suricata
detect-ssl-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file detect-ssl-version.c
20  *
21  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
22  *
23  * Implements the ssl_version keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #include "app-layer.h"
47 #include "app-layer-parser.h"
48 
49 #include "detect-ssl-version.h"
50 
51 #include "stream-tcp.h"
52 #include "app-layer-ssl.h"
53 
54 /**
55  * \brief Regex for parsing "id" option, matching number or "number"
56  */
57 #define PARSE_REGEX "^\\s*(!?[A-z0-9.]+)\\s*,?\\s*(!?[A-z0-9.]+)?\\s*\\,?\\s*" \
58  "(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*$"
59 
60 static pcre *parse_regex;
61 static pcre_extra *parse_regex_study;
62 
63 static int DetectSslVersionMatch(DetectEngineThreadCtx *,
64  Flow *, uint8_t, void *, void *,
65  const Signature *, const SigMatchCtx *);
66 static int DetectSslVersionSetup(DetectEngineCtx *, Signature *, const char *);
67 #ifdef UNITTESTS
68 static void DetectSslVersionRegisterTests(void);
69 #endif
70 static void DetectSslVersionFree(void *);
71 static int g_tls_generic_list_id = 0;
72 
73 /**
74  * \brief Registration function for keyword: ssl_version
75  */
76 void DetectSslVersionRegister(void)
77 {
78  sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version";
79  sigmatch_table[DETECT_AL_SSL_VERSION].desc = "match version of SSL/TLS record";
80  sigmatch_table[DETECT_AL_SSL_VERSION].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#ssl-version";
81  sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch;
82  sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup;
83  sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree;
84 #ifdef UNITTESTS
85  sigmatch_table[DETECT_AL_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests;
86 #endif
87  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
88 
89  g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
90 }
91 
92 /**
93  * \brief match the specified version on a ssl session
94  *
95  * \param t pointer to thread vars
96  * \param det_ctx pointer to the pattern matcher thread
97  * \param p pointer to the current packet
98  * \param m pointer to the sigmatch that we will cast into DetectSslVersionData
99  *
100  * \retval 0 no match
101  * \retval 1 match
102  */
103 static int DetectSslVersionMatch(DetectEngineThreadCtx *det_ctx,
104  Flow *f, uint8_t flags, void *state, void *txv,
105  const Signature *s, const SigMatchCtx *m)
106 {
107  SCEnter();
108 
109  int ret = 0;
110  uint16_t ver = 0;
111  uint8_t sig_ver = TLS_UNKNOWN;
112 
113  const DetectSslVersionData *ssl = (const DetectSslVersionData *)m;
114  SSLState *app_state = (SSLState *)state;
115  if (app_state == NULL) {
116  SCLogDebug("no app state, no match");
117  SCReturnInt(0);
118  }
119 
120  if (flags & STREAM_TOCLIENT) {
121  SCLogDebug("server (toclient) version is 0x%02X",
122  app_state->server_connp.version);
123  ver = app_state->server_connp.version;
124  } else if (flags & STREAM_TOSERVER) {
125  SCLogDebug("client (toserver) version is 0x%02X",
126  app_state->client_connp.version);
127  ver = app_state->client_connp.version;
128  }
129 
130  switch (ver) {
131  case SSL_VERSION_2:
132  if (ver == ssl->data[SSLv2].ver)
133  ret = 1;
134  sig_ver = SSLv2;
135  break;
136  case SSL_VERSION_3:
137  if (ver == ssl->data[SSLv3].ver)
138  ret = 1;
139  sig_ver = SSLv3;
140  break;
141  case TLS_VERSION_10:
142  if (ver == ssl->data[TLS10].ver)
143  ret = 1;
144  sig_ver = TLS10;
145  break;
146  case TLS_VERSION_11:
147  if (ver == ssl->data[TLS11].ver)
148  ret = 1;
149  sig_ver = TLS11;
150  break;
151  case TLS_VERSION_12:
152  if (ver == ssl->data[TLS12].ver)
153  ret = 1;
154  sig_ver = TLS12;
155  break;
156  case TLS_VERSION_13_DRAFT28:
157  case TLS_VERSION_13_DRAFT27:
158  case TLS_VERSION_13_DRAFT26:
159  case TLS_VERSION_13_DRAFT25:
160  case TLS_VERSION_13_DRAFT24:
161  case TLS_VERSION_13_DRAFT23:
162  case TLS_VERSION_13_DRAFT22:
163  case TLS_VERSION_13_DRAFT21:
164  case TLS_VERSION_13_DRAFT20:
165  case TLS_VERSION_13_DRAFT19:
166  case TLS_VERSION_13_DRAFT18:
167  case TLS_VERSION_13_DRAFT17:
168  case TLS_VERSION_13_DRAFT16:
169  case TLS_VERSION_13_PRE_DRAFT16:
170  if (((ver >> 8) & 0xff) == 0x7f)
171  ver = TLS_VERSION_13;
172  /* fall through */
173  case TLS_VERSION_13:
174  if (ver == ssl->data[TLS13].ver)
175  ret = 1;
176  sig_ver = TLS13;
177  break;
178  }
179 
180  if (sig_ver == TLS_UNKNOWN)
181  SCReturnInt(0);
182 
183  SCReturnInt(ret ^ ((ssl->data[sig_ver].flags & DETECT_SSL_VERSION_NEGATED) ? 1 : 0));
184 }
185 
186 /**
187  * \brief This function is used to parse ssl_version data passed via
188  * keyword: "ssl_version"
189  *
190  * \param str Pointer to the user provided options
191  *
192  * \retval ssl pointer to DetectSslVersionData on success
193  * \retval NULL on failure
194  */
195 static DetectSslVersionData *DetectSslVersionParse(const char *str)
196 {
197  DetectSslVersionData *ssl = NULL;
198  #define MAX_SUBSTRINGS 30
199  int ret = 0, res = 0;
200  int ov[MAX_SUBSTRINGS];
201 
202  ret = pcre_exec(parse_regex, parse_regex_study, str, strlen(str), 0, 0,
203  ov, MAX_SUBSTRINGS);
204 
205  if (ret < 1 || ret > 5) {
206  SCLogError(SC_ERR_PCRE_MATCH, "invalid ssl_version option");
207  goto error;
208  }
209 
210  if (ret > 1) {
211  const char *str_ptr;
212  char *orig;
213  uint8_t found = 0, neg = 0;
214  char *tmp_str;
215 
216  /* We have a correct ssl_version options */
217  ssl = SCCalloc(1, sizeof (DetectSslVersionData));
218  if (unlikely(ssl == NULL))
219  goto error;
220 
221  int i;
222  for (i = 1; i < ret; i++) {
223  res = pcre_get_substring((char *) str, ov, MAX_SUBSTRINGS, i, &str_ptr);
224  if (res < 0) {
225  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
226  if (found == 0)
227  goto error;
228  break;
229  }
230 
231  orig = SCStrdup((char*) str_ptr);
232  if (unlikely(orig == NULL)) {
233  goto error;
234  }
235  tmp_str = orig;
236 
237  /* Let's see if we need to scape "'s */
238  if (tmp_str[0] == '"') {
239  tmp_str[strlen(tmp_str) - 1] = '\0';
240  tmp_str += 1;
241  }
242 
243 
244  if (tmp_str[0] == '!') {
245  neg = 1;
246  tmp_str++;
247  }
248 
249  if (strcasecmp("sslv2", tmp_str) == 0) {
250  ssl->data[SSLv2].ver = SSL_VERSION_2;
251  if (neg == 1)
252  ssl->data[SSLv2].flags |= DETECT_SSL_VERSION_NEGATED;
253  } else if (strcasecmp("sslv3", tmp_str) == 0) {
254  ssl->data[SSLv3].ver = SSL_VERSION_3;
255  if (neg == 1)
256  ssl->data[SSLv3].flags |= DETECT_SSL_VERSION_NEGATED;
257  } else if (strcasecmp("tls1.0", tmp_str) == 0) {
258  ssl->data[TLS10].ver = TLS_VERSION_10;
259  if (neg == 1)
260  ssl->data[TLS10].flags |= DETECT_SSL_VERSION_NEGATED;
261  } else if (strcasecmp("tls1.1", tmp_str) == 0) {
262  ssl->data[TLS11].ver = TLS_VERSION_11;
263  if (neg == 1)
264  ssl->data[TLS11].flags |= DETECT_SSL_VERSION_NEGATED;
265  } else if (strcasecmp("tls1.2", tmp_str) == 0) {
266  ssl->data[TLS12].ver = TLS_VERSION_12;
267  if (neg == 1)
268  ssl->data[TLS12].flags |= DETECT_SSL_VERSION_NEGATED;
269  } else if (strcasecmp("tls1.3", tmp_str) == 0) {
270  ssl->data[TLS13].ver = TLS_VERSION_13;
271  if (neg == 1)
272  ssl->data[TLS13].flags |= DETECT_SSL_VERSION_NEGATED;
273  } else if (strcmp(tmp_str, "") == 0) {
274  SCFree(orig);
275  if (found == 0)
276  goto error;
277  break;
278  } else {
279  SCLogError(SC_ERR_INVALID_VALUE, "Invalid value");
280  SCFree(orig);
281  goto error;
282  }
283 
284  found = 1;
285  neg = 0;
286  SCFree(orig);
287  pcre_free_substring(str_ptr);
288  }
289  }
290 
291  return ssl;
292 
293 error:
294  if (ssl != NULL)
295  DetectSslVersionFree(ssl);
296  return NULL;
297 
298 }
299 
300 /**
301  * \brief this function is used to add the parsed "id" option
302  * \brief into the current signature
303  *
304  * \param de_ctx pointer to the Detection Engine Context
305  * \param s pointer to the Current Signature
306  * \param idstr pointer to the user provided "id" option
307  *
308  * \retval 0 on Success
309  * \retval -1 on Failure
310  */
311 static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
312 {
313  DetectSslVersionData *ssl = NULL;
314  SigMatch *sm = NULL;
315 
316  if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
317  return -1;
318 
319  ssl = DetectSslVersionParse(str);
320  if (ssl == NULL)
321  goto error;
322 
323  /* Okay so far so good, lets get this into a SigMatch
324  * and put it in the Signature. */
325  sm = SigMatchAlloc();
326  if (sm == NULL)
327  goto error;
328 
329  sm->type = DETECT_AL_SSL_VERSION;
330  sm->ctx = (void *)ssl;
331 
332  SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
333  return 0;
334 
335 error:
336  if (ssl != NULL)
337  DetectSslVersionFree(ssl);
338  if (sm != NULL)
339  SCFree(sm);
340  return -1;
341 }
342 
343 /**
344  * \brief this function will free memory associated with DetectSslVersionData
345  *
346  * \param id_d pointer to DetectSslVersionData
347  */
348 void DetectSslVersionFree(void *ptr)
349 {
350  if (ptr != NULL)
351  SCFree(ptr);
352 }
353 
354 #ifdef UNITTESTS
355 #include "tests/detect-ssl-version.c"
356 #endif
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
flags
uint16_t flags
Definition: app-layer-dns-common.h:269
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1460
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing "id" option, matching number or "number".
Definition: detect-ssl-version.c:57
SSLVersionData_::ver
uint16_t ver
Definition: detect-ssl-version.h:43
SSLStateConnp_::version
uint16_t version
Definition: app-layer-ssl.h:182
SSLVersionData_::flags
uint8_t flags
Definition: detect-ssl-version.h:44
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:249
DetectSslVersionRegister
void DetectSslVersionRegister(void)
Registration function for keyword: ssl_version.
Definition: detect-ssl-version.c:76
SigTableElmt_::name
const char * name
Definition: detect.h:1200
Signature_
Signature container.
Definition: detect.h:522
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:226
str
#define str(s)
Definition: suricata-common.h:256
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:253
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1191
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2388
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SigMatch_::type
uint8_t type
Definition: detect.h:319
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
DETECT_SSL_VERSION_NEGATED
#define DETECT_SSL_VERSION_NEGATED
Definition: detect-ssl-version.h:28
SigTableElmt_::desc
const char * desc
Definition: detect.h:1202
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:346
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:809
DetectSslVersionData_::data
SSLVersionData data[TLS_SIZE]
Definition: detect-ssl-version.h:48
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCFree
#define SCFree(a)
Definition: util-mem.h:322
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
SigTableElmt_::url
const char * url
Definition: detect.h:1203
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1173
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
m
SCMutex m
Definition: flow-hash.h:105
DetectSslVersionData_
Definition: detect-ssl-version.h:47
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:268
DOC_URL
#define DOC_URL
Definition: suricata.h:86
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
DetectEngineThreadCtx_
Definition: detect.h:1003
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
Flow_
Flow data structure.
Definition: flow.h:325
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:248
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1192
SigMatch_
a single match condition for a signature
Definition: detect.h:318