1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements support for ssl_state keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #include "app-layer.h"
47 #include "app-layer-parser.h"
48 
49 #include "detect-ssl-state.h"
50 
51 #include "stream-tcp.h"
52 #include "app-layer-ssl.h"
53 
/* Argument grammar for ssl_state: group 1 is an optional leading '!'
 * (negation), group 2 one state name made of [_a-zA-Z0-9], group 3 the
 * still-unparsed remainder of the argument. */
#define PARSE_REGEX1 "^(!?)([_a-zA-Z0-9]+)(.*)$"
static DetectParseRegex parse_regex1;

/* Re-run on the remainder captured by PARSE_REGEX1: a '|' or ',' separator
 * (optional surrounding whitespace), then the same optional '!' and state
 * name, and again the rest of the string in group 3. */
#define PARSE_REGEX2 "^(?:\\s*[|,]\\s*(!?)([_a-zA-Z0-9]+))(.*)$"
static DetectParseRegex parse_regex2;

/* Keyword callbacks wired into sigmatch_table by DetectSslStateRegister(). */
static int DetectSslStateMatch(DetectEngineThreadCtx *,
        Flow *, uint8_t, void *, void *,
        const Signature *, const SigMatchCtx *);
static int DetectSslStateSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectSslStateRegisterTests(void);
#endif
static void DetectSslStateFree(DetectEngineCtx *, void *);

/* Inspection-engine callback for the "tls_generic" buffer; registered for
 * both traffic directions in DetectSslStateRegister(). */
static int InspectTlsGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
        uint8_t flags, void *alstate, void *txv, uint64_t tx_id);

/* List id handed back by DetectBufferTypeRegister("tls_generic"); the
 * sigmatch built in DetectSslStateSetup() is appended to this list. */
static int g_tls_generic_list_id = 0;
74 
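/**
 * \brief Registers the keyword handlers for the "ssl_state" keyword.
 *
 * Fills the sigmatch_table slot for DETECT_AL_SSL_STATE, compiles the two
 * argument regexes, and registers the "tls_generic" inspection buffer plus
 * its engine for both traffic directions.
 *
 * NOTE(review): the rendered listing this was taken from dropped the lines
 * holding the function signature, the `.name` assignment and the three
 * registration calls. They are restored here from the page's own
 * cross-reference index (DetectSslStateRegister, SigTableElmt_::name,
 * DetectBufferTypeSetDescriptionByName, DetectAppLayerInspectEngineRegister2);
 * verify against the original detect-ssl-state.c.
 */
void DetectSslStateRegister(void)
{
    sigmatch_table[DETECT_AL_SSL_STATE].name = "ssl_state";
    sigmatch_table[DETECT_AL_SSL_STATE].desc = "match the state of the SSL connection";
    sigmatch_table[DETECT_AL_SSL_STATE].url = "/rules/tls-keywords.html#ssl-state";
    sigmatch_table[DETECT_AL_SSL_STATE].AppLayerTxMatch = DetectSslStateMatch;
    sigmatch_table[DETECT_AL_SSL_STATE].Setup = DetectSslStateSetup;
    sigmatch_table[DETECT_AL_SSL_STATE].Free = DetectSslStateFree;
#ifdef UNITTESTS
    sigmatch_table[DETECT_AL_SSL_STATE].RegisterTests = DetectSslStateRegisterTests;
#endif
    DetectSetupParseRegexes(PARSE_REGEX1, &parse_regex1);
    DetectSetupParseRegexes(PARSE_REGEX2, &parse_regex2);

    g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");

    DetectBufferTypeSetDescriptionByName("tls_generic",
            "generic ssl/tls inspection");

    /* The 0 is the engine's `progress` argument; presumably the lowest
     * parser progress, so the keyword is evaluated from the first TLS
     * record onwards -- confirm against DetectAppLayerInspectEngineRegister2. */
    DetectAppLayerInspectEngineRegister2(
            "tls_generic", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, InspectTlsGeneric, NULL);
    DetectAppLayerInspectEngineRegister2(
            "tls_generic", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0, InspectTlsGeneric, NULL);
}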
102 
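/**
 * \brief Inspection-engine callback for the "tls_generic" buffer.
 *
 * Thin adapter: hands the engine's sigmatch list (engine->smd) to the
 * generic list inspector, which runs each keyword's AppLayerTxMatch.
 *
 * NOTE(review): the rendered listing dropped the line holding the call
 * itself; `return DetectEngineInspectGenericList(` is restored from the
 * page's cross-reference for DetectEngineInspectGenericList, whose parameter
 * list matches the arguments on the following line. Verify against the
 * original file.
 *
 * \retval The result of DetectEngineInspectGenericList().
 */
static int InspectTlsGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
        uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
{
    return DetectEngineInspectGenericList(
            de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
}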
110 
/**
 * \brief App layer match function for the ssl_state keyword.
 *
 * \param det_ctx Thread detection context (unused here).
 * \param f Flow being inspected (unused here).
 * \param flags Direction/inspection flags (unused here).
 * \param alstate TLS app-layer state: an SSLState, or NULL when none exists.
 * \param txv Transaction (unused here).
 * \param s Signature being inspected (unused here).
 * \param m SigMatch context, actually a DetectSslStateData.
 *
 * NOTE(review): with several options the test behaves as "any", not "all":
 * as long as one requested state is present, or one negated state absent,
 * the XOR below is non-zero. This assumes every bit in ssd->mask is also
 * set in ssd->flags, as the parser's `if (negate) mask |= ...` pattern
 * suggests -- confirm against DetectSslStateParse.
 *
 * \retval 1 Match.
 * \retval 0 No match, or no app-layer state.
 */
static int DetectSslStateMatch(DetectEngineThreadCtx *det_ctx,
        Flow *f, uint8_t flags, void *alstate, void *txv,
        const Signature *s, const SigMatchCtx *m)
{
    const SSLState *tls = (const SSLState *)alstate;
    if (tls == NULL) {
        SCLogDebug("no app state, no match");
        return 0;
    }

    const DetectSslStateData *ssd = (const DetectSslStateData *)m;
    const uint32_t seen = tls->current_flags;

    /* Keep only the states the rule asked about, then flip the bits of the
     * negated ones; any surviving bit is a match. */
    const uint32_t verdict = (ssd->flags & seen) ^ ssd->mask;
    return verdict != 0;
}
144 
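/**
 * \brief Accepted ssl_state option names and the state bit each stands for.
 *
 * NOTE(review): the rendered listing this file was taken from dropped the
 * `flags |= DETECT_SSL_STATE_...;` / `mask |= DETECT_SSL_STATE_...;` lines
 * of the original if/else chain (only `mask |= DETECT_SSL_STATE_UNKNOWN;`
 * survived). The pairing below follows that surviving pattern and the
 * page's cross-reference index of the DETECT_SSL_STATE_* macros; verify
 * against the original detect-ssl-state.c.
 */
static const struct {
    const char *name;
    uint32_t bit;
} ssl_state_options[] = {
    { "client_hello", DETECT_SSL_STATE_CLIENT_HELLO },
    { "server_hello", DETECT_SSL_STATE_SERVER_HELLO },
    { "client_keyx",  DETECT_SSL_STATE_CLIENT_KEYX },
    { "server_keyx",  DETECT_SSL_STATE_SERVER_KEYX },
    { "unknown",      DETECT_SSL_STATE_UNKNOWN },
};

/**
 * \internal
 * \brief Apply one parsed option to the flags/mask pair.
 *
 * Every option sets its bit in \a flags; a negated option ("!name") also
 * sets it in \a mask, which DetectSslStateMatch() XORs against the
 * observed state.
 *
 * \param name   Option name as written in the rule, without the '!'.
 * \param negate Non-zero if the option carried a leading '!'.
 * \param flags  In/out: accumulated state bits.
 * \param mask   In/out: accumulated negation bits.
 *
 * \retval 0 Known option applied.
 * \retval -1 Unknown option; an error has been logged.
 */
static int DetectSslStateApplyOption(const char *name, int negate,
        uint32_t *flags, uint32_t *mask)
{
    for (size_t i = 0; i < sizeof(ssl_state_options) / sizeof(ssl_state_options[0]); i++) {
        if (strcmp(ssl_state_options[i].name, name) != 0)
            continue;
        *flags |= ssl_state_options[i].bit;
        if (negate)
            *mask |= ssl_state_options[i].bit;
        return 0;
    }

    SCLogError(SC_ERR_INVALID_SIGNATURE, "Found invalid option \"%s\" "
            "in ssl_state keyword.", name);
    return -1;
}

/**
 * \internal
 * \brief Copy capture group \a group of the last match on \a regex into
 *        \a buf, logging on failure.
 *
 * The copy is bounded by \a buflen: pcre2 returns a negative code for a
 * substring that does not fit, so an over-long rule argument is rejected
 * rather than truncated or written past the buffer.
 *
 * \retval 0 Copied (NUL-terminated).
 * \retval -1 pcre2 reported an error; an error has been logged.
 */
static int DetectSslStateCopyGroup(DetectParseRegex *regex, uint32_t group,
        char *buf, size_t buflen)
{
    size_t pcre2len = buflen;
    int res = pcre2_substring_copy_bynumber(regex->match, group, (PCRE2_UCHAR8 *)buf, &pcre2len);
    if (res < 0) {
        SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre2_substring_copy_bynumber failed");
        return -1;
    }
    return 0;
}

/**
 * \brief Parse the arg supplied with ssl_state and return it in a
 *        DetectSslStateData instance.
 *
 * Grammar: `[!]state( [|,] [!]state)*`, where state is one of the names in
 * ssl_state_options. The first option is matched with parse_regex1; each
 * further one by re-running parse_regex2 on the remainder (capture group 3)
 * until nothing is left.
 *
 * \param arg Pointer to the string to be parsed.
 *
 * \retval ssd Pointer to DetectSslStateData on success; the caller owns it
 *             and releases it with DetectSslStateFree().
 * \retval NULL On failure (an error has been logged).
 */
static DetectSslStateData *DetectSslStateParse(const char *arg)
{
    /* Fixed-size scratch buffers as in the original; a capture that does
     * not fit makes DetectSslStateCopyGroup() fail instead of overflowing. */
    char rest[64];
    char opt[64];
    uint32_t flags = 0, mask = 0;

    if (DetectParsePcreExec(&parse_regex1, arg, 0, 0) < 1) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg \"%s\" supplied to "
                "ssl_state keyword.", arg);
        return NULL;
    }

    /* group 1: optional '!'; group 2: option name; group 3: remainder */
    if (DetectSslStateCopyGroup(&parse_regex1, 1, opt, sizeof(opt)) < 0)
        return NULL;
    int negate = !strcmp("!", opt);

    if (DetectSslStateCopyGroup(&parse_regex1, 2, opt, sizeof(opt)) < 0)
        return NULL;
    if (DetectSslStateApplyOption(opt, negate, &flags, &mask) < 0)
        return NULL;

    if (DetectSslStateCopyGroup(&parse_regex1, 3, rest, sizeof(rest)) < 0)
        return NULL;

    while (rest[0] != '\0') {
        if (DetectParsePcreExec(&parse_regex2, rest, 0, 0) < 1) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg \"%s\" supplied to "
                    "ssl_state keyword.", arg);
            return NULL;
        }

        if (DetectSslStateCopyGroup(&parse_regex2, 1, opt, sizeof(opt)) < 0)
            return NULL;
        negate = !strcmp("!", opt);

        if (DetectSslStateCopyGroup(&parse_regex2, 2, opt, sizeof(opt)) < 0)
            return NULL;
        if (DetectSslStateApplyOption(opt, negate, &flags, &mask) < 0)
            return NULL;

        /* group 3 of parse_regex2 is the input of the next iteration */
        if (DetectSslStateCopyGroup(&parse_regex2, 3, rest, sizeof(rest)) < 0)
            return NULL;
    }

    DetectSslStateData *ssd = SCMalloc(sizeof(*ssd));
    if (ssd == NULL)
        return NULL;
    ssd->flags = flags;
    ssd->mask = mask;
    return ssd;
}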
287 
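/**
 * \internal
 * \brief Setup function for ssl_state keyword.
 *
 * Pins the signature to ALPROTO_TLS, parses \a arg into a
 * DetectSslStateData and appends a DETECT_AL_SSL_STATE sigmatch to the
 * signature's "tls_generic" list.
 *
 * NOTE(review): the rendered listing dropped two lines of this function:
 * the app-proto check in front of the bare `return -1;`, and the `sm->type`
 * assignment in front of `sm->ctx`. Both are restored from the page's
 * cross-reference index (DetectSignatureSetAppProto, SigMatch_::type);
 * verify against the original file.
 *
 * \param de_ctx Pointer to the Detection Engine Context.
 * \param s Pointer to the Current Signature
 * \param arg String holding the arg.
 *
 * \retval 0 On success.
 * \retval -1 On failure; nothing allocated here is left behind.
 */
static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    DetectSslStateData *ssd = NULL;
    SigMatch *sm = NULL;

    /* Presumably fails when the signature is already bound to another
     * app-layer protocol -- confirm in DetectSignatureSetAppProto. */
    if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
        return -1;

    ssd = DetectSslStateParse(arg);
    if (ssd == NULL)
        goto error;

    sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;

    sm->type = DETECT_AL_SSL_STATE;
    sm->ctx = (SigMatchCtx *)ssd;

    /* ownership of ssd and sm passes to the signature here */
    SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
    return 0;

error:
    if (ssd != NULL)
        DetectSslStateFree(de_ctx, ssd);
    if (sm != NULL)
        SCFree(sm);
    return -1;
}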
328 
/**
 * \brief Free memory associated with DetectSslStateData.
 *
 * \param de_ctx Detection engine context (unused).
 * \param ptr Pointer to the data to be freed; NULL is accepted and ignored.
 */
static void DetectSslStateFree(DetectEngineCtx *de_ctx, void *ptr)
{
    if (ptr == NULL)
        return;
    SCFree(ptr);
}
341 
342 #ifdef UNITTESTS
343 #include "tests/detect-ssl-state.c"
344 #endif