suricata
detect-ssl-state.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements support for ssl_state keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #include "app-layer.h"
47 #include "app-layer-parser.h"
48 
49 #include "detect-ssl-state.h"
50 
51 #include "stream-tcp.h"
52 #include "app-layer-ssl.h"
53 
54 #define PARSE_REGEX1 "^(!?)([_a-zA-Z0-9]+)(.*)$"
55 static pcre *parse_regex1;
56 static pcre_extra *parse_regex1_study;
57 
58 #define PARSE_REGEX2 "^(?:\\s*[|,]\\s*(!?)([_a-zA-Z0-9]+))(.*)$"
59 static pcre *parse_regex2;
60 static pcre_extra *parse_regex2_study;
61 
62 static int DetectSslStateMatch(ThreadVars *, DetectEngineThreadCtx *,
63  Flow *, uint8_t, void *, void *,
64  const Signature *, const SigMatchCtx *);
65 static int DetectSslStateSetup(DetectEngineCtx *, Signature *, const char *);
66 #ifdef UNITTESTS
67 static void DetectSslStateRegisterTests(void);
68 #endif
69 static void DetectSslStateFree(void *);
70 
71 static int InspectTlsGeneric(ThreadVars *tv,
72  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
73  const Signature *s, const SigMatchData *smd,
74  Flow *f, uint8_t flags, void *alstate,
75  void *txv, uint64_t tx_id);
76 
77 static int g_tls_generic_list_id = 0;
78 
79 /**
80  * \brief Registers the keyword handlers for the "ssl_state" keyword.
81  */
82 void DetectSslStateRegister(void)
83 {
84  sigmatch_table[DETECT_AL_SSL_STATE].name = "ssl_state";
85  sigmatch_table[DETECT_AL_SSL_STATE].AppLayerTxMatch = DetectSslStateMatch;
86  sigmatch_table[DETECT_AL_SSL_STATE].Setup = DetectSslStateSetup;
87  sigmatch_table[DETECT_AL_SSL_STATE].Free = DetectSslStateFree;
88 #ifdef UNITTESTS
89  sigmatch_table[DETECT_AL_SSL_STATE].RegisterTests = DetectSslStateRegisterTests;
90 #endif
91  DetectSetupParseRegexes(PARSE_REGEX1, &parse_regex1, &parse_regex1_study);
92  DetectSetupParseRegexes(PARSE_REGEX2, &parse_regex2, &parse_regex2_study);
93 
94  g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
95 
96  DetectBufferTypeSetDescriptionByName("tls_generic",
97  "generic ssl/tls inspection");
98 
99  DetectAppLayerInspectEngineRegister("tls_generic",
100  ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
101  InspectTlsGeneric);
102  DetectAppLayerInspectEngineRegister("tls_generic",
103  ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
104  InspectTlsGeneric);
105 }
106 
107 static int InspectTlsGeneric(ThreadVars *tv,
108  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
109  const Signature *s, const SigMatchData *smd,
110  Flow *f, uint8_t flags, void *alstate,
111  void *txv, uint64_t tx_id)
112 {
113  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
114  f, flags, alstate, txv, tx_id);
115 }
116 
117 /**
118  * \brief App layer match function ssl_state keyword.
119  *
120  * \param tv Pointer to threadvars.
121  * \param det_ctx Pointer to the thread's detection context.
122  * \param f Pointer to the flow.
123  * \param flags Flags.
124  * \param state App layer state.
125  * \param s Sig we are currently inspecting.
126  * \param m SigMatch we are currently inspecting.
127  *
128  * \retval 1 Match.
129  * \retval 0 No match.
130  */
131 static int DetectSslStateMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
132  Flow *f, uint8_t flags, void *alstate, void *txv,
133  const Signature *s, const SigMatchCtx *m)
134 {
135  const DetectSslStateData *ssd = (const DetectSslStateData *)m;
136  SSLState *ssl_state = (SSLState *)alstate;
137  if (ssl_state == NULL) {
138  SCLogDebug("no app state, no match");
139  return 0;
140  }
141 
142  uint32_t ssl_flags = ssl_state->current_flags;
143 
144  if ((ssd->flags & ssl_flags) ^ ssd->mask) {
145  return 1;
146  }
147 
148  return 0;
149 }
150 
151 /**
152  * \brief Parse the arg supplied with ssl_state and return it in a
153  * DetectSslStateData instance.
154  *
155  * \param arg Pointer to the string to be parsed.
156  *
157  * \retval ssd Pointer to DetectSslStateData on succese.
158  * \retval NULL On failure.
159  */
160 static DetectSslStateData *DetectSslStateParse(const char *arg)
161 {
162 #define MAX_SUBSTRINGS 30
163  int ret = 0, res = 0;
164  int ov1[MAX_SUBSTRINGS];
165  int ov2[MAX_SUBSTRINGS];
166  const char *str1;
167  const char *str2;
168  int negate = 0;
169  uint32_t flags = 0, mask = 0;
170  DetectSslStateData *ssd = NULL;
171 
172  ret = pcre_exec(parse_regex1, parse_regex1_study, arg, strlen(arg), 0, 0,
173  ov1, MAX_SUBSTRINGS);
174  if (ret < 1) {
175  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg \"%s\" supplied to "
176  "ssl_state keyword.", arg);
177  goto error;
178  }
179 
180  res = pcre_get_substring((char *)arg, ov1, MAX_SUBSTRINGS, 1, &str1);
181  if (res < 0) {
182  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
183  goto error;
184  }
185  negate = !strcmp("!", str1);
186  pcre_free_substring(str1);
187 
188  res = pcre_get_substring((char *)arg, ov1, MAX_SUBSTRINGS, 2, &str1);
189  if (res < 0) {
190  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
191  goto error;
192  }
193 
194  if (strcmp("client_hello", str1) == 0) {
195  flags |= DETECT_SSL_STATE_CLIENT_HELLO;
196  if (negate)
197  mask |= DETECT_SSL_STATE_CLIENT_HELLO;
198  } else if (strcmp("server_hello", str1) == 0) {
199  flags |= DETECT_SSL_STATE_SERVER_HELLO;
200  if (negate)
201  mask |= DETECT_SSL_STATE_SERVER_HELLO;
202  } else if (strcmp("client_keyx", str1) == 0) {
203  flags |= DETECT_SSL_STATE_CLIENT_KEYX;
204  if (negate)
205  mask |= DETECT_SSL_STATE_CLIENT_KEYX;
206  } else if (strcmp("server_keyx", str1) == 0) {
207  flags |= DETECT_SSL_STATE_SERVER_KEYX;
208  if (negate)
209  mask |= DETECT_SSL_STATE_SERVER_KEYX;
210  } else if (strcmp("unknown", str1) == 0) {
211  flags |= DETECT_SSL_STATE_UNKNOWN;
212  if (negate)
213  mask |= DETECT_SSL_STATE_UNKNOWN;
214  } else {
215  SCLogError(SC_ERR_INVALID_SIGNATURE, "Found invalid option \"%s\" "
216  "in ssl_state keyword.", str1);
217  goto error;
218  }
219 
220  pcre_free_substring(str1);
221 
222  res = pcre_get_substring((char *)arg, ov1, MAX_SUBSTRINGS, 3, &str1);
223  if (res < 0) {
224  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
225  goto error;
226  }
227  while (res > 0) {
228  ret = pcre_exec(parse_regex2, parse_regex2_study, str1, strlen(str1), 0, 0,
229  ov2, MAX_SUBSTRINGS);
230  if (ret < 1) {
231  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg \"%s\" supplied to "
232  "ssl_state keyword.", arg);
233  goto error;
234  }
235 
236  res = pcre_get_substring((char *)str1, ov2, MAX_SUBSTRINGS, 1, &str2);
237  if (res < 0) {
238  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
239  goto error;
240  }
241  negate = !strcmp("!", str2);
242  pcre_free_substring(str2);
243 
244  res = pcre_get_substring((char *)str1, ov2, MAX_SUBSTRINGS, 2, &str2);
245  if (res <= 0) {
246  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
247  goto error;
248  }
249  if (strcmp("client_hello", str2) == 0) {
250  flags |= DETECT_SSL_STATE_CLIENT_HELLO;
251  if (negate)
252  mask |= DETECT_SSL_STATE_CLIENT_HELLO;
253  } else if (strcmp("server_hello", str2) == 0) {
254  flags |= DETECT_SSL_STATE_SERVER_HELLO;
255  if (negate)
256  mask |= DETECT_SSL_STATE_SERVER_HELLO;
257  } else if (strcmp("client_keyx", str2) == 0) {
258  flags |= DETECT_SSL_STATE_CLIENT_KEYX;
259  if (negate)
260  mask |= DETECT_SSL_STATE_CLIENT_KEYX;
261  } else if (strcmp("server_keyx", str2) == 0) {
262  flags |= DETECT_SSL_STATE_SERVER_KEYX;
263  if (negate)
264  mask |= DETECT_SSL_STATE_SERVER_KEYX;
265  } else if (strcmp("unknown", str2) == 0) {
266  flags |= DETECT_SSL_STATE_UNKNOWN;
267  if (negate)
268  mask |= DETECT_SSL_STATE_UNKNOWN;
269  } else {
270  SCLogError(SC_ERR_INVALID_SIGNATURE, "Found invalid option \"%s\" "
271  "in ssl_state keyword.", str2);
272  goto error;
273  }
274 
275  res = pcre_get_substring((char *)str1, ov2, MAX_SUBSTRINGS, 3, &str2);
276  if (res < 0) {
277  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
278  goto error;
279  }
280 
281  pcre_free_substring(str1);
282  str1 = str2;
283  }
284  pcre_free_substring(str1);
285 
286  if ( (ssd = SCMalloc(sizeof(DetectSslStateData))) == NULL) {
287  goto error;
288  }
289  ssd->flags = flags;
290  ssd->mask = mask;
291 
292  return ssd;
293 
294 error:
295  return NULL;
296 }
297 
298  /**
299  * \internal
300  * \brief Setup function for ssl_state keyword.
301  *
302  * \param de_ctx Pointer to the Detection Engine Context.
303  * \param s Pointer to the Current Signature
304  * \param arg String holding the arg.
305  *
306  * \retval 0 On success.
307  * \retval -1 On failure.
308  */
309 static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
310 {
311  DetectSslStateData *ssd = NULL;
312  SigMatch *sm = NULL;
313 
314  if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
315  return -1;
316 
317  ssd = DetectSslStateParse(arg);
318  if (ssd == NULL)
319  goto error;
320 
321  sm = SigMatchAlloc();
322  if (sm == NULL)
323  goto error;
324 
325  sm->type = DETECT_AL_SSL_STATE;
326  sm->ctx = (SigMatchCtx*)ssd;
327 
328  SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
329  return 0;
330 
331 error:
332  if (ssd != NULL)
333  DetectSslStateFree(ssd);
334  if (sm != NULL)
335  SCFree(sm);
336  return -1;
337 }
338 
339 /**
340  * \brief Free memory associated with DetectSslStateData.
341  *
342  * \param ptr pointer to the data to be freed.
343  */
344 static void DetectSslStateFree(void *ptr)
345 {
346  if (ptr != NULL)
347  SCFree(ptr);
348 
349  return;
350 }
351 
352 #ifdef UNITTESTS
353 #include "tests/detect-ssl-state.c"
354 #endif
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1431
flags
uint16_t flags
Definition: app-layer-dns-common.h:269
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1170
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1156
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1401
SigMatchData_
Data needed for Match()
Definition: detect.h:332
SigTableElmt_::name
const char * name
Definition: detect.h:1184
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1342
Signature_
Signature container.
Definition: detect.h:514
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:318
DETECT_SSL_STATE_SERVER_KEYX
#define DETECT_SSL_STATE_SERVER_KEYX
Definition: detect-ssl-state.h:33
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:743
DetectSslStateRegister
void DetectSslStateRegister(void)
Registers the keyword handlers for the "ssl_state" keyword.
Definition: detect-ssl-state.c:82
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:226
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:243
DETECT_SSL_STATE_SERVER_HELLO
#define DETECT_SSL_STATE_SERVER_HELLO
Definition: detect-ssl-state.h:31
PARSE_REGEX1
#define PARSE_REGEX1
Definition: detect-ssl-state.c:54
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1175
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DETECT_SSL_STATE_CLIENT_KEYX
#define DETECT_SSL_STATE_CLIENT_KEYX
Definition: detect-ssl-state.h:32
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2311
SSLState_::current_flags
uint32_t current_flags
Definition: app-layer-ssl.h:244
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:242
SigMatch_::type
uint8_t type
Definition: detect.h:324
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:652
DetectSslStateData_::flags
uint32_t flags
Definition: detect-ssl-state.h:37
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:326
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:166
SCFree
#define SCFree(a)
Definition: util-mem.h:228
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
tx_id
uint16_t tx_id
Definition: app-layer-dns-common.h:268
DETECT_SSL_STATE_CLIENT_HELLO
#define DETECT_SSL_STATE_CLIENT_HELLO
Definition: detect-ssl-state.h:30
PARSE_REGEX2
#define PARSE_REGEX2
Definition: detect-ssl-state.c:58
DetectSslStateData_::mask
uint32_t mask
Definition: detect-ssl-state.h:38
m
SCMutex m
Definition: flow-hash.h:105
DETECT_SSL_STATE_UNKNOWN
#define DETECT_SSL_STATE_UNKNOWN
Definition: detect-ssl-state.h:34
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:724
DetectSslStateData_
Definition: detect-ssl-state.h:36
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:986
Flow_
Flow data structure.
Definition: flow.h:325
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:127
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1176
SigMatch_
a single match condition for a signature
Definition: detect.h:323