suricata
detect-ssl-state.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements support for ssl_state keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #include "app-layer.h"
47 #include "app-layer-parser.h"
48 
49 #include "detect-ssl-state.h"
50 
51 #include "stream-tcp.h"
52 #include "app-layer-ssl.h"
53 
54 #define PARSE_REGEX1 "^(!?)([_a-zA-Z0-9]+)(.*)$"
55 static pcre *parse_regex1;
56 static pcre_extra *parse_regex1_study;
57 
58 #define PARSE_REGEX2 "^(?:\\s*[|,]\\s*(!?)([_a-zA-Z0-9]+))(.*)$"
59 static pcre *parse_regex2;
60 static pcre_extra *parse_regex2_study;
61 
62 static int DetectSslStateMatch(DetectEngineThreadCtx *,
63  Flow *, uint8_t, void *, void *,
64  const Signature *, const SigMatchCtx *);
65 static int DetectSslStateSetup(DetectEngineCtx *, Signature *, const char *);
66 #ifdef UNITTESTS
67 static void DetectSslStateRegisterTests(void);
68 #endif
69 static void DetectSslStateFree(void *);
70 
71 static int InspectTlsGeneric(ThreadVars *tv,
72  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
73  const Signature *s, const SigMatchData *smd,
74  Flow *f, uint8_t flags, void *alstate,
75  void *txv, uint64_t tx_id);
76 
77 static int g_tls_generic_list_id = 0;
78 
79 /**
80  * \brief Registers the keyword handlers for the "ssl_state" keyword.
81  */
82 void DetectSslStateRegister(void)
83 {
84  sigmatch_table[DETECT_AL_SSL_STATE].name = "ssl_state";
85  sigmatch_table[DETECT_AL_SSL_STATE].desc = "match the state of the SSL connection";
86  sigmatch_table[DETECT_AL_SSL_STATE].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#ssl-state";
87  sigmatch_table[DETECT_AL_SSL_STATE].AppLayerTxMatch = DetectSslStateMatch;
88  sigmatch_table[DETECT_AL_SSL_STATE].Setup = DetectSslStateSetup;
89  sigmatch_table[DETECT_AL_SSL_STATE].Free = DetectSslStateFree;
90 #ifdef UNITTESTS
91  sigmatch_table[DETECT_AL_SSL_STATE].RegisterTests = DetectSslStateRegisterTests;
92 #endif
93  DetectSetupParseRegexes(PARSE_REGEX1, &parse_regex1, &parse_regex1_study);
94  DetectSetupParseRegexes(PARSE_REGEX2, &parse_regex2, &parse_regex2_study);
95 
96  g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
97 
98  DetectBufferTypeSetDescriptionByName("tls_generic",
99  "generic ssl/tls inspection");
100 
101  DetectAppLayerInspectEngineRegister("tls_generic",
102  ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
103  InspectTlsGeneric);
104  DetectAppLayerInspectEngineRegister("tls_generic",
105  ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
106  InspectTlsGeneric);
107 }
108 
109 static int InspectTlsGeneric(ThreadVars *tv,
110  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
111  const Signature *s, const SigMatchData *smd,
112  Flow *f, uint8_t flags, void *alstate,
113  void *txv, uint64_t tx_id)
114 {
115  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
116  f, flags, alstate, txv, tx_id);
117 }
118 
119 /**
120  * \brief App layer match function ssl_state keyword.
121  *
122  * \param tv Pointer to threadvars.
123  * \param det_ctx Pointer to the thread's detection context.
124  * \param f Pointer to the flow.
125  * \param flags Flags.
126  * \param state App layer state.
127  * \param s Sig we are currently inspecting.
128  * \param m SigMatch we are currently inspecting.
129  *
130  * \retval 1 Match.
131  * \retval 0 No match.
132  */
133 static int DetectSslStateMatch(DetectEngineThreadCtx *det_ctx,
134  Flow *f, uint8_t flags, void *alstate, void *txv,
135  const Signature *s, const SigMatchCtx *m)
136 {
137  const DetectSslStateData *ssd = (const DetectSslStateData *)m;
138  SSLState *ssl_state = (SSLState *)alstate;
139  if (ssl_state == NULL) {
140  SCLogDebug("no app state, no match");
141  return 0;
142  }
143 
144  uint32_t ssl_flags = ssl_state->current_flags;
145 
146  if ((ssd->flags & ssl_flags) ^ ssd->mask) {
147  return 1;
148  }
149 
150  return 0;
151 }
152 
153 /**
154  * \brief Parse the arg supplied with ssl_state and return it in a
155  * DetectSslStateData instance.
156  *
157  * \param arg Pointer to the string to be parsed.
158  *
159  * \retval ssd Pointer to DetectSslStateData on succese.
160  * \retval NULL On failure.
161  */
162 static DetectSslStateData *DetectSslStateParse(const char *arg)
163 {
164 #define MAX_SUBSTRINGS 30
165  int ret = 0, res = 0;
166  int ov1[MAX_SUBSTRINGS];
167  int ov2[MAX_SUBSTRINGS];
168  const char *str1;
169  const char *str2;
170  int negate = 0;
171  uint32_t flags = 0, mask = 0;
172  DetectSslStateData *ssd = NULL;
173 
174  ret = pcre_exec(parse_regex1, parse_regex1_study, arg, strlen(arg), 0, 0,
175  ov1, MAX_SUBSTRINGS);
176  if (ret < 1) {
177  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg \"%s\" supplied to "
178  "ssl_state keyword.", arg);
179  goto error;
180  }
181 
182  res = pcre_get_substring((char *)arg, ov1, MAX_SUBSTRINGS, 1, &str1);
183  if (res < 0) {
184  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
185  goto error;
186  }
187  negate = !strcmp("!", str1);
188  pcre_free_substring(str1);
189 
190  res = pcre_get_substring((char *)arg, ov1, MAX_SUBSTRINGS, 2, &str1);
191  if (res < 0) {
192  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
193  goto error;
194  }
195 
196  if (strcmp("client_hello", str1) == 0) {
197  flags |= DETECT_SSL_STATE_CLIENT_HELLO;
198  if (negate)
199  mask |= DETECT_SSL_STATE_CLIENT_HELLO;
200  } else if (strcmp("server_hello", str1) == 0) {
201  flags |= DETECT_SSL_STATE_SERVER_HELLO;
202  if (negate)
203  mask |= DETECT_SSL_STATE_SERVER_HELLO;
204  } else if (strcmp("client_keyx", str1) == 0) {
205  flags |= DETECT_SSL_STATE_CLIENT_KEYX;
206  if (negate)
207  mask |= DETECT_SSL_STATE_CLIENT_KEYX;
208  } else if (strcmp("server_keyx", str1) == 0) {
209  flags |= DETECT_SSL_STATE_SERVER_KEYX;
210  if (negate)
211  mask |= DETECT_SSL_STATE_SERVER_KEYX;
212  } else if (strcmp("unknown", str1) == 0) {
213  flags |= DETECT_SSL_STATE_UNKNOWN;
214  if (negate)
215  mask |= DETECT_SSL_STATE_UNKNOWN;
216  } else {
217  SCLogError(SC_ERR_INVALID_SIGNATURE, "Found invalid option \"%s\" "
218  "in ssl_state keyword.", str1);
219  goto error;
220  }
221 
222  pcre_free_substring(str1);
223 
224  res = pcre_get_substring((char *)arg, ov1, MAX_SUBSTRINGS, 3, &str1);
225  if (res < 0) {
226  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
227  goto error;
228  }
229  while (res > 0) {
230  ret = pcre_exec(parse_regex2, parse_regex2_study, str1, strlen(str1), 0, 0,
231  ov2, MAX_SUBSTRINGS);
232  if (ret < 1) {
233  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg \"%s\" supplied to "
234  "ssl_state keyword.", arg);
235  goto error;
236  }
237 
238  res = pcre_get_substring((char *)str1, ov2, MAX_SUBSTRINGS, 1, &str2);
239  if (res < 0) {
240  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
241  goto error;
242  }
243  negate = !strcmp("!", str2);
244  pcre_free_substring(str2);
245 
246  res = pcre_get_substring((char *)str1, ov2, MAX_SUBSTRINGS, 2, &str2);
247  if (res <= 0) {
248  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
249  goto error;
250  }
251  if (strcmp("client_hello", str2) == 0) {
252  flags |= DETECT_SSL_STATE_CLIENT_HELLO;
253  if (negate)
254  mask |= DETECT_SSL_STATE_CLIENT_HELLO;
255  } else if (strcmp("server_hello", str2) == 0) {
256  flags |= DETECT_SSL_STATE_SERVER_HELLO;
257  if (negate)
258  mask |= DETECT_SSL_STATE_SERVER_HELLO;
259  } else if (strcmp("client_keyx", str2) == 0) {
260  flags |= DETECT_SSL_STATE_CLIENT_KEYX;
261  if (negate)
262  mask |= DETECT_SSL_STATE_CLIENT_KEYX;
263  } else if (strcmp("server_keyx", str2) == 0) {
264  flags |= DETECT_SSL_STATE_SERVER_KEYX;
265  if (negate)
266  mask |= DETECT_SSL_STATE_SERVER_KEYX;
267  } else if (strcmp("unknown", str2) == 0) {
268  flags |= DETECT_SSL_STATE_UNKNOWN;
269  if (negate)
270  mask |= DETECT_SSL_STATE_UNKNOWN;
271  } else {
272  SCLogError(SC_ERR_INVALID_SIGNATURE, "Found invalid option \"%s\" "
273  "in ssl_state keyword.", str2);
274  goto error;
275  }
276 
277  res = pcre_get_substring((char *)str1, ov2, MAX_SUBSTRINGS, 3, &str2);
278  if (res < 0) {
279  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
280  goto error;
281  }
282 
283  pcre_free_substring(str1);
284  str1 = str2;
285  }
286  pcre_free_substring(str1);
287 
288  if ( (ssd = SCMalloc(sizeof(DetectSslStateData))) == NULL) {
289  goto error;
290  }
291  ssd->flags = flags;
292  ssd->mask = mask;
293 
294  return ssd;
295 
296 error:
297  return NULL;
298 }
299 
300  /**
301  * \internal
302  * \brief Setup function for ssl_state keyword.
303  *
304  * \param de_ctx Pointer to the Detection Engine Context.
305  * \param s Pointer to the Current Signature
306  * \param arg String holding the arg.
307  *
308  * \retval 0 On success.
309  * \retval -1 On failure.
310  */
311 static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
312 {
313  DetectSslStateData *ssd = NULL;
314  SigMatch *sm = NULL;
315 
316  if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
317  return -1;
318 
319  ssd = DetectSslStateParse(arg);
320  if (ssd == NULL)
321  goto error;
322 
323  sm = SigMatchAlloc();
324  if (sm == NULL)
325  goto error;
326 
327  sm->type = DETECT_AL_SSL_STATE;
328  sm->ctx = (SigMatchCtx*)ssd;
329 
330  SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
331  return 0;
332 
333 error:
334  if (ssd != NULL)
335  DetectSslStateFree(ssd);
336  if (sm != NULL)
337  SCFree(sm);
338  return -1;
339 }
340 
341 /**
342  * \brief Free memory associated with DetectSslStateData.
343  *
344  * \param ptr pointer to the data to be freed.
345  */
346 static void DetectSslStateFree(void *ptr)
347 {
348  if (ptr != NULL)
349  SCFree(ptr);
350 
351  return;
352 }
353 
354 #ifdef UNITTESTS
355 #include "tests/detect-ssl-state.c"
356 #endif
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
flags
uint16_t flags
Definition: app-layer-dns-common.h:269
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1460
SigMatchData_
Data needed for Match()
Definition: detect.h:327
SigTableElmt_::name
const char * name
Definition: detect.h:1200
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1518
Signature_
Signature container.
Definition: detect.h:522
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
DETECT_SSL_STATE_SERVER_KEYX
#define DETECT_SSL_STATE_SERVER_KEYX
Definition: detect-ssl-state.h:33
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
DetectSslStateRegister
void DetectSslStateRegister(void)
Registers the keyword handlers for the "ssl_state" keyword.
Definition: detect-ssl-state.c:82
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:226
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
DETECT_SSL_STATE_SERVER_HELLO
#define DETECT_SSL_STATE_SERVER_HELLO
Definition: detect-ssl-state.h:31
PARSE_REGEX1
#define PARSE_REGEX1
Definition: detect-ssl-state.c:54
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1191
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DETECT_SSL_STATE_CLIENT_KEYX
#define DETECT_SSL_STATE_CLIENT_KEYX
Definition: detect-ssl-state.h:32
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2388
SSLState_::current_flags
uint32_t current_flags
Definition: app-layer-ssl.h:244
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
SigMatch_::type
uint8_t type
Definition: detect.h:319
SigTableElmt_::desc
const char * desc
Definition: detect.h:1202
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:346
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:809
DetectSslStateData_::flags
uint32_t flags
Definition: detect-ssl-state.h:37
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
SCFree
#define SCFree(a)
Definition: util-mem.h:322
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
tx_id
uint16_t tx_id
Definition: app-layer-dns-common.h:268
DETECT_SSL_STATE_CLIENT_HELLO
#define DETECT_SSL_STATE_CLIENT_HELLO
Definition: detect-ssl-state.h:30
PARSE_REGEX2
#define PARSE_REGEX2
Definition: detect-ssl-state.c:58
SigTableElmt_::url
const char * url
Definition: detect.h:1203
DetectSslStateData_::mask
uint32_t mask
Definition: detect-ssl-state.h:38
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1173
m
SCMutex m
Definition: flow-hash.h:105
DETECT_SSL_STATE_UNKNOWN
#define DETECT_SSL_STATE_UNKNOWN
Definition: detect-ssl-state.h:34
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
DOC_URL
#define DOC_URL
Definition: suricata.h:86
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:881
DetectSslStateData_
Definition: detect-ssl-state.h:36
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:1003
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
Flow_
Flow data structure.
Definition: flow.h:325
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:170
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1192
SigMatch_
a single match condition for a signature
Definition: detect.h:318