1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  * Implements support for tls_cert_serial keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
36 #include "detect-content.h"
37 #include "detect-pcre.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "util-debug.h"
44 #include "util-unittest.h"
45 #include "util-spm.h"
46 #include "util-print.h"
47 
48 #include "stream-tcp.h"
49 
50 #include "app-layer.h"
51 #include "app-layer-ssl.h"
52 #include "detect-tls-cert-serial.h"
53 
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 
/* Keyword setup: binds the signature's following content/pcre keywords to the
 * tls_cert_serial buffer list. */
static int DetectTlsSerialSetup(DetectEngineCtx *, Signature *, const char *);
/* Registers the unit tests below (no-op unless built with UNITTESTS). */
static void DetectTlsSerialRegisterTests(void);
/* Inspection-buffer getter: exposes the server certificate's serial string
 * (server_connp.cert0_serial) as the data the engines match content against. */
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *_f, const uint8_t _flow_flags,
        void *txv, const int list_id);
/* Post-parse callback: uppercases content bytes in this buffer's sigmatch list
 * and rebuilds their SPM context. */
static void DetectTlsSerialSetupCallback(const DetectEngineCtx *de_ctx,
        Signature *s);
/* Rule validation: warns when nocase is combined with this buffer and rejects
 * a content that has no ':' delimiters (such a rule could never match). */
static _Bool DetectTlsSerialValidateCallback(const Signature *s,
        const char **sigerror);
/* Buffer list id obtained from DetectBufferTypeGetByName() at registration;
 * used to index the per-signature sigmatch lists. */
static int g_tls_cert_serial_buffer_id = 0;
68 
69 /**
70  * \brief Registration function for keyword: tls_cert_serial
71  */
73 {
74  sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].name = "tls_cert_serial";
75  sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].desc = "content modifier to match the TLS cert serial buffer";
76  sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-serial";
78  sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].Setup = DetectTlsSerialSetup;
80  sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].RegisterTests = DetectTlsSerialRegisterTests;
81 
83 
87 
88  DetectAppLayerMpmRegister2("tls_cert_serial", SIG_FLAG_TOCLIENT, 2,
91 
92  DetectBufferTypeSetDescriptionByName("tls_cert_serial",
93  "TLS certificate serial number");
94 
95  DetectBufferTypeRegisterSetupCallback("tls_cert_serial",
96  DetectTlsSerialSetupCallback);
97 
99  DetectTlsSerialValidateCallback);
100 
101  g_tls_cert_serial_buffer_id = DetectBufferTypeGetByName("tls_cert_serial");
102 }
103 
/**
 * \brief Sets up the tls_cert_serial modifier keyword used in a rule.
 *
 * Switches the signature's active buffer list to the tls_cert_serial list so
 * that the content keywords that follow are attached to that buffer.
 *
 * \param de_ctx Pointer to the Detection Engine Context
 * \param s Pointer to the Signature to which the current keyword belongs
 * \param str Should hold an empty string always
 *
 * \retval 0 On success
 * \retval -1 On failure
 */
static int DetectTlsSerialSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    DetectBufferSetActiveList(s, g_tls_cert_serial_buffer_id);

    /* NOTE(review): the condition guarding this early return is missing from
     * this rendering of the file (one source line dropped here); it is
     * presumably the app-layer protocol check for the signature — confirm
     * against the repository before relying on this listing. */
        return -1;

    return 0;
}
122 
/**
 * \brief Inspection-buffer getter for the tls_cert_serial buffer.
 *
 * Hands back the thread's inspection buffer for \a list_id. When the buffer's
 * inspect pointer is still unset, it is populated from the server-side
 * certificate serial string of the flow's SSL state and the configured
 * transforms are applied.
 *
 * \param det_ctx    detection engine thread context
 * \param transforms transforms to apply to the freshly set-up buffer
 * \param _f         flow whose alstate holds the SSLState
 * \param _flow_flags unused
 * \param txv        unused
 * \param list_id    buffer list id to fetch
 *
 * \retval buffer the (possibly freshly populated) inspection buffer
 * \retval NULL   no serial is available for the server certificate
 */
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buf = InspectionBufferGet(det_ctx, list_id);

    /* inspect pointer already set: nothing to (re)build */
    if (buf->inspect != NULL)
        return buf;

    /* NOTE(review): _f->alstate is dereferenced without a NULL check, as in
     * the original; the caller is assumed to guarantee a TLS state here. */
    const SSLState *ssl_state = (const SSLState *)_f->alstate;
    const char *serial = ssl_state->server_connp.cert0_serial;
    if (serial == NULL)
        return NULL;

    /* the serial is a NUL-terminated string; expose its bytes verbatim */
    const uint32_t serial_len = (uint32_t)strlen(serial);
    InspectionBufferSetup(buf, (const uint8_t *)serial, serial_len);
    InspectionBufferApplyTransforms(buf, transforms);

    return buf;
}
144 
/**
 * \brief Validate callback for rules using the tls_cert_serial buffer.
 *
 * Looks at the first content keyword attached to the buffer. A nocase flag
 * only yields a warning (the content is uppercased at setup anyway). A content
 * longer than two bytes must contain at least one ':' delimiter; otherwise the
 * rule can never match the colon-separated serial string and is rejected.
 *
 * \param s        signature being validated
 * \param sigerror set to a static message describing the warning/error
 *
 * \retval TRUE  the rule is acceptable (possibly with a warning logged)
 * \retval FALSE the rule can never match and should be rejected
 */
static _Bool DetectTlsSerialValidateCallback(const Signature *s,
        const char **sigerror)
{
    /* only the first content in this buffer's list is examined; the original
     * loop returns on it regardless of outcome */
    const SigMatch *sm = s->init_data->smlists[g_tls_cert_serial_buffer_id];
    while (sm != NULL && sm->type != DETECT_CONTENT)
        sm = sm->next;

    if (sm == NULL)
        return TRUE;

    const DetectContentData *cd = (const DetectContentData *)sm->ctx;

    if (cd->flags & DETECT_CONTENT_NOCASE) {
        *sigerror = "tls_cert_serial should not be used together "
                    "with nocase, since the rule is automatically "
                    "uppercased anyway which makes nocase redundant.";
        SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
    }

    /* no need to worry about this if the content is short enough */
    if (cd->content_len <= 2)
        return TRUE;

    /* any ':' in the content is enough */
    if (memchr(cd->content, ':', cd->content_len) != NULL)
        return TRUE;

    *sigerror = "No colon delimiters ':' detected in content after "
                "tls_cert_serial. This rule will therefore never "
                "match.";
    SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);

    return FALSE;
}
182 
/**
 * \brief Setup callback for the tls_cert_serial buffer.
 *
 * Walks the content keywords attached to this buffer, uppercases any lowercase
 * bytes in place and, when something changed, rebuilds the content's SPM
 * context so the matcher sees the modified pattern.
 *
 * \param de_ctx detection engine context (supplies the SPM global thread ctx)
 * \param s      signature whose sigmatch list is rewritten
 */
static void DetectTlsSerialSetupCallback(const DetectEngineCtx *de_ctx,
        Signature *s)
{
    SigMatch *sm = s->init_data->smlists[g_tls_cert_serial_buffer_id];
    for ( ; sm != NULL; sm = sm->next)
    {
        if (sm->type != DETECT_CONTENT)
            continue;

        /* NOTE(review): the declaration of cd (one source line) is missing
         * from this rendering of the file; judging by the validate callback it
         * is the DetectContentData carried in sm->ctx — confirm against the
         * repository before relying on this listing. */

        _Bool changed = FALSE;
        uint32_t u;
        for (u = 0; u < cd->content_len; u++)
        {
            /* content is a uint8_t buffer (it is later passed to SpmInitCtx),
             * so the values are valid <ctype.h> inputs */
            if (islower(cd->content[u])) {
                cd->content[u] = toupper(cd->content[u]);
                changed = TRUE;
            }
        }

        /* recreate the context if changes were made; rebuilt with the
         * nocase argument set to 1 */
        if (changed) {
            SpmDestroyCtx(cd->spm_ctx);
            cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
                    de_ctx->spm_global_thread_ctx);
        }
    }
}
212 
213 #ifdef UNITTESTS
214 
/**
 * \test A rule using tls_cert_serial parses, and its content keyword lands in
 * the tls_cert_serial buffer list (as the only entry) rather than in the
 * generic MATCH list.
 *
 * \retval 1 on success, 0 on failure (via the FAIL_IF/PASS macros)
 */
static int DetectTlsSerialTest01(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    const char *rule = "alert tls any any -> any any "
                       "(msg:\"Testing tls_cert_serial\"; "
                       "tls_cert_serial; content:\"XX:XX:XX\"; sid:1;)";
    de_ctx->sig_list = SigInit(de_ctx, rule);
    FAIL_IF_NULL(de_ctx->sig_list);

    /* the content must not be in the generic MATCH list... */
    FAIL_IF_NOT_NULL(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH]);

    /* ...but be the single entry of the tls_cert_serial list */
    const SigMatch *sm = de_ctx->sig_list->sm_lists[g_tls_cert_serial_buffer_id];
    FAIL_IF_NULL(sm);
    FAIL_IF_NOT(sm->type == DETECT_CONTENT);
    FAIL_IF_NOT_NULL(sm->next);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    PASS;
}
249 
250 /**
251  * \test Test matching for serial in a certificate.
252  */
253 static int DetectTlsSerialTest02(void)
254 {
255  /* client hello */
256  uint8_t client_hello[] = {
257  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
258  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
259  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
260  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
261  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
262  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
263  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
264  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
265  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
266  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
267  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
268  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
269  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
270  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
271  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
272  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
273  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
274  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
275  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
276  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
277  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
278  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
279  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
280  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
281  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
282  0x03, 0x04, 0x02, 0x02, 0x02
283  };
284 
285  /* server hello */
286  uint8_t server_hello[] = {
287  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
288  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
289  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
290  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
291  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
292  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
293  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
294  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
295  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
296  0x0b, 0x00, 0x02, 0x01, 0x00
297  };
298 
299  /* certificate */
300  uint8_t certificate[] = {
301  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
302  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
303  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
304  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
305  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
306  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
307  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
308  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
309  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
310  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
311  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
312  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
313  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
314  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
315  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
316  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
317  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
318  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
319  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
320  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
321  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
322  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
323  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
324  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
325  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
326  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
327  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
328  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
329  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
330  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
331  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
332  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
333  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
334  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
335  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
336  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
337  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
338  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
339  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
340  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
341  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
342  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
343  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
344  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
345  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
346  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
347  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
348  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
349  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
350  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
351  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
352  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
353  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
354  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
355  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
356  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
357  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
358  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
359  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
360  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
361  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
362  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
363  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
364  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
365  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
366  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
367  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
368  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
369  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
370  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
371  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
372  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
373  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
374  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
375  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
376  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
377  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
378  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
379  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
380  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
381  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
382  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
383  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
384  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
385  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
386  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
387  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
388  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
389  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
390  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
391  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
392  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
393  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
394  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
395  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
396  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
397  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
398  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
399  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
400  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
401  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
402  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
403  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
404  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
405  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
406  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
407  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
408  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
409  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
410  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
411  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
412  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
413  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
414  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
415  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
416  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
417  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
418  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
419  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
420  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
421  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
422  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
423  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
424  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
425  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
426  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
427  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
428  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
429  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
430  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
431  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
432  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
433  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
434  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
435  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
436  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
437  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
438  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
439  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
440  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
441  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
442  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
443  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
444  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
445  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
446  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
447  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
448  };
449 
450  Flow f;
451  SSLState *ssl_state = NULL;
452  TcpSession ssn;
453  Packet *p1 = NULL;
454  Packet *p2 = NULL;
455  Packet *p3 = NULL;
456  Signature *s = NULL;
457  ThreadVars tv;
458  DetectEngineThreadCtx *det_ctx = NULL;
460 
461  memset(&tv, 0, sizeof(ThreadVars));
462  memset(&f, 0, sizeof(Flow));
463  memset(&ssn, 0, sizeof(TcpSession));
464 
465  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
466  "192.168.1.5", "192.168.1.1", 51251, 443);
467  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
468  "192.168.1.1", "192.168.1.5", 443, 51251);
469  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
470  "192.168.1.1", "192.168.1.5", 443, 51251);
471 
472  FLOW_INITIALIZE(&f);
473  f.flags |= FLOW_IPV4;
474  f.proto = IPPROTO_TCP;
476  f.alproto = ALPROTO_TLS;
477 
478  p1->flow = &f;
482  p1->pcap_cnt = 1;
483 
484  p2->flow = &f;
488  p2->pcap_cnt = 2;
489 
490  p3->flow = &f;
494  p3->pcap_cnt = 3;
495 
497 
499  FAIL_IF_NULL(de_ctx);
500 
502  de_ctx->flags |= DE_QUIET;
503 
504  s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
505  "(msg:\"Test tls_cert_serial\"; "
506  "tls_cert_serial; "
507  "content:\"5C:19:B7:B1:32:3B:1C:A1\"; "
508  "sid:1;)");
509  FAIL_IF_NULL(s);
510 
511  SigGroupBuild(de_ctx);
512  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
513 
514  FLOWLOCK_WRLOCK(&f);
515  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
516  STREAM_TOSERVER, client_hello,
517  sizeof(client_hello));
518  FLOWLOCK_UNLOCK(&f);
519 
520  FAIL_IF(r != 0);
521 
522  ssl_state = f.alstate;
523  FAIL_IF_NULL(ssl_state);
524 
525  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
526 
527  FAIL_IF(PacketAlertCheck(p1, 1));
528 
529  FLOWLOCK_WRLOCK(&f);
530  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
531  server_hello, sizeof(server_hello));
532  FLOWLOCK_UNLOCK(&f);
533 
534  FAIL_IF(r != 0);
535 
536  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
537 
538  FAIL_IF(PacketAlertCheck(p2, 1));
539 
540  FLOWLOCK_WRLOCK(&f);
541  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
542  certificate, sizeof(certificate));
543  FLOWLOCK_UNLOCK(&f);
544 
545  FAIL_IF(r != 0);
546 
547  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
548 
550 
551  if (alp_tctx != NULL)
552  AppLayerParserThreadCtxFree(alp_tctx);
553  if (det_ctx != NULL)
554  DetectEngineThreadCtxDeinit(&tv, det_ctx);
555  if (de_ctx != NULL)
556  SigGroupCleanup(de_ctx);
557  if (de_ctx != NULL)
558  DetectEngineCtxFree(de_ctx);
559 
561  FLOW_DESTROY(&f);
562  UTHFreePacket(p1);
563  UTHFreePacket(p2);
564  UTHFreePacket(p3);
565 
566  PASS;
567 }
568 
569 #endif /* UNITTESTS */
570 
/**
 * \brief Registers this file's unit tests with the unittest framework.
 *
 * Compiles to an empty function when UNITTESTS is not defined. Tests are
 * registered in table order.
 */
static void DetectTlsSerialRegisterTests(void)
{
#ifdef UNITTESTS
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectTlsSerialTest01", DetectTlsSerialTest01 },
        { "DetectTlsSerialTest02", DetectTlsSerialTest02 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
        UtRegisterTest(tests[i].name, tests[i].fn);
#endif /* UNITTESTS */
}