/* Pattern for the first ssl_state option, anchored at both ends:
 *   group 1 - an optional "!" (empty when absent),
 *   group 2 - the option name, limited to letters, digits and underscore,
 *   group 3 - everything after the name (may be empty).
 * The character class in group 2 is the only filtering the pattern applies to
 * the name; group 3 is unconstrained and has to be validated by whatever
 * consumes it. */
53 #define PARSE_REGEX1 "^(!?)([_a-zA-Z0-9]+)(.*)$"
/* Pattern for a follow-on option: a mandatory '|' or ',' separator with
 * optional whitespace on either side (non-capturing), then the same three
 * groups as PARSE_REGEX1 - optional "!", option name, remaining text.
 * NOTE(review): presumably applied repeatedly to the remainder left by the
 * previous match - confirm against the parse loop. */
56 #define PARSE_REGEX2 "^(?:\\s*[|,]\\s*(!?)([_a-zA-Z0-9]+))(.*)$"
60 Flow *, uint8_t,
void *,
void *,
64 static void DetectSslStateRegisterTests(
void);
68 static int g_tls_generic_list_id = 0;
90 "generic ssl/tls inspection");
113 Flow *f, uint8_t
flags,
void *alstate,
void *txv,
118 if (ssl_state == NULL) {
125 if ((ssd->
flags & ssl_flags) ^ ssd->
mask) {
147 uint32_t
flags = 0, mask = 0;
150 pcre2_match_data *match = NULL;
154 "ssl_state keyword.",
159 pcre2len =
sizeof(str1);
160 int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)str1, &pcre2len);
162 SCLogError(
"pcre2_substring_copy_bynumber failed");
165 negate = !strcmp(
"!", str1);
167 pcre2len =
sizeof(str1);
168 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)str1, &pcre2len);
170 SCLogError(
"pcre2_substring_copy_bynumber failed");
174 if (strcmp(
"client_hello", str1) == 0) {
178 }
else if (strcmp(
"server_hello", str1) == 0) {
182 }
else if (strcmp(
"client_keyx", str1) == 0) {
186 }
else if (strcmp(
"server_keyx", str1) == 0) {
190 }
else if (strcmp(
"unknown", str1) == 0) {
196 "in ssl_state keyword.",
201 pcre2len =
sizeof(str1);
202 res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)str1, &pcre2len);
204 SCLogError(
"pcre2_substring_copy_bynumber failed");
207 while (res >= 0 && strlen(str1) > 0) {
208 pcre2_match_data *match2 = NULL;
212 "ssl_state keyword.",
215 pcre2_match_data_free(match2);
220 pcre2len =
sizeof(str2);
221 res = pcre2_substring_copy_bynumber(match2, 1, (PCRE2_UCHAR8 *)str2, &pcre2len);
223 SCLogError(
"pcre2_substring_copy_bynumber failed");
224 pcre2_match_data_free(match2);
227 negate = !strcmp(
"!", str2);
229 pcre2len =
sizeof(str2);
230 res = pcre2_substring_copy_bynumber(match2, 2, (PCRE2_UCHAR8 *)str2, &pcre2len);
232 SCLogError(
"pcre2_substring_copy_bynumber failed");
233 pcre2_match_data_free(match2);
236 if (strcmp(
"client_hello", str2) == 0) {
240 }
else if (strcmp(
"server_hello", str2) == 0) {
244 }
else if (strcmp(
"client_keyx", str2) == 0) {
248 }
else if (strcmp(
"server_keyx", str2) == 0) {
252 }
else if (strcmp(
"unknown", str2) == 0) {
258 "in ssl_state keyword.",
260 pcre2_match_data_free(match2);
264 pcre2len =
sizeof(str2);
265 res = pcre2_substring_copy_bynumber(match2, 3, (PCRE2_UCHAR8 *)str2, &pcre2len);
267 SCLogError(
"pcre2_substring_copy_bynumber failed");
268 pcre2_match_data_free(match2);
272 memcpy(str1, str2,
sizeof(str1));
273 pcre2_match_data_free(match2);
282 pcre2_match_data_free(match);
287 pcre2_match_data_free(match);
310 ssd = DetectSslStateParse(arg);
315 g_tls_generic_list_id) == NULL) {
322 DetectSslStateFree(
de_ctx, ssd);
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
SSLv[2.0|3.[0|1|2|3]] state structure.
SigTableElmt * sigmatch_table
void(* Free)(DetectEngineCtx *, void *)
#define DETECT_SSL_STATE_CLIENT_HELLO
main detection engine ctx
#define DETECT_SSL_STATE_UNKNOWN
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
#define SIG_FLAG_TOCLIENT
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define SIG_FLAG_TOSERVER
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void DetectSslStateRegister(void)
Registers the keyword handlers for the "ssl_state" keyword.
Data structures and function prototypes for keeping state for the detection engine.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
int DetectBufferTypeRegister(const char *name)
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
#define DETECT_SSL_STATE_SERVER_KEYX
#define SCLogError(...)
Macro used to log ERROR messages.
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
#define DETECT_SSL_STATE_CLIENT_KEYX
void(* RegisterTests)(void)
#define DETECT_SSL_STATE_SERVER_HELLO