suricata
detect-ssl-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file detect-ssl-version.c
20  *
21  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
22  *
23  * Implements the ssl_version keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #include "app-layer.h"
47 #include "app-layer-parser.h"
48 
49 #include "detect-ssl-version.h"
50 
51 #include "stream-tcp.h"
52 #include "app-layer-ssl.h"
53 
54 /**
55  * \brief Regex for parsing "id" option, matching number or "number"
56  */
57 #define PARSE_REGEX "^\\s*(!?[A-z0-9.]+)\\s*,?\\s*(!?[A-z0-9.]+)?\\s*\\,?\\s*" \
58  "(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*$"
59 
60 static DetectParseRegex parse_regex;
61 
62 static int DetectSslVersionMatch(DetectEngineThreadCtx *,
63  Flow *, uint8_t, void *, void *,
64  const Signature *, const SigMatchCtx *);
65 static int DetectSslVersionSetup(DetectEngineCtx *, Signature *, const char *);
66 #ifdef UNITTESTS
67 static void DetectSslVersionRegisterTests(void);
68 #endif
69 static void DetectSslVersionFree(DetectEngineCtx *, void *);
70 static int g_tls_generic_list_id = 0;
71 
72 /**
73  * \brief Registration function for keyword: ssl_version
74  */
75 void DetectSslVersionRegister(void)
76 {
77  sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version";
78  sigmatch_table[DETECT_AL_SSL_VERSION].desc = "match version of SSL/TLS record";
79  sigmatch_table[DETECT_AL_SSL_VERSION].url = "/rules/tls-keywords.html#ssl-version";
80  sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch;
81  sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup;
82  sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree;
83 #ifdef UNITTESTS
84  sigmatch_table[DETECT_AL_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests;
85 #endif
86  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
87 
88  g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
89 }
90 
91 /**
92  * \brief match the specified version on a ssl session
93  *
94  * \param t pointer to thread vars
95  * \param det_ctx pointer to the pattern matcher thread
96  * \param p pointer to the current packet
97  * \param m pointer to the sigmatch that we will cast into DetectSslVersionData
98  *
99  * \retval 0 no match
100  * \retval 1 match
101  */
102 static int DetectSslVersionMatch(DetectEngineThreadCtx *det_ctx,
103  Flow *f, uint8_t flags, void *state, void *txv,
104  const Signature *s, const SigMatchCtx *m)
105 {
106  SCEnter();
107 
108  int ret = 0;
109  uint16_t ver = 0;
110  uint8_t sig_ver = TLS_UNKNOWN;
111 
112  const DetectSslVersionData *ssl = (const DetectSslVersionData *)m;
113  SSLState *app_state = (SSLState *)state;
114  if (app_state == NULL) {
115  SCLogDebug("no app state, no match");
116  SCReturnInt(0);
117  }
118 
119  if (flags & STREAM_TOCLIENT) {
120  SCLogDebug("server (toclient) version is 0x%02X",
121  app_state->server_connp.version);
122  ver = app_state->server_connp.version;
123  } else if (flags & STREAM_TOSERVER) {
124  SCLogDebug("client (toserver) version is 0x%02X",
125  app_state->client_connp.version);
126  ver = app_state->client_connp.version;
127  }
128 
129  switch (ver) {
130  case SSL_VERSION_2:
131  if (ver == ssl->data[SSLv2].ver)
132  ret = 1;
133  sig_ver = SSLv2;
134  break;
135  case SSL_VERSION_3:
136  if (ver == ssl->data[SSLv3].ver)
137  ret = 1;
138  sig_ver = SSLv3;
139  break;
140  case TLS_VERSION_10:
141  if (ver == ssl->data[TLS10].ver)
142  ret = 1;
143  sig_ver = TLS10;
144  break;
145  case TLS_VERSION_11:
146  if (ver == ssl->data[TLS11].ver)
147  ret = 1;
148  sig_ver = TLS11;
149  break;
150  case TLS_VERSION_12:
151  if (ver == ssl->data[TLS12].ver)
152  ret = 1;
153  sig_ver = TLS12;
154  break;
155  case TLS_VERSION_13_DRAFT28:
156  case TLS_VERSION_13_DRAFT27:
157  case TLS_VERSION_13_DRAFT26:
158  case TLS_VERSION_13_DRAFT25:
159  case TLS_VERSION_13_DRAFT24:
160  case TLS_VERSION_13_DRAFT23:
161  case TLS_VERSION_13_DRAFT22:
162  case TLS_VERSION_13_DRAFT21:
163  case TLS_VERSION_13_DRAFT20:
164  case TLS_VERSION_13_DRAFT19:
165  case TLS_VERSION_13_DRAFT18:
166  case TLS_VERSION_13_DRAFT17:
167  case TLS_VERSION_13_DRAFT16:
168  case TLS_VERSION_13_PRE_DRAFT16:
169  if (((ver >> 8) & 0xff) == 0x7f)
170  ver = TLS_VERSION_13;
171  /* fall through */
172  case TLS_VERSION_13:
173  if (ver == ssl->data[TLS13].ver)
174  ret = 1;
175  sig_ver = TLS13;
176  break;
177  }
178 
179  if (sig_ver == TLS_UNKNOWN)
180  SCReturnInt(0);
181 
182  SCReturnInt(ret ^ ((ssl->data[sig_ver].flags & DETECT_SSL_VERSION_NEGATED) ? 1 : 0));
183 }
184 
185 /**
186  * \brief This function is used to parse ssl_version data passed via
187  * keyword: "ssl_version"
188  *
189  * \param de_ctx Pointer to the detection engine context
190  * \param str Pointer to the user provided options
191  *
192  * \retval ssl pointer to DetectSslVersionData on success
193  * \retval NULL on failure
194  */
195 static DetectSslVersionData *DetectSslVersionParse(DetectEngineCtx *de_ctx, const char *str)
196 {
197  DetectSslVersionData *ssl = NULL;
198  int ret = 0, res = 0;
199  int ov[MAX_SUBSTRINGS];
200 
201  ret = DetectParsePcreExec(&parse_regex, str, 0, 0, ov, MAX_SUBSTRINGS);
202  if (ret < 1 || ret > 5) {
203  SCLogError(SC_ERR_PCRE_MATCH, "invalid ssl_version option");
204  goto error;
205  }
206 
207  if (ret > 1) {
208  uint8_t found = 0, neg = 0;
209  char *tmp_str;
210 
211  /* We have a correct ssl_version options */
212  ssl = SCCalloc(1, sizeof (DetectSslVersionData));
213  if (unlikely(ssl == NULL))
214  goto error;
215 
216  int i;
217  for (i = 1; i < ret; i++) {
218  char ver_ptr[64];
219  res = pcre_copy_substring((char *) str, ov, MAX_SUBSTRINGS, i, ver_ptr, sizeof(ver_ptr));
220  if (res < 0) {
221  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
222  if (found == 0)
223  goto error;
224  break;
225  }
226 
227  tmp_str = ver_ptr;
228 
229  /* Let's see if we need to scape "'s */
230  if (tmp_str[0] == '"') {
231  tmp_str[strlen(tmp_str) - 1] = '\0';
232  tmp_str += 1;
233  }
234 
235 
236  if (tmp_str[0] == '!') {
237  neg = 1;
238  tmp_str++;
239  }
240 
241  if (strcasecmp("sslv2", tmp_str) == 0) {
242  ssl->data[SSLv2].ver = SSL_VERSION_2;
243  if (neg == 1)
244  ssl->data[SSLv2].flags |= DETECT_SSL_VERSION_NEGATED;
245  } else if (strcasecmp("sslv3", tmp_str) == 0) {
246  ssl->data[SSLv3].ver = SSL_VERSION_3;
247  if (neg == 1)
248  ssl->data[SSLv3].flags |= DETECT_SSL_VERSION_NEGATED;
249  } else if (strcasecmp("tls1.0", tmp_str) == 0) {
250  ssl->data[TLS10].ver = TLS_VERSION_10;
251  if (neg == 1)
252  ssl->data[TLS10].flags |= DETECT_SSL_VERSION_NEGATED;
253  } else if (strcasecmp("tls1.1", tmp_str) == 0) {
254  ssl->data[TLS11].ver = TLS_VERSION_11;
255  if (neg == 1)
256  ssl->data[TLS11].flags |= DETECT_SSL_VERSION_NEGATED;
257  } else if (strcasecmp("tls1.2", tmp_str) == 0) {
258  ssl->data[TLS12].ver = TLS_VERSION_12;
259  if (neg == 1)
260  ssl->data[TLS12].flags |= DETECT_SSL_VERSION_NEGATED;
261  } else if (strcasecmp("tls1.3", tmp_str) == 0) {
262  ssl->data[TLS13].ver = TLS_VERSION_13;
263  if (neg == 1)
264  ssl->data[TLS13].flags |= DETECT_SSL_VERSION_NEGATED;
265  } else if (strcmp(tmp_str, "") == 0) {
266  if (found == 0)
267  goto error;
268  break;
269  } else {
270  SCLogError(SC_ERR_INVALID_VALUE, "Invalid value");
271  goto error;
272  }
273 
274  found = 1;
275  neg = 0;
276  }
277  }
278 
279  return ssl;
280 
281 error:
282  if (ssl != NULL)
283  DetectSslVersionFree(de_ctx, ssl);
284  return NULL;
285 
286 }
287 
288 /**
289  * \brief this function is used to add the parsed "id" option
290  * \brief into the current signature
291  *
292  * \param de_ctx pointer to the Detection Engine Context
293  * \param s pointer to the Current Signature
294  * \param idstr pointer to the user provided "id" option
295  *
296  * \retval 0 on Success
297  * \retval -1 on Failure
298  */
299 static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
300 {
301  DetectSslVersionData *ssl = NULL;
302  SigMatch *sm = NULL;
303 
304  if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
305  return -1;
306 
307  ssl = DetectSslVersionParse(de_ctx, str);
308  if (ssl == NULL)
309  goto error;
310 
311  /* Okay so far so good, lets get this into a SigMatch
312  * and put it in the Signature. */
313  sm = SigMatchAlloc();
314  if (sm == NULL)
315  goto error;
316 
317  sm->type = DETECT_AL_SSL_VERSION;
318  sm->ctx = (void *)ssl;
319 
320  SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
321  return 0;
322 
323 error:
324  if (ssl != NULL)
325  DetectSslVersionFree(de_ctx, ssl);
326  if (sm != NULL)
327  SCFree(sm);
328  return -1;
329 }
330 
331 /**
332  * \brief this function will free memory associated with DetectSslVersionData
333  *
334  * \param id_d pointer to DetectSslVersionData
335  */
336 void DetectSslVersionFree(DetectEngineCtx *de_ctx, void *ptr)
337 {
338  if (ptr != NULL)
339  SCFree(ptr);
340 }
341 
342 #ifdef UNITTESTS
343 #include "tests/detect-ssl-version.c"
344 #endif
SSLv2
@ SSLv2
Definition: detect-ssl-version.h:31
SigTableElmt_::url
const char * url
Definition: detect.h:1213
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1475
SSLv3
@ SSLv3
Definition: detect-ssl-version.h:32
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:233
TLS10
@ TLS10
Definition: detect-ssl-version.h:33
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1212
TLS_VERSION_13_DRAFT27
@ TLS_VERSION_13_DRAFT27
Definition: app-layer-ssl.h:152
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
TLS_UNKNOWN
@ TLS_UNKNOWN
Definition: detect-ssl-version.h:39
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1210
TLS_VERSION_13_DRAFT25
@ TLS_VERSION_13_DRAFT25
Definition: app-layer-ssl.h:154
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:250
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
TLS_VERSION_13_DRAFT28
@ TLS_VERSION_13_DRAFT28
Definition: app-layer-ssl.h:151
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:251
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
TLS_VERSION_13_DRAFT18
@ TLS_VERSION_13_DRAFT18
Definition: app-layer-ssl.h:161
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
TLS_VERSION_13_DRAFT19
@ TLS_VERSION_13_DRAFT19
Definition: app-layer-ssl.h:160
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1181
TLS12
@ TLS12
Definition: detect-ssl-version.h:35
TLS_VERSION_13_DRAFT21
@ TLS_VERSION_13_DRAFT21
Definition: app-layer-ssl.h:158
m
SCMutex m
Definition: flow-hash.h:6
detect-ssl-version.c
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
SSLVersionData_::flags
uint8_t flags
Definition: detect-ssl-version.h:44
util-unittest.h
util-unittest-helper.h
TLS_VERSION_13_DRAFT16
@ TLS_VERSION_13_DRAFT16
Definition: app-layer-ssl.h:163
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
TLS_VERSION_13_DRAFT20
@ TLS_VERSION_13_DRAFT20
Definition: app-layer-ssl.h:159
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing "id" option, matching number or "number".
Definition: detect-ssl-version.c:57
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2476
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
DetectSslVersionData_
Definition: detect-ssl-version.h:47
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
SSL_VERSION_2
@ SSL_VERSION_2
Definition: app-layer-ssl.h:145
TLS_VERSION_13_DRAFT17
@ TLS_VERSION_13_DRAFT17
Definition: app-layer-ssl.h:162
TLS_VERSION_11
@ TLS_VERSION_11
Definition: app-layer-ssl.h:148
TLS_VERSION_13_DRAFT26
@ TLS_VERSION_13_DRAFT26
Definition: app-layer-ssl.h:153
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2406
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
TLS_VERSION_13_DRAFT23
@ TLS_VERSION_13_DRAFT23
Definition: app-layer-ssl.h:156
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
detect-ssl-version.h
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:836
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectSslVersionData_::data
SSLVersionData data[TLS_SIZE]
Definition: detect-ssl-version.h:48
TLS13
@ TLS13
Definition: detect-ssl-version.h:36
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
TLS_VERSION_12
@ TLS_VERSION_12
Definition: app-layer-ssl.h:149
TLS_VERSION_13
@ TLS_VERSION_13
Definition: app-layer-ssl.h:150
DETECT_AL_SSL_VERSION
@ DETECT_AL_SSL_VERSION
Definition: detect-engine-register.h:168
str
#define str(s)
Definition: suricata-common.h:273
TLS_VERSION_13_PRE_DRAFT16
@ TLS_VERSION_13_PRE_DRAFT16
Definition: app-layer-ssl.h:164
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
TLS_VERSION_10
@ TLS_VERSION_10
Definition: app-layer-ssl.h:147
SSL_VERSION_3
@ SSL_VERSION_3
Definition: app-layer-ssl.h:146
DetectSslVersionRegister
void DetectSslVersionRegister(void)
Registration function for keyword: ssl_version.
Definition: detect-ssl-version.c:75
SSLVersionData_::ver
uint16_t ver
Definition: detect-ssl-version.h:43
flow.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
DETECT_SSL_VERSION_NEGATED
#define DETECT_SSL_VERSION_NEGATED
Definition: detect-ssl-version.h:28
flow-var.h
app-layer-ssl.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
TLS11
@ TLS11
Definition: detect-ssl-version.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1202
TLS_VERSION_13_DRAFT24
@ TLS_VERSION_13_DRAFT24
Definition: app-layer-ssl.h:155
app-layer.h
TLS_VERSION_13_DRAFT22
@ TLS_VERSION_13_DRAFT22
Definition: app-layer-ssl.h:157
SSLStateConnp_::version
uint16_t version
Definition: app-layer-ssl.h:189