1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  * Implements support for tls_cert_subject keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
36 #include "detect-content.h"
37 #include "detect-pcre.h"
39 
40 #include "flow.h"
41 #include "flow-util.h"
42 #include "flow-var.h"
43 
44 #include "util-debug.h"
45 #include "util-unittest.h"
46 #include "util-spm.h"
47 #include "util-print.h"
48 
49 #include "stream-tcp.h"
50 
51 #include "app-layer.h"
52 #include "app-layer-ssl.h"
53 
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 
57 static int DetectTlsSubjectSetup(DetectEngineCtx *, Signature *, const char *);
58 static void DetectTlsSubjectRegisterTests(void);
59 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
60  const DetectEngineTransforms *transforms,
61  Flow *_f, const uint8_t _flow_flags,
62  void *txv, const int list_id);
63 static int g_tls_cert_subject_buffer_id = 0;
64 
65 /**
66  * \brief Registration function for keyword: tls_cert_subject
67  */
69 {
70  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls_cert_subject";
71  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].desc = "content modifier to match specifically and only on the TLS cert subject buffer";
72  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-subject";
74  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Setup = DetectTlsSubjectSetup;
76  sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
77 
79 
83 
84  DetectAppLayerMpmRegister2("tls_cert_subject", SIG_FLAG_TOCLIENT, 2,
87 
88  DetectBufferTypeSetDescriptionByName("tls_cert_subject",
89  "TLS certificate subject");
90 
91  g_tls_cert_subject_buffer_id = DetectBufferTypeGetByName("tls_cert_subject");
92 }
93 
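/**
 * \brief Sets up the tls_cert_subject sticky-buffer keyword for a rule.
 *
 * Activates the tls_cert_subject inspection list on the signature so that the
 * content/pcre keywords following it are placed in that list, and pins the
 * signature to the TLS app-layer protocol.
 *
 * \param de_ctx Pointer to the Detection Engine Context (not used here)
 * \param s      Pointer to the Signature to which the current keyword belongs
 * \param str    Should hold an empty string always (the keyword takes no option)
 *
 * \retval  0 On success
 * \retval -1 If DetectBufferSetActiveList refuses to activate the list
 *            (negative return); the signature is then rejected by the
 *            caller instead of being loaded with its matches in the wrong list.
 */
static int DetectTlsSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    /* DetectBufferSetActiveList returns an int; a negative value means the
     * list could not be activated for this signature. Ignoring it would let
     * a malformed rule load silently, so propagate the failure. */
    if (DetectBufferSetActiveList(s, g_tls_cert_subject_buffer_id) < 0) {
        return -1;
    }
    s->alproto = ALPROTO_TLS;
    return 0;
}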
109 
/**
 * \brief Inspection-buffer getter for the tls_cert_subject keyword.
 *
 * Lazily fills the per-thread inspection buffer for \a list_id with the
 * certificate subject string stored on the server side of the TLS state,
 * applying any rule transforms, and returns it. A buffer that is already
 * populated is returned as is.
 *
 * \param det_ctx     Per-thread detection engine context owning the buffer
 * \param transforms  Transforms to apply after the buffer is set up
 * \param _f          Flow whose \c alstate is read as an SSLState
 * \param _flow_flags Unused
 * \param txv         Unused
 * \param list_id     Buffer list id to fetch
 *
 * \retval buffer The inspection buffer holding the subject
 * \retval NULL   If no subject has been recorded (cert0_subject is NULL)
 */
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);

    /* already set up earlier in this inspection round; nothing to do */
    if (buffer->inspect != NULL) {
        return buffer;
    }

    SSLState *ssl_state = (SSLState *)_f->alstate;
    const char *subject = ssl_state->server_connp.cert0_subject;
    if (subject == NULL) {
        return NULL;
    }

    /* The subject is a NUL-terminated string (presumably parsed from the
     * server certificate, i.e. peer-supplied data); the buffer carries an
     * explicit length, so the terminator is not part of the inspected data. */
    const uint32_t subject_len = (uint32_t)strlen(subject);
    InspectionBufferSetup(buffer, (const uint8_t *)subject, subject_len);
    InspectionBufferApplyTransforms(buffer, transforms);

    return buffer;
}
131 
132 #ifdef UNITTESTS
133 
/**
 * \test Test that a signature containing a tls_cert_subject is correctly parsed
 * and that the keyword is registered: the content following the keyword must
 * land in the tls_cert_subject list (as a single DETECT_CONTENT entry) and
 * not in the generic MATCH list.
 */
static int DetectTlsSubjectTest01(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
            "(msg:\"Testing tls_cert_subject\"; "
            "tls_cert_subject; content:\"test\"; sid:1;)");
    Signature *sig = de_ctx->sig_list;
    FAIL_IF_NULL(sig);

    /* the content must not have stayed in the generic MATCH list ... */
    FAIL_IF_NOT_NULL(sig->sm_lists[DETECT_SM_LIST_MATCH]);

    /* ... but must be the only entry in the tls_cert_subject list */
    SigMatch *sm = sig->sm_lists[g_tls_cert_subject_buffer_id];
    FAIL_IF_NULL(sm);
    FAIL_IF(sm->type != DETECT_CONTENT);
    FAIL_IF_NOT_NULL(sm->next);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    PASS;
}
168 
169 /**
170  * \test Test matching for google in the subject of a certificate
171  *
172  */
173 static int DetectTlsSubjectTest02(void)
174 {
175  /* client hello */
176  uint8_t client_hello[] = {
177  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
178  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
179  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
180  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
181  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
182  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
183  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
184  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
185  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
186  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
187  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
188  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
189  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
190  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
191  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
192  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
193  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
194  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
195  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
196  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
197  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
198  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
199  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
200  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
201  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
202  0x03, 0x04, 0x02, 0x02, 0x02
203  };
204 
205  /* server hello */
206  uint8_t server_hello[] = {
207  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
208  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
209  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
210  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
211  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
212  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
213  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
214  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
215  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
216  0x0b, 0x00, 0x02, 0x01, 0x00
217  };
218 
219  /* certificate */
220  uint8_t certificate[] = {
221  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
222  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
223  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
224  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
225  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
226  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
227  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
228  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
229  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
230  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
231  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
232  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
233  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
234  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
235  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
236  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
237  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
238  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
239  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
240  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
241  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
242  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
243  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
244  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
245  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
246  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
247  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
248  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
249  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
250  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
251  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
252  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
253  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
254  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
255  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
256  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
257  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
258  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
259  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
260  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
261  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
262  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
263  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
264  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
265  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
266  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
267  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
268  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
269  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
270  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
271  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
272  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
273  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
274  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
275  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
276  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
277  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
278  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
279  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
280  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
281  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
282  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
283  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
284  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
285  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
286  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
287  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
288  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
289  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
290  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
291  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
292  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
293  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
294  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
295  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
296  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
297  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
298  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
299  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
300  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
301  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
302  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
303  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
304  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
305  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
306  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
307  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
308  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
309  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
310  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
311  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
312  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
313  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
314  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
315  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
316  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
317  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
318  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
319  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
320  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
321  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
322  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
323  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
324  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
325  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
326  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
327  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
328  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
329  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
330  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
331  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
332  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
333  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
334  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
335  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
336  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
337  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
338  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
339  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
340  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
341  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
342  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
343  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
344  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
345  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
346  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
347  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
348  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
349  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
350  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
351  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
352  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
353  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
354  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
355  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
356  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
357  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
358  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
359  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
360  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
361  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
362  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
363  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
364  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
365  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
366  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
367  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
368  };
369 
370  Flow f;
371  SSLState *ssl_state = NULL;
372  TcpSession ssn;
373  Packet *p1 = NULL;
374  Packet *p2 = NULL;
375  Packet *p3 = NULL;
376  Signature *s = NULL;
377  ThreadVars tv;
378  DetectEngineThreadCtx *det_ctx = NULL;
380 
381  memset(&tv, 0, sizeof(ThreadVars));
382  memset(&f, 0, sizeof(Flow));
383  memset(&ssn, 0, sizeof(TcpSession));
384 
385  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
386  "192.168.1.5", "192.168.1.1", 51251, 443);
387  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
388  "192.168.1.1", "192.168.1.5", 443, 51251);
389  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
390  "192.168.1.1", "192.168.1.5", 443, 51251);
391 
392  FLOW_INITIALIZE(&f);
393  f.flags |= FLOW_IPV4;
394  f.proto = IPPROTO_TCP;
396  f.alproto = ALPROTO_TLS;
397 
398  p1->flow = &f;
402  p1->pcap_cnt = 1;
403 
404  p2->flow = &f;
408  p2->pcap_cnt = 2;
409 
410  p3->flow = &f;
414  p3->pcap_cnt = 3;
415 
417 
419  FAIL_IF_NULL(de_ctx);
420 
422  de_ctx->flags |= DE_QUIET;
423 
424  s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
425  "(msg:\"Test tls_cert_subject\"; "
426  "tls_cert_subject; content:\"google\"; nocase; "
427  "sid:1;)");
428  FAIL_IF_NULL(s);
429 
430  SigGroupBuild(de_ctx);
431  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
432 
433  FLOWLOCK_WRLOCK(&f);
434  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
435  STREAM_TOSERVER, client_hello,
436  sizeof(client_hello));
437  FLOWLOCK_UNLOCK(&f);
438 
439  FAIL_IF(r != 0);
440 
441  ssl_state = f.alstate;
442  FAIL_IF_NULL(ssl_state);
443 
444  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
445 
446  FAIL_IF(PacketAlertCheck(p1, 1));
447 
448  FLOWLOCK_WRLOCK(&f);
449  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
450  server_hello, sizeof(server_hello));
451  FLOWLOCK_UNLOCK(&f);
452 
453  FAIL_IF(r != 0);
454 
455  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
456 
457  FAIL_IF(PacketAlertCheck(p2, 1));
458 
459  FLOWLOCK_WRLOCK(&f);
460  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
461  certificate, sizeof(certificate));
462  FLOWLOCK_UNLOCK(&f);
463 
464  FAIL_IF(r != 0);
465 
466  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
467 
469 
470  if (alp_tctx != NULL)
471  AppLayerParserThreadCtxFree(alp_tctx);
472  if (det_ctx != NULL)
473  DetectEngineThreadCtxDeinit(&tv, det_ctx);
474  if (de_ctx != NULL)
475  SigGroupCleanup(de_ctx);
476  if (de_ctx != NULL)
477  DetectEngineCtxFree(de_ctx);
478 
480  FLOW_DESTROY(&f);
481  UTHFreePacket(p1);
482  UTHFreePacket(p2);
483  UTHFreePacket(p3);
484 
485  PASS;
486 }
487 
488 #endif
489 
/**
 * \brief Registers the unit tests for the tls_cert_subject keyword.
 *
 * Compiles to an empty function when UNITTESTS is not defined.
 */
static void DetectTlsSubjectRegisterTests(void)
{
#ifdef UNITTESTS
    /* table-driven so adding a test is a one-line change; order is kept */
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectTlsSubjectTest01", DetectTlsSubjectTest01 },
        { "DetectTlsSubjectTest02", DetectTlsSubjectTest02 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
#endif
}