detect-tls-cert-subject_8c_source.html

 /* Copyright (C) 2007-2016 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
  * Software Foundation.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * version 2 along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  * 02110-1301, USA.
  */

 /**
  * \file
  *
  * \author Mats Klepsland <mats.klepsland@gmail.com>
  *
  * Implements support for tls.cert_subject keyword.
  */

 #include "suricata-common.h"
 #include "threads.h"
 #include "debug.h"
 #include "decode.h"
 #include "detect.h"

 #include "detect-parse.h"
 #include "detect-engine.h"
 #include "detect-engine-mpm.h"
 #include "detect-engine-prefilter.h"
 #include "detect-content.h"
 #include "detect-pcre.h"
 #include "detect-tls-cert-subject.h"

 #include "flow.h"
 #include "flow-util.h"
 #include "flow-var.h"

 #include "util-debug.h"
 #include "util-unittest.h"
 #include "util-spm.h"
 #include "util-print.h"

 #include "stream-tcp.h"

 #include "app-layer.h"
 #include "app-layer-ssl.h"

 #include "util-unittest.h"
 #include "util-unittest-helper.h"

 static int DetectTlsSubjectSetup(DetectEngineCtx *, Signature *, const char *);
 #ifdef UNITTESTS
 static void DetectTlsSubjectRegisterTests(void);
 #endif
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
         const DetectEngineTransforms *transforms,
         Flow *f, const uint8_t flow_flags,
         void *txv, const int list_id);
 static int g_tls_cert_subject_buffer_id = 0;

 /**
  * \brief Registration function for keyword: tls.cert_subject
  */
 void DetectTlsSubjectRegister(void)
 {
     sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls.cert_subject";
     sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].alias = "tls_cert_subject";
     sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].desc = "content modifier to match specifically and only on the TLS cert subject buffer";
     sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-subject";
     sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Setup = DetectTlsSubjectSetup;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
 #endif
     sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister2("tls.cert_subject", ALPROTO_TLS,
             SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
             DetectEngineInspectBufferGeneric, GetData);

     DetectAppLayerMpmRegister2("tls.cert_subject", SIG_FLAG_TOCLIENT, 2,
             PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
             TLS_STATE_CERT_READY);

     DetectBufferTypeSetDescriptionByName("tls.cert_subject",
             "TLS certificate subject");

     g_tls_cert_subject_buffer_id = DetectBufferTypeGetByName("tls.cert_subject");
 }

 /**
  * \brief this function setup the tls.cert_subject modifier keyword used in the rule
  *
  * \param de_ctx   Pointer to the Detection Engine Context
  * \param s        Pointer to the Signature to which the current keyword belongs
  * \param str      Should hold an empty string always
  *
  * \retval 0  On success
  * \retval -1 On failure
  */
 static int DetectTlsSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
 {
     if (DetectBufferSetActiveList(s, g_tls_cert_subject_buffer_id) < 0)
         return -1;

     if (DetectSignatureSetAppProto(s, ALPROTO_TLS) < 0)
         return -1;

     return 0;
 }

 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
         const DetectEngineTransforms *transforms, Flow *f,
         const uint8_t flow_flags, void *txv, const int list_id)
 {
     InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
     if (buffer->inspect == NULL) {
         const SSLState *ssl_state = (SSLState *)f->alstate;

         if (ssl_state->server_connp.cert0_subject == NULL) {
             return NULL;
         }

         const uint32_t data_len = strlen(ssl_state->server_connp.cert0_subject);
         const uint8_t *data = (uint8_t *)ssl_state->server_connp.cert0_subject;

         InspectionBufferSetup(buffer, data, data_len);
         InspectionBufferApplyTransforms(buffer, transforms);
     }

     return buffer;
 }

 #ifdef UNITTESTS
 #include "tests/detect-tls-cert-subject.c"
 #endif
DetectTlsSubjectRegister
void DetectTlsSubjectRegister(void)
Registration function for keyword: tls.cert_subject.
Definition: detect-tls-cert-subject.c:70

sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1431

SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1170

SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:195

detect-content.h

DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1401

debug.h

DetectEngineTransforms
Definition: detect.h:374

PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:611

SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:249

detect-pcre.h

detect-engine-prefilter.h

InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:869

SigTableElmt_::name
const char * name
Definition: detect.h:1184

util-unittest.h

Signature_
Signature container.
Definition: detect.h:514

decode.h

DetectEngineCtx_
main detection engine ctx
Definition: detect.h:743

flow.h

SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:226

Flow_::alstate
void * alstate
Definition: flow.h:438

DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:696

str
#define str(s)
Definition: suricata-common.h:258

threads.h

SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:243

SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1378

util-debug.h

util-unittest-helper.h

DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:181

detect-engine-mpm.h

suricata-common.h

util-spm.h

detect-engine.h

detect-tls-cert-subject.h

util-print.h

DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1391

DETECT_AL_TLS_CERT_SUBJECT
Definition: detect-engine-register.h:199

SigTableElmt_::desc
const char * desc
Definition: detect.h:1186

app-layer-ssl.h

SigTableElmt_::alias
const char * alias
Definition: detect.h:1185

stream-tcp.h

detect-parse.h

detect-tls-cert-subject.c

InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:928

InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:976

SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1354

flow-util.h

SigTableElmt_::url
const char * url
Definition: detect.h:1187

flow-var.h

DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:808

InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:348

DOC_URL
#define DOC_URL
Definition: suricata.h:86

DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:724

app-layer.h

DetectEngineThreadCtx_
Definition: detect.h:986

DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91

TLS_STATE_CERT_READY
Definition: app-layer-ssl.h:63

SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1178

InspectionBuffer
Definition: detect.h:347

Flow_
Flow data structure.
Definition: flow.h:325

SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1176

ALPROTO_TLS
Definition: app-layer-protos.h:33

DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:90

detect.h