suricata
detect-tls-cert-subject.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  * Implements support for tls_cert_subject keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-prefilter.h"
36 #include "detect-content.h"
37 #include "detect-pcre.h"
38 #include "detect-tls-cert-subject.h"
39 
40 #include "flow.h"
41 #include "flow-util.h"
42 #include "flow-var.h"
43 
44 #include "util-debug.h"
45 #include "util-unittest.h"
46 #include "util-spm.h"
47 #include "util-print.h"
48 
49 #include "stream-tcp.h"
50 
51 #include "app-layer.h"
52 #include "app-layer-ssl.h"
53 
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 
57 static int DetectTlsSubjectSetup(DetectEngineCtx *, Signature *, const char *);
58 static void DetectTlsSubjectRegisterTests(void);
59 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
60  const DetectEngineTransforms *transforms,
61  Flow *_f, const uint8_t _flow_flags,
62  void *txv, const int list_id);
63 static int g_tls_cert_subject_buffer_id = 0;
64 
65 /**
66  * \brief Registration function for keyword: tls_cert_subject
67  */
68 void DetectTlsSubjectRegister(void)
69 {
70  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls_cert_subject";
71  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].desc = "content modifier to match specifically and only on the TLS cert subject buffer";
72  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-subject";
73  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Match = NULL;
74  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Setup = DetectTlsSubjectSetup;
75  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Free = NULL;
76  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
77 
78  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT;
79 
80  DetectAppLayerInspectEngineRegister2("tls_cert_subject", ALPROTO_TLS,
81  SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
82  DetectEngineInspectBufferGeneric, GetData);
83 
84  DetectAppLayerMpmRegister2("tls_cert_subject", SIG_FLAG_TOCLIENT, 2,
85  PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
86  TLS_STATE_CERT_READY);
87 
88  DetectBufferTypeSetDescriptionByName("tls_cert_subject",
89  "TLS certificate subject");
90 
91  g_tls_cert_subject_buffer_id = DetectBufferTypeGetByName("tls_cert_subject");
92 }
93 
94 /**
95  * \brief this function setup the tls_cert_subject modifier keyword used in the rule
96  *
97  * \param de_ctx Pointer to the Detection Engine Context
98  * \param s Pointer to the Signature to which the current keyword belongs
99  * \param str Should hold an empty string always
100  *
101  * \retval 0 On success
102  */
103 static int DetectTlsSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
104 {
105  DetectBufferSetActiveList(s, g_tls_cert_subject_buffer_id);
106  s->alproto = ALPROTO_TLS;
107  return 0;
108 }
109 
110 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
111  const DetectEngineTransforms *transforms, Flow *_f,
112  const uint8_t _flow_flags, void *txv, const int list_id)
113 {
114  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
115  if (buffer->inspect == NULL) {
116  SSLState *ssl_state = (SSLState *)_f->alstate;
117 
118  if (ssl_state->server_connp.cert0_subject == NULL) {
119  return NULL;
120  }
121 
122  const uint32_t data_len = strlen(ssl_state->server_connp.cert0_subject);
123  const uint8_t *data = (uint8_t *)ssl_state->server_connp.cert0_subject;
124 
125  InspectionBufferSetup(buffer, data, data_len);
126  InspectionBufferApplyTransforms(buffer, transforms);
127  }
128 
129  return buffer;
130 }
131 
132 #ifdef UNITTESTS
133 
134 /**
135  * \test Test that a signature containing a tls_cert_subject is correctly parsed
136  * and that the keyword is registered.
137  */
138 static int DetectTlsSubjectTest01(void)
139 {
140  DetectEngineCtx *de_ctx = NULL;
141  SigMatch *sm = NULL;
142 
143  de_ctx = DetectEngineCtxInit();
144  FAIL_IF_NULL(de_ctx);
145 
146  de_ctx->flags |= DE_QUIET;
147  de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
148  "(msg:\"Testing tls_cert_subject\"; "
149  "tls_cert_subject; content:\"test\"; sid:1;)");
150  FAIL_IF_NULL(de_ctx->sig_list);
151 
152  /* sm should not be in the MATCH list */
153  sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
154  FAIL_IF_NOT_NULL(sm);
155 
156  sm = de_ctx->sig_list->sm_lists[g_tls_cert_subject_buffer_id];
157  FAIL_IF_NULL(sm);
158 
159  FAIL_IF(sm->type != DETECT_CONTENT);
160  FAIL_IF_NOT_NULL(sm->next);
161 
162  SigGroupCleanup(de_ctx);
163  SigCleanSignatures(de_ctx);
164  DetectEngineCtxFree(de_ctx);
165 
166  PASS;
167 }
168 
169 /**
170  * \test Test matching for google in the subject of a certificate
171  *
172  */
173 static int DetectTlsSubjectTest02(void)
174 {
175  /* client hello */
176  uint8_t client_hello[] = {
177  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
178  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
179  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
180  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
181  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
182  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
183  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
184  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
185  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
186  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
187  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
188  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
189  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
190  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
191  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
192  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
193  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
194  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
195  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
196  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
197  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
198  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
199  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
200  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
201  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
202  0x03, 0x04, 0x02, 0x02, 0x02
203  };
204 
205  /* server hello */
206  uint8_t server_hello[] = {
207  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
208  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
209  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
210  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
211  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
212  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
213  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
214  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
215  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
216  0x0b, 0x00, 0x02, 0x01, 0x00
217  };
218 
219  /* certificate */
220  uint8_t certificate[] = {
221  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
222  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
223  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
224  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
225  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
226  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
227  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
228  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
229  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
230  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
231  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
232  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
233  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
234  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
235  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
236  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
237  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
238  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
239  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
240  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
241  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
242  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
243  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
244  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
245  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
246  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
247  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
248  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
249  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
250  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
251  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
252  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
253  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
254  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
255  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
256  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
257  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
258  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
259  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
260  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
261  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
262  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
263  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
264  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
265  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
266  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
267  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
268  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
269  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
270  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
271  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
272  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
273  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
274  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
275  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
276  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
277  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
278  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
279  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
280  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
281  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
282  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
283  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
284  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
285  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
286  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
287  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
288  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
289  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
290  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
291  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
292  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
293  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
294  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
295  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
296  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
297  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
298  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
299  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
300  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
301  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
302  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
303  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
304  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
305  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
306  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
307  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
308  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
309  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
310  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
311  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
312  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
313  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
314  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
315  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
316  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
317  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
318  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
319  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
320  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
321  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
322  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
323  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
324  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
325  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
326  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
327  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
328  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
329  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
330  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
331  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
332  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
333  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
334  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
335  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
336  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
337  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
338  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
339  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
340  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
341  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
342  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
343  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
344  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
345  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
346  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
347  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
348  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
349  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
350  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
351  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
352  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
353  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
354  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
355  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
356  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
357  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
358  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
359  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
360  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
361  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
362  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
363  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
364  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
365  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
366  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
367  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
368  };
369 
370  Flow f;
371  SSLState *ssl_state = NULL;
372  TcpSession ssn;
373  Packet *p1 = NULL;
374  Packet *p2 = NULL;
375  Packet *p3 = NULL;
376  Signature *s = NULL;
377  ThreadVars tv;
378  DetectEngineThreadCtx *det_ctx = NULL;
379  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
380 
381  memset(&tv, 0, sizeof(ThreadVars));
382  memset(&f, 0, sizeof(Flow));
383  memset(&ssn, 0, sizeof(TcpSession));
384 
385  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
386  "192.168.1.5", "192.168.1.1", 51251, 443);
387  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
388  "192.168.1.1", "192.168.1.5", 443, 51251);
389  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
390  "192.168.1.1", "192.168.1.5", 443, 51251);
391 
392  FLOW_INITIALIZE(&f);
393  f.flags |= FLOW_IPV4;
394  f.proto = IPPROTO_TCP;
395  f.protomap = FlowGetProtoMapping(f.proto);
396  f.alproto = ALPROTO_TLS;
397 
398  p1->flow = &f;
399  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
400  p1->flowflags |= FLOW_PKT_TOSERVER;
401  p1->flowflags |= FLOW_PKT_ESTABLISHED;
402  p1->pcap_cnt = 1;
403 
404  p2->flow = &f;
405  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
406  p2->flowflags |= FLOW_PKT_TOCLIENT;
407  p2->flowflags |= FLOW_PKT_ESTABLISHED;
408  p2->pcap_cnt = 2;
409 
410  p3->flow = &f;
411  p3->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
412  p3->flowflags |= FLOW_PKT_TOCLIENT;
413  p3->flowflags |= FLOW_PKT_ESTABLISHED;
414  p3->pcap_cnt = 3;
415 
416  StreamTcpInitConfig(TRUE);
417 
418  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
419  FAIL_IF_NULL(de_ctx);
420 
421  de_ctx->mpm_matcher = mpm_default_matcher;
422  de_ctx->flags |= DE_QUIET;
423 
424  s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
425  "(msg:\"Test tls_cert_subject\"; "
426  "tls_cert_subject; content:\"google\"; nocase; "
427  "sid:1;)");
428  FAIL_IF_NULL(s);
429 
430  SigGroupBuild(de_ctx);
431  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
432 
433  FLOWLOCK_WRLOCK(&f);
434  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
435  STREAM_TOSERVER, client_hello,
436  sizeof(client_hello));
437  FLOWLOCK_UNLOCK(&f);
438 
439  FAIL_IF(r != 0);
440 
441  ssl_state = f.alstate;
442  FAIL_IF_NULL(ssl_state);
443 
444  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
445 
446  FAIL_IF(PacketAlertCheck(p1, 1));
447 
448  FLOWLOCK_WRLOCK(&f);
449  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
450  server_hello, sizeof(server_hello));
451  FLOWLOCK_UNLOCK(&f);
452 
453  FAIL_IF(r != 0);
454 
455  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
456 
457  FAIL_IF(PacketAlertCheck(p2, 1));
458 
459  FLOWLOCK_WRLOCK(&f);
460  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
461  certificate, sizeof(certificate));
462  FLOWLOCK_UNLOCK(&f);
463 
464  FAIL_IF(r != 0);
465 
466  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
467 
468  FAIL_IF_NOT(PacketAlertCheck(p3, 1));
469 
470  if (alp_tctx != NULL)
471  AppLayerParserThreadCtxFree(alp_tctx);
472  if (det_ctx != NULL)
473  DetectEngineThreadCtxDeinit(&tv, det_ctx);
474  if (de_ctx != NULL)
475  SigGroupCleanup(de_ctx);
476  if (de_ctx != NULL)
477  DetectEngineCtxFree(de_ctx);
478 
479  StreamTcpFreeConfig(TRUE);
480  FLOW_DESTROY(&f);
481  UTHFreePacket(p1);
482  UTHFreePacket(p2);
483  UTHFreePacket(p3);
484 
485  PASS;
486 }
487 
488 #endif
489 
490 static void DetectTlsSubjectRegisterTests(void)
491 {
492 #ifdef UNITTESTS
493  UtRegisterTest("DetectTlsSubjectTest01", DetectTlsSubjectTest01);
494  UtRegisterTest("DetectTlsSubjectTest02", DetectTlsSubjectTest02);
495 #endif
496 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2200
DetectTlsSubjectRegister
void DetectTlsSubjectRegister(void)
Registration function for keyword: tls_cert_subject.
Definition: detect-tls-cert-subject.c:68
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
TcpSession_
Definition: stream-tcp-private.h:257
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:195
detect-content.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:443
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:343
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:242
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1920
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:729
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:608
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:249
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:271
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:202
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:82
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:239
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:561
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:871
SigTableElmt_::name
const char * name
Definition: detect.h:1163
Signature_
Signature container.
Definition: detect.h:495
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:326
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:723
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2591
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:223
Flow_::alstate
void * alstate
Definition: flow.h:433
DE_QUIET
#define DE_QUIET
Definition: detect.h:296
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:698
str
#define str(s)
Definition: suricata-common.h:258
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:242
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:724
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1154
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1892
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:772
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:183
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:167
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:437
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:200
Signature_::alproto
AppProto alproto
Definition: detect.h:499
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:245
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1964
SigMatch_::type
uint8_t type
Definition: detect.h:323
DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1242
Packet_
Definition: decode.h:405
SigTableElmt_::desc
const char * desc
Definition: detect.h:1165
mpm_default_matcher
int mpm_default_matcher
Definition: util-mpm.h:170
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:930
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:978
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1331
SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
SigTableElmt_::url
const char * url
Definition: detect.h:1166
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:410
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1092
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:810
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:347
DOC_URL
#define DOC_URL
Definition: suricata.h:86
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:726
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:965
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:201
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:404
Packet_::flags
uint32_t flags
Definition: decode.h:441
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1157
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
Flow_::protomap
uint8_t protomap
Definition: flow.h:399
Flow_
Flow data structure.
Definition: flow.h:324
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:93
Flow_::flags
uint32_t flags
Definition: flow.h:374
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1090
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1155
SigMatch_
a single match condition for a signature
Definition: detect.h:322
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1130
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:85