1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  * Implements support for tls_cert_issuer keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
36 #include "detect-content.h"
37 #include "detect-pcre.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "util-debug.h"
44 #include "util-unittest.h"
45 #include "util-spm.h"
46 #include "util-print.h"
47 
48 #include "stream-tcp.h"
49 
50 #include "app-layer.h"
51 #include "app-layer-ssl.h"
52 #include "detect-tls-cert-issuer.h"
53 
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 
/* Forward declarations for the callbacks this file hands to the detection
 * framework: the keyword Setup hook and the unit-test registration hook
 * (both stored in sigmatch_table by the registration function below) and
 * the inspection-buffer getter that presumably goes to the MPM / inspect
 * engine registration calls. */
static int DetectTlsIssuerSetup(DetectEngineCtx *, Signature *, const char *);
static void DetectTlsIssuerRegisterTests(void);
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *_f, const uint8_t _flow_flags,
        void *txv, const int list_id);
/* List id of the "tls_cert_issuer" buffer. Resolved once at registration
 * time via DetectBufferTypeGetByName() and used by Setup() and the tests. */
static int g_tls_cert_issuer_buffer_id = 0;
64 
/**
 * \brief Registration function for keyword: tls_cert_issuer
 *
 * Fills the sigmatch table entry for DETECT_AL_TLS_CERT_ISSUER (name,
 * description, documentation URL, Setup and RegisterTests callbacks),
 * registers an MPM engine for the buffer in the to-client direction with
 * priority 2, sets the buffer's human-readable description and caches the
 * buffer id in g_tls_cert_issuer_buffer_id for later use by Setup().
 *
 * NOTE(review): this rendering of the file omits the function signature
 * (void DetectTlsIssuerRegister(void)) and several lines of the body,
 * among them the remaining arguments of the DetectAppLayerMpmRegister2()
 * call and, most likely, the DetectAppLayerInspectEngineRegister2() calls
 * that the page's symbol index shows the file using. The code below is
 * reproduced as rendered.
 */
{
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].name = "tls_cert_issuer";
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].desc = "content modifier to match specifically and only on the TLS cert issuer buffer";
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-issuer";
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Setup = DetectTlsIssuerSetup;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].RegisterTests = DetectTlsIssuerRegisterTests;

    /* MPM engine: direction SIG_FLAG_TOCLIENT, priority 2. The argument
     * list continues on lines not present in this rendering. */
    DetectAppLayerMpmRegister2("tls_cert_issuer", SIG_FLAG_TOCLIENT, 2,

    DetectBufferTypeSetDescriptionByName("tls_cert_issuer",
            "TLS certificate issuer");

    /* Cache the list id so Setup() does not have to look it up per rule. */
    g_tls_cert_issuer_buffer_id = DetectBufferTypeGetByName("tls_cert_issuer");
}
93 
94 
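/**
 * \brief Setup callback for the tls_cert_issuer buffer keyword.
 *
 * Makes the tls_cert_issuer buffer the active list of the signature, so
 * that the content/pcre keywords following it in the rule are attached to
 * that buffer instead of the generic match list, and pins the signature to
 * the TLS app-layer protocol.
 *
 * \param de_ctx Pointer to the Detection Engine Context (not used here)
 * \param s      Pointer to the Signature to which the current keyword belongs
 * \param str    Should hold an empty string always; the keyword takes no
 *               option value and the string is not inspected
 *
 * \retval  0 On success
 * \retval -1 If DetectBufferSetActiveList() refuses to activate the buffer
 *            (negative return); the rule is then rejected by the parser
 *            instead of being accepted with its content attached to the
 *            wrong list
 */
static int DetectTlsIssuerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    /* The original ignored this return value, so a refused buffer selection
     * went unnoticed and the rule was still loaded. */
    if (DetectBufferSetActiveList(s, g_tls_cert_issuer_buffer_id) < 0) {
        return -1;
    }

    s->alproto = ALPROTO_TLS;
    return 0;
}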
110 
/**
 * \brief Inspection-buffer getter for the tls_cert_issuer buffer.
 *
 * Lazily fills the inspection buffer for list_id with the issuer DN string
 * the TLS parser stored as cert0 (presumably the first certificate in the
 * server's chain) and applies the rule's transforms. A buffer that is
 * already populated is returned untouched.
 *
 * \param det_ctx     Detection engine thread context owning the buffers
 * \param transforms  Transforms to apply to the raw buffer data
 * \param _f          Flow whose app-layer state is the SSLState
 * \param _flow_flags Unused
 * \param txv         Unused
 * \param list_id     Id of the inspection buffer list to fill
 *
 * \retval buffer The populated inspection buffer
 * \retval NULL   If no issuer DN has been recorded for this flow yet
 */
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);

    /* Set up earlier in this inspection pass: nothing more to do. */
    if (buffer->inspect != NULL) {
        return buffer;
    }

    /* The DN string originates from the peer's certificate, i.e. it is
     * untrusted input, and is handed to the rule engine as an opaque byte
     * range. Its length comes from strlen(), so a NUL byte inside the
     * stored DN would end the exposed range early. */
    const SSLState *ssl_state = (const SSLState *)_f->alstate;
    const char *issuer_dn = ssl_state->server_connp.cert0_issuerdn;
    if (issuer_dn == NULL) {
        return NULL;
    }

    InspectionBufferSetup(buffer, (const uint8_t *)issuer_dn,
            (uint32_t)strlen(issuer_dn));
    InspectionBufferApplyTransforms(buffer, transforms);

    return buffer;
}
132 
133 #ifdef UNITTESTS
134 
/**
 * \test A rule using tls_cert_issuer parses, and the content keyword that
 *       follows it ends up in the tls_cert_issuer buffer list rather than
 *       in the generic MATCH list.
 */
static int DetectTlsIssuerTest01(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
            "(msg:\"Testing tls_cert_issuer\"; "
            "tls_cert_issuer; content:\"test\"; sid:1;)");
    FAIL_IF_NULL(de_ctx->sig_list);

    Signature *sig = de_ctx->sig_list;

    /* The content must not have landed in the generic MATCH list ... */
    FAIL_IF_NOT_NULL(sig->sm_lists[DETECT_SM_LIST_MATCH]);

    /* ... but as the single entry of the tls_cert_issuer buffer list. */
    SigMatch *sm = sig->sm_lists[g_tls_cert_issuer_buffer_id];
    FAIL_IF_NULL(sm);
    FAIL_IF(sm->type != DETECT_CONTENT);
    FAIL_IF_NOT_NULL(sm->next);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    PASS;
}
169 
/**
 * \test Match "google" (nocase) against the issuer DN of the certificate a
 *       server presents. No alert may fire after the ClientHello or the
 *       ServerHello; the alert is expected once the Certificate record has
 *       been parsed (the assertion after the third packet is not visible
 *       in this rendering of the file).
 *
 * The three byte arrays are a recorded TLS 1.2 handshake (record version
 * 0x0303): a ClientHello carrying SNI "www.google.no", the ServerHello and
 * a Certificate record whose issuer DN decodes to C=US, O=Google Inc,
 * CN=Google Internet Authority G2.
 *
 * NOTE(review): this rendering omits the declarations/initialisation of
 * alp_tctx and de_ctx and a few flow/packet flag lines; the calls below
 * rely on them.
 */
static int DetectTlsIssuerTest02(void)
{
    /* client hello (to server): SNI extension with "www.google.no" */
    uint8_t client_hello[] = {
        0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
        0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
        0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
        0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
        0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
        0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
        0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
        0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
        0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
        0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
        0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
        0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
        0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
        0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
        0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
        0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
        0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
        0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
        0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
        0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
        0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
        0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
        0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
        0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
        0x03, 0x04, 0x02, 0x02, 0x02
    };

    /* server hello (to client) */
    uint8_t server_hello[] = {
        0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
        0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
        0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
        0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
        0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
        0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
        0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
        0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
        0x0b, 0x00, 0x02, 0x01, 0x00
    };

    /* certificate (to client): issuer DN contains "Google Internet
     * Authority G2", which is what the rule's content:"google" hits */
    uint8_t certificate[] = {
        0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
        0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
        0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
        0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
        0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
        0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
        0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
        0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
        0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
        0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
        0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
        0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
        0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
        0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
        0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
        0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
        0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
        0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
        0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
        0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
        0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
        0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
        0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
        0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
        0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
        0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
        0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
        0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
        0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
        0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
        0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
        0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
        0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
        0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
        0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
        0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
        0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
        0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
        0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
        0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
        0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
        0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
        0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
        0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
        0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
        0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
        0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
        0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
        0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
        0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
        0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
        0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
        0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
        0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
        0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
        0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
        0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
        0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
        0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
        0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
        0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
        0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
        0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
        0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
        0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
        0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
        0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
        0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
        0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
        0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
        0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
        0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
        0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
        0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
        0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
        0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
        0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
        0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
        0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
        0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
        0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
        0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
        0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
        0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
        0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
        0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
        0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
        0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
        0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
        0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
        0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
        0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
        0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
        0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
        0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
        0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
        0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
        0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
        0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
        0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
        0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
        0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
        0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
        0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
        0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
        0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
        0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
        0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
        0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
        0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
        0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
        0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
        0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
        0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
        0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
        0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
        0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
        0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
        0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
        0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
        0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
        0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
        0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
        0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
        0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
        0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
        0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
        0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
        0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
        0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
        0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
        0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
        0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
        0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
        0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
        0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
        0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
        0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
        0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
        0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
        0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
        0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
        0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
        0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
        0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
        0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
        0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
    };

    Flow f;
    SSLState *ssl_state = NULL;
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    Packet *p3 = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    /* NOTE(review): alp_tctx (AppLayerParserThreadCtx *) is used below but
     * its declaration is not part of this rendering. */

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* One packet per handshake record, all on the same 5-tuple: the
     * ClientHello client -> server, the two others server -> client. */
    p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
            "192.168.1.5", "192.168.1.1", 51251, 443);
    p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
            "192.168.1.1", "192.168.1.5", 443, 51251);
    p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
            "192.168.1.1", "192.168.1.5", 443, 51251);

    /* Flow is pre-classified as TLS so no protocol detection is needed. */
    FLOW_INITIALIZE(&f);
    f.flags |= FLOW_IPV4;
    f.proto = IPPROTO_TCP;
    f.alproto = ALPROTO_TLS;

    /* Attach all three packets to the flow. The per-packet flow/stream
     * flag lines are missing from this rendering. */
    p1->flow = &f;
    p1->pcap_cnt = 1;

    p2->flow = &f;
    p2->pcap_cnt = 2;

    p3->flow = &f;
    p3->pcap_cnt = 3;

    /* NOTE(review): de_ctx (DetectEngineCtx *) is used from here on but its
     * declaration/initialisation is not part of this rendering. */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
            "(msg:\"Test tls_cert_issuer\"; "
            "tls_cert_issuer; content:\"google\"; nocase; "
            "sid:1;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* Feed the ClientHello to the TLS parser under the flow write lock. */
    FLOWLOCK_WRLOCK(&f);
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
            STREAM_TOSERVER, client_hello,
            sizeof(client_hello));
    FLOWLOCK_UNLOCK(&f);

    FAIL_IF(r != 0);

    ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p1);

    /* No certificate seen yet, so sid 1 must not alert on the ClientHello. */
    FAIL_IF(PacketAlertCheck(p1, 1));

    FLOWLOCK_WRLOCK(&f);
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
            server_hello, sizeof(server_hello));
    FLOWLOCK_UNLOCK(&f);

    FAIL_IF(r != 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p2);

    /* Still no issuer DN after the ServerHello. */
    FAIL_IF(PacketAlertCheck(p2, 1));

    FLOWLOCK_WRLOCK(&f);
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
            certificate, sizeof(certificate));
    FLOWLOCK_UNLOCK(&f);

    FAIL_IF(r != 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p3);

    /* The check that sid 1 alerted on p3 is not visible in this rendering;
     * it is presumably the line omitted here. */

    /* Cleanup is only reached on the success path; the FAIL_IF* macros
     * presumably return early, so a failing run leaks these. */
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    if (de_ctx != NULL)
        SigGroupCleanup(de_ctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    FLOW_DESTROY(&f);
    UTHFreePacket(p1);
    UTHFreePacket(p2);
    UTHFreePacket(p3);

    PASS;
}
488 
489 #endif
490 
/**
 * \brief Register this keyword's unit tests with the test runner.
 *
 * Compiles to an empty function unless UNITTESTS is defined. Tests are
 * registered in table order.
 */
static void DetectTlsIssuerRegisterTests(void)
{
#ifdef UNITTESTS
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectTlsIssuerTest01", DetectTlsIssuerTest01 },
        { "DetectTlsIssuerTest02", DetectTlsIssuerTest02 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
#endif
}