 0xfa, 0x86, 0xf3, 0x16, 0x2f,
569  0x09, 0x73, 0x51, 0x66, 0xaa, 0x29, 0xcd, 0x80,
570  0x61, 0x0f, 0xe8, 0x13, 0xce, 0x5b, 0x8e, 0x0a,
571  0x23, 0xf8, 0x91, 0x5e, 0x5f, 0x54, 0x70, 0x80,
572  0x8e, 0x7b, 0x28, 0xef, 0xb6, 0x69, 0xb2, 0x59,
573  0x85, 0x74, 0x98, 0xe2, 0x7e, 0xd8, 0xcc, 0x76,
574  0x80, 0xe1, 0xb6, 0x45, 0x4d, 0xc7, 0xcd, 0x84,
575  0xce, 0xb4, 0x52, 0x79, 0x74, 0xcd, 0xe6, 0xd7,
576  0xd1, 0x9c, 0xad, 0xef, 0x63, 0x6c, 0x0f, 0xf7,
577  0x05, 0xe4, 0x4d, 0x1a, 0xd3, 0xcb, 0x9c, 0xd2,
578  0x51, 0xb5, 0x61, 0xcb, 0xff, 0x7c, 0xee, 0xc7,
579  0xbc, 0x5e, 0x15, 0xa3, 0xf2, 0x52, 0x0f, 0xbb,
580  0x32, 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16,
581  0x03, 0x00, 0x00, 0x40, 0xa9, 0xd8, 0xd7, 0x35,
582  0xbc, 0x39, 0x56, 0x98, 0xad, 0x87, 0x61, 0x2a,
583  0xc4, 0x8f, 0xcc, 0x03, 0xcb, 0x93, 0x80, 0x81,
584  0xb0, 0x4a, 0xc4, 0xd2, 0x09, 0x71, 0x3e, 0x90,
585  0x3c, 0x8d, 0xe0, 0x95, 0x44, 0xfe, 0x56, 0xd1,
586  0x7e, 0x88, 0xe2, 0x48, 0xfd, 0x76, 0x70, 0x76,
587  0xe2, 0xcd, 0x06, 0xd0, 0xf3, 0x9d, 0x13, 0x79,
588  0x67, 0x1e, 0x37, 0xf6, 0x98, 0xbe, 0x59, 0x18,
589  0x4c, 0xfc, 0x75, 0x56
590  };
591  uint32_t client_change_cipher_spec_buf_len =
592  sizeof(client_change_cipher_spec_buf);
593 
594  uint8_t server_change_cipher_spec_buf[] = {
595  0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, 0x03,
596  0x00, 0x00, 0x40, 0xce, 0x7c, 0x92, 0x43, 0x59,
597  0xcc, 0x3d, 0x90, 0x91, 0x9c, 0x58, 0xf0, 0x7a,
598  0xce, 0xae, 0x0d, 0x08, 0xe0, 0x76, 0xb4, 0x86,
599  0xb1, 0x15, 0x5b, 0x32, 0xb8, 0x77, 0x53, 0xe7,
600  0xa6, 0xf9, 0xd0, 0x95, 0x5f, 0xaa, 0x07, 0xc3,
601  0x96, 0x7c, 0xc9, 0x88, 0xc2, 0x7a, 0x20, 0x89,
602  0x4f, 0xeb, 0xeb, 0xb6, 0x19, 0xef, 0xaa, 0x27,
603  0x73, 0x9d, 0xa6, 0xb4, 0x9f, 0xeb, 0x34, 0xe2,
604  0x4d, 0x9f, 0x6b
605  };
606  uint32_t server_change_cipher_spec_buf_len =
607  sizeof(server_change_cipher_spec_buf);
608 
609  uint8_t toserver_app_data_buf[] = {
610  0x17, 0x03, 0x00, 0x01, 0xb0, 0x4a, 0xc3, 0x3e,
611  0x9d, 0x77, 0x78, 0x01, 0x2c, 0xb4, 0xbc, 0x4c,
612  0x9a, 0x84, 0xd7, 0xb9, 0x90, 0x0c, 0x21, 0x10,
613  0xf0, 0xfa, 0x00, 0x7c, 0x16, 0xbb, 0x77, 0xfb,
614  0x72, 0x42, 0x4f, 0xad, 0x50, 0x4a, 0xd0, 0xaa,
615  0x6f, 0xaa, 0x44, 0x6c, 0x62, 0x94, 0x1b, 0xc5,
616  0xfe, 0xe9, 0x1c, 0x5e, 0xde, 0x85, 0x0b, 0x0e,
617  0x05, 0xe4, 0x18, 0x6e, 0xd2, 0xd3, 0xb5, 0x20,
618  0xab, 0x81, 0xfd, 0x18, 0x9a, 0x73, 0xb8, 0xd7,
619  0xef, 0xc3, 0xdd, 0x74, 0xd7, 0x9c, 0x1e, 0x6f,
620  0x21, 0x6d, 0xf8, 0x24, 0xca, 0x3c, 0x70, 0x78,
621  0x36, 0x12, 0x7a, 0x8a, 0x9c, 0xac, 0x4e, 0x1c,
622  0xa8, 0xfb, 0x27, 0x30, 0xba, 0x9a, 0xf4, 0x2f,
623  0x0a, 0xab, 0x80, 0x6a, 0xa1, 0x60, 0x74, 0xf0,
624  0xe3, 0x91, 0x84, 0xe7, 0x90, 0x88, 0xcc, 0xf0,
625  0x95, 0x7b, 0x0a, 0x22, 0xf2, 0xf9, 0x27, 0xe0,
626  0xdd, 0x38, 0x0c, 0xfd, 0xe9, 0x03, 0x71, 0xdc,
627  0x70, 0xa4, 0x6e, 0xdf, 0xe3, 0x72, 0x9e, 0xa1,
628  0xf0, 0xc9, 0x00, 0xd6, 0x03, 0x55, 0x6a, 0x67,
629  0x5d, 0x9c, 0xb8, 0x75, 0x01, 0xb0, 0x01, 0x9f,
630  0xe6, 0xd2, 0x44, 0x18, 0xbc, 0xca, 0x7a, 0x10,
631  0x39, 0xa6, 0xcf, 0x15, 0xc7, 0xf5, 0x35, 0xd4,
632  0xb3, 0x6d, 0x91, 0x23, 0x84, 0x99, 0xba, 0xb0,
633  0x7e, 0xd0, 0xc9, 0x4c, 0xbf, 0x3f, 0x33, 0x68,
634  0x37, 0xb7, 0x7d, 0x44, 0xb0, 0x0b, 0x2c, 0x0f,
635  0xd0, 0x75, 0xa2, 0x6b, 0x5b, 0xe1, 0x9f, 0xd4,
636  0x69, 0x9a, 0x14, 0xc8, 0x29, 0xb7, 0xd9, 0x10,
637  0xbb, 0x99, 0x30, 0x9a, 0xfb, 0xcc, 0x13, 0x1f,
638  0x76, 0x4e, 0xe6, 0xdf, 0x14, 0xaa, 0xd5, 0x60,
639  0xbf, 0x91, 0x49, 0x0d, 0x64, 0x42, 0x29, 0xa8,
640  0x64, 0x27, 0xd4, 0x5e, 0x1b, 0x18, 0x03, 0xa8,
641  0x73, 0xd6, 0x05, 0x6e, 0xf7, 0x50, 0xb0, 0x09,
642  0x6b, 0x69, 0x7a, 0x12, 0x28, 0x58, 0xef, 0x5a,
643  0x86, 0x11, 0xde, 0x71, 0x71, 0x9f, 0xca, 0xbd,
644  0x79, 0x2a, 0xc2, 0xe5, 0x9b, 0x5e, 0x32, 0xe7,
645  0xcb, 0x97, 0x6e, 0xa0, 0xea, 0xa4, 0xa4, 0x6a,
646  0x32, 0xf9, 0x37, 0x39, 0xd8, 0x37, 0x6d, 0x63,
647  0xf3, 0x08, 0x1c, 0xdd, 0x06, 0xdd, 0x2c, 0x2b,
648  0x9f, 0x04, 0x88, 0x5f, 0x36, 0x42, 0xc1, 0xb1,
649  0xc7, 0xe8, 0x2d, 0x5d, 0xa4, 0x6c, 0xe5, 0x60,
650  0x94, 0xae, 0xd0, 0x90, 0x1e, 0x88, 0xa0, 0x87,
651  0x52, 0xfb, 0xed, 0x97, 0xa5, 0x25, 0x5a, 0xb7,
652  0x55, 0xc5, 0x13, 0x07, 0x85, 0x27, 0x40, 0xed,
653  0xb8, 0xa0, 0x26, 0x13, 0x44, 0x0c, 0xfc, 0xcc,
654  0x5a, 0x09, 0xe5, 0x44, 0xb5, 0x63, 0xa1, 0x43,
655  0x51, 0x23, 0x4f, 0x17, 0x21, 0x89, 0x2e, 0x58,
656  0xfd, 0xf9, 0x63, 0x74, 0x04, 0x70, 0x1e, 0x7d,
657  0xd0, 0x66, 0xba, 0x40, 0x5e, 0x45, 0xdc, 0x39,
658  0x7c, 0x53, 0x0f, 0xa8, 0x38, 0xb2, 0x13, 0x99,
659  0x27, 0xd9, 0x4a, 0x51, 0xe9, 0x9f, 0x2a, 0x92,
660  0xbb, 0x9c, 0x90, 0xab, 0xfd, 0xf1, 0xb7, 0x40,
661  0x05, 0xa9, 0x7a, 0x20, 0x63, 0x36, 0xc1, 0xef,
662  0xb9, 0xad, 0xa2, 0xe0, 0x1d, 0x20, 0x4f, 0xb2,
663  0x34, 0xbd, 0xea, 0x07, 0xac, 0x21, 0xce, 0xf6,
664  0x8a, 0xa2, 0x9e, 0xcd, 0xfa
665  };
666  uint32_t toserver_app_data_buf_len = sizeof(toserver_app_data_buf);
667 
668  Signature *s = NULL;
669  ThreadVars th_v;
670  Packet *p = NULL;
671  Flow f;
672  TcpSession ssn;
673  DetectEngineThreadCtx *det_ctx = NULL;
674  DetectEngineCtx *de_ctx = NULL;
675  SSLState *ssl_state = NULL;
676  int r = 0;
678 
679  memset(&th_v, 0, sizeof(th_v));
680  memset(&p, 0, sizeof(p));
681  memset(&f, 0, sizeof(f));
682  memset(&ssn, 0, sizeof(ssn));
683 
684  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
685 
686  FLOW_INITIALIZE(&f);
687  f.protoctx = (void *)&ssn;
688  f.proto = IPPROTO_TCP;
689  p->flow = &f;
693  f.alproto = ALPROTO_TLS;
694 
696 
697  de_ctx = DetectEngineCtxInit();
698  FAIL_IF_NULL(de_ctx);
699 
700  de_ctx->flags |= DE_QUIET;
701 
702  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
703  "(msg:\"ssl state\"; ssl_state:client_hello; "
704  "sid:1;)");
705  FAIL_IF_NULL(s);
706 
707  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
708  "(msg:\"ssl state\"; "
709  "ssl_state:server_hello; "
710  "sid:2;)");
711  FAIL_IF_NULL(s);
712 
713  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
714  "(msg:\"ssl state\"; "
715  "ssl_state:client_keyx; "
716  "sid:3;)");
717  FAIL_IF_NULL(s);
718 
719  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
720  "(msg:\"ssl state\"; "
721  "ssl_state:server_keyx; "
722  "sid:4;)");
723  FAIL_IF_NULL(s);
724 
725  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
726  "(msg:\"ssl state\"; "
727  "ssl_state:!client_hello; "
728  "sid:5;)");
729  FAIL_IF_NULL(s);
730 
731  SigGroupBuild(de_ctx);
732  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
733 
734  FLOWLOCK_WRLOCK(&f);
735  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
736  STREAM_TOSERVER | STREAM_START, chello_buf,
737  chello_buf_len);
738  FAIL_IF(r != 0);
739  FLOWLOCK_UNLOCK(&f);
740 
741  ssl_state = f.alstate;
742  FAIL_IF(ssl_state == NULL);
743 
744  /* do detect */
745  p->alerts.cnt = 0;
746  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
747 
748  FAIL_IF(!PacketAlertCheck(p, 1));
749  FAIL_IF(PacketAlertCheck(p, 2));
750  FAIL_IF(PacketAlertCheck(p, 3));
751  FAIL_IF(PacketAlertCheck(p, 4));
752  FAIL_IF(PacketAlertCheck(p, 5));
753 
754  FLOWLOCK_WRLOCK(&f);
755  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
756  shello_buf, shello_buf_len);
757  FAIL_IF(r != 0);
758  FLOWLOCK_UNLOCK(&f);
759 
760  /* do detect */
761  p->alerts.cnt = 0;
763 
764  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
765 
766  FAIL_IF(PacketAlertCheck(p, 1));
767  FAIL_IF(!PacketAlertCheck(p, 2));
768  FAIL_IF(PacketAlertCheck(p, 3));
769  FAIL_IF(PacketAlertCheck(p, 4));
770  FAIL_IF(!PacketAlertCheck(p, 5));
771 
772  FLOWLOCK_WRLOCK(&f);
773  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
774  client_change_cipher_spec_buf,
775  client_change_cipher_spec_buf_len);
776  FAIL_IF(r != 0);
777  FLOWLOCK_UNLOCK(&f);
778 
779  /* do detect */
780  p->alerts.cnt = 0;
781  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
782 
783  FAIL_IF(PacketAlertCheck(p, 1));
784  FAIL_IF(PacketAlertCheck(p, 2));
785  FAIL_IF(!PacketAlertCheck(p, 3));
786  FAIL_IF(PacketAlertCheck(p, 4));
787 
788  FLOWLOCK_WRLOCK(&f);
789  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
790  server_change_cipher_spec_buf,
791  server_change_cipher_spec_buf_len);
792  FAIL_IF(r != 0);
793  FLOWLOCK_UNLOCK(&f);
794 
795  /* do detect */
796  p->alerts.cnt = 0;
797  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
798 
799  FAIL_IF(PacketAlertCheck(p, 1));
800  FAIL_IF(PacketAlertCheck(p, 2));
801  FAIL_IF(PacketAlertCheck(p, 3));
802  FAIL_IF(PacketAlertCheck(p, 4));
803 
804  FLOWLOCK_WRLOCK(&f);
805  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
806  toserver_app_data_buf, toserver_app_data_buf_len);
807  FAIL_IF(r != 0);
808  FLOWLOCK_UNLOCK(&f);
809 
810  /* do detect */
811  p->alerts.cnt = 0;
812  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
813 
814  FAIL_IF(PacketAlertCheck(p, 1));
815  FAIL_IF(PacketAlertCheck(p, 2));
816  FAIL_IF(PacketAlertCheck(p, 3));
817  FAIL_IF(PacketAlertCheck(p, 4));
818 
819  if (alp_tctx != NULL)
820  AppLayerParserThreadCtxFree(alp_tctx);
821  SigGroupCleanup(de_ctx);
822  SigCleanSignatures(de_ctx);
823 
824  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
825  DetectEngineCtxFree(de_ctx);
826 
828  FLOW_DESTROY(&f);
829  UTHFreePackets(&p, 1);
830  PASS;
831 }
832 
833 /**
834  * \brief Test that the "|" character still works as a separate for
835  * compatibility with older Suricata rules.
836  */
837 static int DetectSslStateTest08(void)
838 {
839  DetectSslStateData *ssd = DetectSslStateParse("server_hello|client_hello");
840  FAIL_IF_NULL(ssd);
843  SCFree(ssd);
844  PASS;
845 }
846 
847 /**
848  * \test Test parsing of negated states.
849  */
850 static int DetectSslStateTestParseNegate(void)
851 {
852  DetectSslStateData *ssd = DetectSslStateParse("!client_hello");
853  FAIL_IF_NULL(ssd);
854  uint32_t expected = DETECT_SSL_STATE_CLIENT_HELLO;
855  FAIL_IF(ssd->flags != expected || ssd->mask != expected);
856  SCFree(ssd);
857 
858  ssd = DetectSslStateParse("!client_hello,!server_hello");
859  FAIL_IF_NULL(ssd);
861  FAIL_IF(ssd->flags != expected || ssd->mask != expected);
862  SCFree(ssd);
863 
864  PASS;
865 }
866 
867 #endif /* UNITTESTS */
868 
869 static void DetectSslStateRegisterTests(void)
870 {
871 #ifdef UNITTESTS
872  UtRegisterTest("DetectSslStateTest01", DetectSslStateTest01);
873  UtRegisterTest("DetectSslStateTest02", DetectSslStateTest02);
874  UtRegisterTest("DetectSslStateTest03", DetectSslStateTest03);
875  UtRegisterTest("DetectSslStateTest04", DetectSslStateTest04);
876  UtRegisterTest("DetectSslStateTest05", DetectSslStateTest05);
877  UtRegisterTest("DetectSslStateTest06", DetectSslStateTest06);
878  UtRegisterTest("DetectSslStateTest07", DetectSslStateTest07);
879  UtRegisterTest("DetectSslStateTest08", DetectSslStateTest08);
880  UtRegisterTest("DetectSslStateTestParseNegate",
881  DetectSslStateTestParseNegate);
882 #endif
883  return;
884 }
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1135
#define SCLogDebug(...)
Definition: util-debug.h:335
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
struct Flow_ * flow
Definition: decode.h:443
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:343
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:242
#define PASS
Pass the test.
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:202
Data needed for Match()
Definition: detect.h:331
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:239
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1163
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Signature container.
Definition: detect.h:495
#define TRUE
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
#define DETECT_SSL_STATE_SERVER_KEYX
void * protoctx
Definition: flow.h:395
main detection engine ctx
Definition: detect.h:723
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void DetectSslStateRegister(void)
Registers the keyword handlers for the "ssl_state" keyword.
SSLv[2.0|3.[0|1|2|3]] state structure.
void * alstate
Definition: flow.h:433
#define DE_QUIET
Definition: detect.h:296
#define SIG_FLAG_TOCLIENT
Definition: detect.h:242
#define DETECT_SSL_STATE_SERVER_HELLO
#define PARSE_REGEX1
uint8_t flags
Definition: detect.h:724
Data structures and function prototypes for keeping state for the detection engine.
void(* Free)(void *)
Definition: detect.h:1154
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define DETECT_SSL_STATE_CLIENT_KEYX
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
uint32_t current_flags
#define SIG_FLAG_TOSERVER
Definition: detect.h:241
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
uint8_t flowflags
Definition: decode.h:437
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define STREAM_TOCLIENT
Definition: stream.h:32
#define FLOW_PKT_TOSERVER
Definition: flow.h:200
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint8_t type
Definition: detect.h:323
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
int DetectBufferTypeRegister(const char *name)
SigMatchCtx * ctx
Definition: detect.h:325
#define SCMalloc(a)
Definition: util-mem.h:166
#define SCFree(a)
Definition: util-mem.h:228
PoolThreadReserved res
uint16_t tx_id
#define DETECT_SSL_STATE_CLIENT_HELLO
#define PARSE_REGEX2
#define STREAM_START
Definition: stream.h:29
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
SCMutex m
Definition: flow-hash.h:105
PacketAlerts alerts
Definition: decode.h:555
#define DETECT_SSL_STATE_UNKNOWN
#define PKT_HAS_FLOW
Definition: decode.h:1092
#define MAX_SUBSTRINGS
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
uint16_t cnt
Definition: decode.h:291
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
Per thread variable structure.
Definition: threadvars.h:57
#define FLOW_PKT_TOCLIENT
Definition: flow.h:201
AppProto alproto
application level protocol
Definition: flow.h:404
uint32_t flags
Definition: decode.h:441
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Flow data structure.
Definition: flow.h:324
#define PKT_STREAM_EST
Definition: decode.h:1090
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
void(* RegisterTests)(void)
Definition: detect.h:1155
a single match condition for a signature
Definition: detect.h:322
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
DetectEngineCtx * DetectEngineCtxInit(void)