suricata
detect-ssl-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file detect-ssl-version.c
20  *
21  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
22  *
23  * Implements the ssl_version keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #include "app-layer.h"
47 #include "app-layer-parser.h"
48 
49 #include "detect-ssl-version.h"
50 
51 #include "stream-tcp.h"
52 #include "app-layer-ssl.h"
53 
54 /**
55  * \brief Regex for parsing "id" option, matching number or "number"
56  */
57 #define PARSE_REGEX "^\\s*(!?[A-z0-9.]+)\\s*,?\\s*(!?[A-z0-9.]+)?\\s*\\,?\\s*" \
58  "(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*$"
59 
60 static pcre *parse_regex;
61 static pcre_extra *parse_regex_study;
62 
63 static int DetectSslVersionMatch(ThreadVars *, DetectEngineThreadCtx *,
64  Flow *, uint8_t, void *, void *,
65  const Signature *, const SigMatchCtx *);
66 static int DetectSslVersionSetup(DetectEngineCtx *, Signature *, const char *);
67 #ifdef UNITTESTS
68 static void DetectSslVersionRegisterTests(void);
69 #endif
70 static void DetectSslVersionFree(void *);
71 static int g_tls_generic_list_id = 0;
72 
73 /**
74  * \brief Registration function for keyword: ssl_version
75  */
76 void DetectSslVersionRegister(void)
77 {
78  sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version";
79  sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch;
80  sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup;
81  sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree;
82 #ifdef UNITTESTS
83  sigmatch_table[DETECT_AL_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests;
84 #endif
85  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
86 
87  g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
88 }
89 
90 /**
91  * \brief match the specified version on a ssl session
92  *
93  * \param t pointer to thread vars
94  * \param det_ctx pointer to the pattern matcher thread
95  * \param p pointer to the current packet
96  * \param m pointer to the sigmatch that we will cast into DetectSslVersionData
97  *
98  * \retval 0 no match
99  * \retval 1 match
100  */
101 static int DetectSslVersionMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
102  Flow *f, uint8_t flags, void *state, void *txv,
103  const Signature *s, const SigMatchCtx *m)
104 {
105  SCEnter();
106 
107  int ret = 0;
108  uint16_t ver = 0;
109  uint8_t sig_ver = TLS_UNKNOWN;
110 
111  const DetectSslVersionData *ssl = (const DetectSslVersionData *)m;
112  SSLState *app_state = (SSLState *)state;
113  if (app_state == NULL) {
114  SCLogDebug("no app state, no match");
115  SCReturnInt(0);
116  }
117 
118  if (flags & STREAM_TOCLIENT) {
119  SCLogDebug("server (toclient) version is 0x%02X",
120  app_state->server_connp.version);
121  ver = app_state->server_connp.version;
122  } else if (flags & STREAM_TOSERVER) {
123  SCLogDebug("client (toserver) version is 0x%02X",
124  app_state->client_connp.version);
125  ver = app_state->client_connp.version;
126  }
127 
128  switch (ver) {
129  case SSL_VERSION_2:
130  if (ver == ssl->data[SSLv2].ver)
131  ret = 1;
132  sig_ver = SSLv2;
133  break;
134  case SSL_VERSION_3:
135  if (ver == ssl->data[SSLv3].ver)
136  ret = 1;
137  sig_ver = SSLv3;
138  break;
139  case TLS_VERSION_10:
140  if (ver == ssl->data[TLS10].ver)
141  ret = 1;
142  sig_ver = TLS10;
143  break;
144  case TLS_VERSION_11:
145  if (ver == ssl->data[TLS11].ver)
146  ret = 1;
147  sig_ver = TLS11;
148  break;
149  case TLS_VERSION_12:
150  if (ver == ssl->data[TLS12].ver)
151  ret = 1;
152  sig_ver = TLS12;
153  break;
154  case TLS_VERSION_13_DRAFT28:
155  case TLS_VERSION_13_DRAFT27:
156  case TLS_VERSION_13_DRAFT26:
157  case TLS_VERSION_13_DRAFT25:
158  case TLS_VERSION_13_DRAFT24:
159  case TLS_VERSION_13_DRAFT23:
160  case TLS_VERSION_13_DRAFT22:
161  case TLS_VERSION_13_DRAFT21:
162  case TLS_VERSION_13_DRAFT20:
163  case TLS_VERSION_13_DRAFT19:
164  case TLS_VERSION_13_DRAFT18:
165  case TLS_VERSION_13_DRAFT17:
166  case TLS_VERSION_13_DRAFT16:
167  case TLS_VERSION_13_PRE_DRAFT16:
168  if (((ver >> 8) & 0xff) == 0x7f)
169  ver = TLS_VERSION_13;
170  /* fall through */
171  case TLS_VERSION_13:
172  if (ver == ssl->data[TLS13].ver)
173  ret = 1;
174  sig_ver = TLS13;
175  break;
176  }
177 
178  if (sig_ver == TLS_UNKNOWN)
179  SCReturnInt(0);
180 
181  SCReturnInt(ret ^ ((ssl->data[sig_ver].flags & DETECT_SSL_VERSION_NEGATED) ? 1 : 0));
182 }
183 
184 /**
185  * \brief This function is used to parse ssl_version data passed via
186  * keyword: "ssl_version"
187  *
188  * \param str Pointer to the user provided options
189  *
190  * \retval ssl pointer to DetectSslVersionData on success
191  * \retval NULL on failure
192  */
193 static DetectSslVersionData *DetectSslVersionParse(const char *str)
194 {
195  DetectSslVersionData *ssl = NULL;
196  #define MAX_SUBSTRINGS 30
197  int ret = 0, res = 0;
198  int ov[MAX_SUBSTRINGS];
199 
200  ret = pcre_exec(parse_regex, parse_regex_study, str, strlen(str), 0, 0,
201  ov, MAX_SUBSTRINGS);
202 
203  if (ret < 1 || ret > 5) {
204  SCLogError(SC_ERR_PCRE_MATCH, "invalid ssl_version option");
205  goto error;
206  }
207 
208  if (ret > 1) {
209  const char *str_ptr;
210  char *orig;
211  uint8_t found = 0, neg = 0;
212  char *tmp_str;
213 
214  /* We have a correct ssl_version options */
215  ssl = SCCalloc(1, sizeof (DetectSslVersionData));
216  if (unlikely(ssl == NULL))
217  goto error;
218 
219  int i;
220  for (i = 1; i < ret; i++) {
221  res = pcre_get_substring((char *) str, ov, MAX_SUBSTRINGS, i, &str_ptr);
222  if (res < 0) {
223  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
224  if (found == 0)
225  goto error;
226  break;
227  }
228 
229  orig = SCStrdup((char*) str_ptr);
230  if (unlikely(orig == NULL)) {
231  goto error;
232  }
233  tmp_str = orig;
234 
235  /* Let's see if we need to scape "'s */
236  if (tmp_str[0] == '"') {
237  tmp_str[strlen(tmp_str) - 1] = '\0';
238  tmp_str += 1;
239  }
240 
241 
242  if (tmp_str[0] == '!') {
243  neg = 1;
244  tmp_str++;
245  }
246 
247  if (strcasecmp("sslv2", tmp_str) == 0) {
248  ssl->data[SSLv2].ver = SSL_VERSION_2;
249  if (neg == 1)
250  ssl->data[SSLv2].flags |= DETECT_SSL_VERSION_NEGATED;
251  } else if (strcasecmp("sslv3", tmp_str) == 0) {
252  ssl->data[SSLv3].ver = SSL_VERSION_3;
253  if (neg == 1)
254  ssl->data[SSLv3].flags |= DETECT_SSL_VERSION_NEGATED;
255  } else if (strcasecmp("tls1.0", tmp_str) == 0) {
256  ssl->data[TLS10].ver = TLS_VERSION_10;
257  if (neg == 1)
258  ssl->data[TLS10].flags |= DETECT_SSL_VERSION_NEGATED;
259  } else if (strcasecmp("tls1.1", tmp_str) == 0) {
260  ssl->data[TLS11].ver = TLS_VERSION_11;
261  if (neg == 1)
262  ssl->data[TLS11].flags |= DETECT_SSL_VERSION_NEGATED;
263  } else if (strcasecmp("tls1.2", tmp_str) == 0) {
264  ssl->data[TLS12].ver = TLS_VERSION_12;
265  if (neg == 1)
266  ssl->data[TLS12].flags |= DETECT_SSL_VERSION_NEGATED;
267  } else if (strcasecmp("tls1.3", tmp_str) == 0) {
268  ssl->data[TLS13].ver = TLS_VERSION_13;
269  if (neg == 1)
270  ssl->data[TLS13].flags |= DETECT_SSL_VERSION_NEGATED;
271  } else if (strcmp(tmp_str, "") == 0) {
272  SCFree(orig);
273  if (found == 0)
274  goto error;
275  break;
276  } else {
277  SCLogError(SC_ERR_INVALID_VALUE, "Invalid value");
278  SCFree(orig);
279  goto error;
280  }
281 
282  found = 1;
283  neg = 0;
284  SCFree(orig);
285  pcre_free_substring(str_ptr);
286  }
287  }
288 
289  return ssl;
290 
291 error:
292  if (ssl != NULL)
293  DetectSslVersionFree(ssl);
294  return NULL;
295 
296 }
297 
298 /**
299  * \brief this function is used to add the parsed "id" option
300  * \brief into the current signature
301  *
302  * \param de_ctx pointer to the Detection Engine Context
303  * \param s pointer to the Current Signature
304  * \param idstr pointer to the user provided "id" option
305  *
306  * \retval 0 on Success
307  * \retval -1 on Failure
308  */
309 static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
310 {
311  DetectSslVersionData *ssl = NULL;
312  SigMatch *sm = NULL;
313 
314  if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
315  return -1;
316 
317  ssl = DetectSslVersionParse(str);
318  if (ssl == NULL)
319  goto error;
320 
321  /* Okay so far so good, lets get this into a SigMatch
322  * and put it in the Signature. */
323  sm = SigMatchAlloc();
324  if (sm == NULL)
325  goto error;
326 
327  sm->type = DETECT_AL_SSL_VERSION;
328  sm->ctx = (void *)ssl;
329 
330  SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
331  return 0;
332 
333 error:
334  if (ssl != NULL)
335  DetectSslVersionFree(ssl);
336  if (sm != NULL)
337  SCFree(sm);
338  return -1;
339 }
340 
341 /**
342  * \brief this function will free memory associated with DetectSslVersionData
343  *
344  * \param id_d pointer to DetectSslVersionData
345  */
346 void DetectSslVersionFree(void *ptr)
347 {
348  if (ptr != NULL)
349  SCFree(ptr);
350 }
351 
352 #ifdef UNITTESTS
353 #include "tests/detect-ssl-version.c"
354 #endif
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1409
flags
uint16_t flags
Definition: app-layer-dns-common.h:246
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1150
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1136
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1392
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing "id" option, matching number or "number".
Definition: detect-ssl-version.c:57
SSLVersionData_::ver
uint16_t ver
Definition: detect-ssl-version.h:43
SSLStateConnp_::version
uint16_t version
Definition: app-layer-ssl.h:182
SSLVersionData_::flags
uint8_t flags
Definition: detect-ssl-version.h:44
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:249
DetectSslVersionRegister
void DetectSslVersionRegister(void)
Registration function for keyword: ssl_version.
Definition: detect-ssl-version.c:76
SigTableElmt_::name
const char * name
Definition: detect.h:1164
Signature_
Signature container.
Definition: detect.h:496
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:724
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:226
str
#define str(s)
Definition: suricata-common.h:258
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:197
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1155
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2302
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SigMatch_::type
uint8_t type
Definition: detect.h:323
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
DETECT_SSL_VERSION_NEGATED
#define DETECT_SSL_VERSION_NEGATED
Definition: detect-ssl-version.h:28
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:654
DetectSslVersionData_::data
SSLVersionData data[TLS_SIZE]
Definition: detect-ssl-version.h:48
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:325
SCFree
#define SCFree(a)
Definition: util-mem.h:228
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
m
SCMutex m
Definition: flow-hash.h:105
DetectSslVersionData_
Definition: detect-ssl-version.h:47
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:212
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:966
Flow_
Flow data structure.
Definition: flow.h:325
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:248
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1156
SigMatch_
a single match condition for a signature
Definition: detect.h:322