1 /* Copyright (C) 2015-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  * Implements tls certificate validity keywords
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-content.h"
36 #include "detect-pcre.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "stream-tcp.h"
44 
45 #include "app-layer.h"
46 #include "app-layer-ssl.h"
47 
48 #include "util-time.h"
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 
52 /**
 * Option syntax accepted by the tls_cert_notbefore / tls_cert_notafter
 * keywords (the historical short names are kept in the line below):
 *
53  * [tls_notbefore|tls_notafter]:[<|>]<date string>[<><date string>];
 *
 * Capture groups: 1 = optional "<" or ">" mode, 2 = first date,
 * 3 = optional "<>" range marker, 4 = optional second date. The date
 * character class is loose (a ' '..':' range plus 'T', 'W' and digits);
 * the actual date validation happens in DateStringToEpoch().
54  */
55 #define PARSE_REGEX "^\\s*(<|>)?\\s*([ -:TW0-9]+)\\s*(?:(<>)\\s*([ -:TW0-9]+))?\\s*$"
 /* Compiled once by the register function and reused, together with its
  * match data, by every DetectTlsValidityParse() call. Rule parsing is
  * therefore assumed to be single-threaded -- TODO confirm. */
56 static DetectParseRegex parse_regex;
57 
58 static int DetectTlsValidityMatch (DetectEngineThreadCtx *, Flow *,
59  uint8_t, void *, void *, const Signature *,
60  const SigMatchCtx *);
61 
62 static time_t DateStringToEpoch (char *);
63 static DetectTlsValidityData *DetectTlsValidityParse (const char *);
64 static int DetectTlsExpiredSetup (DetectEngineCtx *, Signature *s, const char *str);
65 static int DetectTlsValidSetup (DetectEngineCtx *, Signature *s, const char *str);
66 static int DetectTlsNotBeforeSetup (DetectEngineCtx *, Signature *s, const char *str);
67 static int DetectTlsNotAfterSetup (DetectEngineCtx *, Signature *s, const char *str);
68 static int DetectTlsValiditySetup (DetectEngineCtx *, Signature *s, const char *str, uint8_t);
69 #ifdef UNITTESTS
70 static void TlsNotBeforeRegisterTests(void);
71 static void TlsNotAfterRegisterTests(void);
72 static void TlsExpiredRegisterTests(void);
73 static void TlsValidRegisterTests(void);
74 #endif /* UNITTESTS */
75 static void DetectTlsValidityFree(DetectEngineCtx *, void *);
 /* List/buffer id of "tls_validity": looked up once at registration and
  * used by every Setup function to attach its SigMatch to the signature. */
76 static int g_tls_validity_buffer_id = 0;
77 
78 static int DetectEngineInspectTlsValidity(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
79  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
80  uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
81 
82 /**
83  * \brief Registration function for tls validity keywords.
 *
 * Fills the sigmatch_table entries for tls_cert_notbefore, tls_cert_notafter,
 * tls_cert_expired and tls_cert_valid (name, description, documentation URL,
 * per-transaction match callback, Setup and Free hooks), compiles PARSE_REGEX
 * into the file-scope parse_regex, registers the "tls_validity" app-layer
 * inspection engine at TLS_STATE_CERT_READY and caches that buffer's id in
 * g_tls_validity_buffer_id for the Setup functions.
 *
 * NOTE(review): this rendering omits original lines 85, 94, 104, 113, 115,
 * 124, 126 and 131 (the gutter numbers jump across them). Line 85 is the
 * function signature; the lines inside the UNITTESTS blocks presumably
 * assign the RegisterTests hooks -- confirm against the repository source.
84  */
86 {
87  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].name = "tls_cert_notbefore";
88  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].desc = "match TLS certificate notBefore field";
89  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].url = "/rules/tls-keywords.html#tls-cert-notbefore";
90  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerTxMatch = DetectTlsValidityMatch;
91  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Setup = DetectTlsNotBeforeSetup;
92  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Free = DetectTlsValidityFree;
93 #ifdef UNITTESTS
 /* original line 94 is not present in this rendering */
95 #endif
96 
97  sigmatch_table[DETECT_AL_TLS_NOTAFTER].name = "tls_cert_notafter";
98  sigmatch_table[DETECT_AL_TLS_NOTAFTER].desc = "match TLS certificate notAfter field";
99  sigmatch_table[DETECT_AL_TLS_NOTAFTER].url = "/rules/tls-keywords.html#tls-cert-notafter";
100  sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerTxMatch = DetectTlsValidityMatch;
101  sigmatch_table[DETECT_AL_TLS_NOTAFTER].Setup = DetectTlsNotAfterSetup;
102  sigmatch_table[DETECT_AL_TLS_NOTAFTER].Free = DetectTlsValidityFree;
103 #ifdef UNITTESTS
 /* original line 104 is not present in this rendering */
105 #endif
106 
107  sigmatch_table[DETECT_AL_TLS_EXPIRED].name = "tls_cert_expired";
108  sigmatch_table[DETECT_AL_TLS_EXPIRED].desc = "match expired TLS certificates";
109  sigmatch_table[DETECT_AL_TLS_EXPIRED].url = "/rules/tls-keywords.html#tls-cert-expired";
110  sigmatch_table[DETECT_AL_TLS_EXPIRED].AppLayerTxMatch = DetectTlsValidityMatch;
111  sigmatch_table[DETECT_AL_TLS_EXPIRED].Setup = DetectTlsExpiredSetup;
112  sigmatch_table[DETECT_AL_TLS_EXPIRED].Free = DetectTlsValidityFree;
 /* original line 113 is not present in this rendering */
114 #ifdef UNITTESTS
 /* original line 115 is not present in this rendering */
116 #endif
117 
118  sigmatch_table[DETECT_AL_TLS_VALID].name = "tls_cert_valid";
119  sigmatch_table[DETECT_AL_TLS_VALID].desc = "match valid TLS certificates";
120  sigmatch_table[DETECT_AL_TLS_VALID].url = "/rules/tls-keywords.html#tls-cert-valid";
121  sigmatch_table[DETECT_AL_TLS_VALID].AppLayerTxMatch = DetectTlsValidityMatch;
122  sigmatch_table[DETECT_AL_TLS_VALID].Setup = DetectTlsValidSetup;
123  sigmatch_table[DETECT_AL_TLS_VALID].Free = DetectTlsValidityFree;
 /* original line 124 is not present in this rendering */
125 #ifdef UNITTESTS
 /* original line 126 is not present in this rendering */
127 #endif
128 
 /* Compile the option regex once; DetectTlsValidityParse() reuses
  * parse_regex and its match data for every rule. */
129  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
130 
 /* Original line 131 (the start of the inspect-engine registration call) is
  * not present in this rendering; the line below is the tail of that call.
  * Registering at TLS_STATE_CERT_READY presumably defers inspection until the
  * certificate has been parsed -- confirm against the engine progress values. */
132  TLS_STATE_CERT_READY, DetectEngineInspectTlsValidity, NULL);
133 
134  g_tls_validity_buffer_id = DetectBufferTypeGetByName("tls_validity");
135 }
136 
/**
 * \internal
 * \brief Inspection-engine callback for the "tls_validity" buffer.
 *
 * Forwards the signature's match list (engine->smd) and the transaction to
 * the generic list inspector, which in turn calls DetectTlsValidityMatch()
 * through AppLayerTxMatch.
 *
 * NOTE(review): original line 141, the start of the return statement, is not
 * present in this rendering; the argument list on line 142 matches
 * DetectEngineInspectGenericList() -- confirm against the repository source.
 *
 * \retval result of the generic list inspection.
 */
137 static int DetectEngineInspectTlsValidity(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
138  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
139  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
140 {
142  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
143 }
144 
/**
 * \internal
 * \brief Match callback shared by tls_cert_notbefore, tls_cert_notafter,
 *        tls_cert_expired and tls_cert_valid.
 *
 * Reads the validity field selected by dd->type from the first certificate
 * (cert0) of the side that sent it, then applies the comparison(s) selected
 * by dd->mode. The expired/valid modes compare against the flow's last
 * packet timestamp (f->lastts), not the sensor wall clock, so results are
 * reproducible on replayed traffic.
 *
 * \param det_ctx Detection engine thread context (not used here).
 * \param f       Current flow; only lastts is read.
 * \param flags   Direction flags; STREAM_TOSERVER selects client_connp,
 *                anything else selects server_connp.
 * \param state   SSLState of the flow, may be NULL.
 * \param txv     Transaction (not used here).
 * \param s       Signature being evaluated (not used here).
 * \param ctx     DetectTlsValidityData attached by the keyword's Setup hook.
 *
 * \retval 1 match.
 * \retval 0 no match; also returned when there is no TLS state or the
 *           selected validity field is still 0.
 */
static int DetectTlsValidityMatch (DetectEngineThreadCtx *det_ctx,
        Flow *f, uint8_t flags, void *state,
        void *txv, const Signature *s,
        const SigMatchCtx *ctx)
{
    SCEnter();

    const SSLState *ssl_state = (const SSLState *)state;
    if (ssl_state == NULL) {
        SCLogDebug("no tls state, no match");
        SCReturnInt(0);
    }

    const DetectTlsValidityData *dd = (const DetectTlsValidityData *)ctx;

    /* The certificate is kept on the side that sent it. */
    const SSLStateConnp *connp = (flags & STREAM_TOSERVER)
                                         ? &ssl_state->client_connp
                                         : &ssl_state->server_connp;

    time_t cert_epoch = 0;
    if (dd->type == DETECT_TLS_TYPE_NOTBEFORE) {
        cert_epoch = connp->cert0_not_before;
    } else if (dd->type == DETECT_TLS_TYPE_NOTAFTER) {
        cert_epoch = connp->cert0_not_after;
    }

    /* An unset field (0) never matches. */
    if (cert_epoch == 0) {
        SCReturnInt(0);
    }

    /* Any selected comparison that holds is a match. Note that "<", ">" and
     * the "<>" range are inclusive on the rule-supplied bound(s). */
    if ((dd->mode & DETECT_TLS_VALIDITY_EQ) && cert_epoch == dd->epoch) {
        SCReturnInt(1);
    }
    if ((dd->mode & DETECT_TLS_VALIDITY_LT) && cert_epoch <= dd->epoch) {
        SCReturnInt(1);
    }
    if ((dd->mode & DETECT_TLS_VALIDITY_GT) && cert_epoch >= dd->epoch) {
        SCReturnInt(1);
    }
    if ((dd->mode & DETECT_TLS_VALIDITY_RA) &&
            cert_epoch >= dd->epoch && cert_epoch <= dd->epoch2) {
        SCReturnInt(1);
    }
    /* Reference time for expired/valid is the flow's last packet time. */
    if ((dd->mode & DETECT_TLS_VALIDITY_EX) && f->lastts.tv_sec > cert_epoch) {
        SCReturnInt(1);
    }
    if ((dd->mode & DETECT_TLS_VALIDITY_VA) && f->lastts.tv_sec <= cert_epoch) {
        SCReturnInt(1);
    }

    SCReturnInt(0);
}
211 
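/**
 * \internal
 * \brief Interpret a date string as a raw Unix epoch value.
 *
 * A string is taken to be an epoch when it is non-empty and consists of
 * decimal digits only; anything else (including "2020-01-01" style dates)
 * is reported as "not an epoch" so the caller can try the date patterns.
 * The value is accumulated with an explicit overflow check instead of
 * strtol(), which silently saturates at LONG_MAX on out-of-range input.
 *
 * \param string NUL-terminated date string, already trimmed of whitespace.
 *
 * \retval epoch time (>= 0) on success.
 * \retval -1 when the string is empty, contains a non-digit, or does not
 *            fit in a time_t.
 */
static time_t StringIsEpoch (const char *string)
{
    if (string[0] == '\0')
        return -1;

    unsigned long long value = 0;
    for (const char *sp = string; *sp != '\0'; sp++) {
        /* Cast through unsigned char: isdigit() on a negative plain char
         * (e.g. a UTF-8 byte) is undefined behaviour. */
        if (!isdigit((unsigned char)*sp))
            return -1;

        const unsigned long long digit = (unsigned long long)(*sp - '0');
        /* value * 10 + digit must not wrap; ~0ULL is ULLONG_MAX. */
        if (value > (~0ULL - digit) / 10)
            return -1;
        value = value * 10 + digit;
    }

    /* Reject anything a time_t cannot hold without truncation or sign flip. */
    const time_t epoch = (time_t)value;
    if (epoch < 0 || (unsigned long long)epoch != value)
        return -1;

    return epoch;
}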
236 
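/**
 * \internal
 * \brief Convert a rule-supplied date string to a Unix epoch (UTC).
 *
 * Accepts either a plain decimal epoch or one of the ISO 8601-style patterns
 * listed below; leading and trailing whitespace is ignored. Dates are
 * converted with SCMkTimeUtc(), so the result does not depend on the
 * sensor's local time zone.
 *
 * \param string NUL-terminated date string. Not modified; when it has
 *               trailing whitespace a trimmed copy is made on the stack.
 *
 * \retval epoch on success.
 * \retval -1 when the string is neither an epoch nor a known pattern.
 */
static time_t DateStringToEpoch (char *string)
{
    static const char *patterns[] = {
        /* ISO 8601 */
        "%Y-%m",
        "%Y-%m-%d",
        "%Y-%m-%d %H",
        "%Y-%m-%d %H:%M",
        "%Y-%m-%d %H:%M:%S",
        "%Y-%m-%dT%H",
        "%Y-%m-%dT%H:%M",
        "%Y-%m-%dT%H:%M:%S",
        "%H:%M",
        "%H:%M:%S",
    };
    /* Derived from the table so adding a pattern cannot desynchronise it. */
    const int num_patterns = (int)(sizeof(patterns) / sizeof(patterns[0]));

    /* Skip leading whitespace. Cast through unsigned char: isspace() on a
     * negative plain char is undefined behaviour. */
    while (isspace((unsigned char)*string))
        string++;

    size_t inlen = strlen(string);
    const size_t oldlen = inlen;

    /* Skip trailing whitespace. */
    while (inlen > 0 && isspace((unsigned char)string[inlen - 1]))
        inlen--;

    /* Trimmed copy. The VLA is bounded in practice: the callers pass the
     * fixed 20-byte substring buffers filled by DetectTlsValidityParse(). */
    char tmp[inlen + 1];
    if (inlen < oldlen) {
        strlcpy(tmp, string, inlen + 1);
        string = tmp;
    }

    /* A digits-only string is an epoch already. */
    time_t epoch = StringIsEpoch(string);
    if (epoch != -1)
        return epoch;

    /* Zero-initialised so that fields a pattern does not mention (e.g.
     * tm_mday for "%Y-%m") are defined if the helper leaves them untouched. */
    struct tm tm = { 0 };
    if (SCStringPatternToTime(string, patterns, num_patterns, &tm) != 0)
        return -1;

    return SCMkTimeUtc(&tm);
}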
295 
296 /**
297  * \internal
298  * \brief Function to parse options passed via tls validity keywords.
 *
 * Runs PARSE_REGEX over the option string, copies the optional mode ("<" or
 * ">"), the first date, the optional "<>" range marker and the optional
 * second date into fixed stack buffers, then converts the dates with
 * DateStringToEpoch(). Every substring copy is bounded by sizeof(buffer)
 * through pcre2len, so an over-long date is a parse error, not an overflow.
 * Uses the file-scope parse_regex (compiled at registration) and its match
 * data, so concurrent callers are not expected -- TODO confirm rule loading
 * is single-threaded.
 *
 * NOTE(review): original lines 368, 370, 375, 379, 385, 396 and 406 are not
 * present in this rendering; from context they are the dd->mode assignments
 * and the first line of three SCLogError() calls -- confirm against the
 * repository source.
299  *
300  * \param rawstr Pointer to the user provided options.
301  *
302  * \retval dd pointer to DetectTlsValidityData on success (caller owns it;
 *            dd->type is left for the caller to set).
303  * \retval NULL on failure.
304  */
305 static DetectTlsValidityData *DetectTlsValidityParse (const char *rawstr)
306 {
307  DetectTlsValidityData *dd = NULL;
308  int ret = 0, res = 0;
309  size_t pcre2len;
 /* Sizes bound the pcre2 copies below: 1 char mode, 19 char dates, 2 char
  * range marker, each plus the NUL. */
310  char mode[2] = "";
311  char value1[20] = "";
312  char value2[20] = "";
313  char range[3] = "";
314 
 /* ret appears to be the capture count: 3..5 covers the whole match plus
  * groups 1-2, 1-3 or 1-4. */
315  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
316  if (ret < 3 || ret > 5) {
317  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", rawstr);
318  goto error;
319  }
320 
 /* NOTE(review): group 1 goes through the SC_Pcre2SubstringCopy wrapper
  * while groups 2-4 call pcre2 directly; presumably the wrapper tolerates
  * the unset optional group -- confirm. */
321  pcre2len = sizeof(mode);
322  res = SC_Pcre2SubstringCopy(parse_regex.match, 1, (PCRE2_UCHAR8 *)mode, &pcre2len);
323  if (res < 0) {
324  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
325  goto error;
326  }
327  SCLogDebug("mode \"%s\"", mode);
328 
329  pcre2len = sizeof(value1);
330  res = pcre2_substring_copy_bynumber(parse_regex.match, 2, (PCRE2_UCHAR8 *)value1, &pcre2len);
331  if (res < 0) {
332  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
333  goto error;
334  }
335  SCLogDebug("value1 \"%s\"", value1);
336 
 /* Groups 3 and 4 exist only when the "<>" range form was used. */
337  if (ret > 3) {
338  pcre2len = sizeof(range);
339  res = pcre2_substring_copy_bynumber(parse_regex.match, 3, (PCRE2_UCHAR8 *)range, &pcre2len);
340  if (res < 0) {
341  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
342  goto error;
343  }
344  SCLogDebug("range \"%s\"", range);
345 
346  if (ret > 4) {
347  pcre2len = sizeof(value2);
348  res = pcre2_substring_copy_bynumber(
349  parse_regex.match, 4, (PCRE2_UCHAR8 *)value2, &pcre2len);
350  if (res < 0) {
351  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
352  goto error;
353  }
354  SCLogDebug("value2 \"%s\"", value2);
355  }
356  }
357 
358  dd = SCMalloc(sizeof(DetectTlsValidityData));
359  if (unlikely(dd == NULL))
360  goto error;
361 
 /* SCMalloc does not zero; every field used below is set explicitly. */
362  dd->epoch = 0;
363  dd->epoch2 = 0;
364  dd->mode = 0;
365 
366  if (strlen(mode) > 0) {
367  if (mode[0] == '<')
 /* original line 368 is not present in this rendering */
369  else if (mode[0] == '>')
 /* original line 370 is not present in this rendering */
371  }
372 
373  if (strlen(range) > 0) {
374  if (strcmp("<>", range) == 0)
 /* original line 375 is not present in this rendering */
376  }
377 
 /* "<" / ">" and "<>" are mutually exclusive. */
378  if (strlen(range) != 0 && strlen(mode) != 0) {
 /* original line 379 is not present in this rendering */
380  "Range specified but mode also set");
381  goto error;
382  }
383 
 /* No operator given: presumably defaults to the equality mode (original
  * line 385 is not present in this rendering). */
384  if (dd->mode == 0) {
386  }
387 
388  /* set the first value */
389  dd->epoch = DateStringToEpoch(value1);
390  if (dd->epoch == -1)
391  goto error;
392 
393  /* set the second value if specified */
394  if (strlen(value2) > 0) {
395  if (!(dd->mode & DETECT_TLS_VALIDITY_RA)) {
 /* original line 396 is not present in this rendering */
397  "Multiple tls validity values specified but mode is not range");
398  goto error;
399  }
400 
401  dd->epoch2 = DateStringToEpoch(value2);
402  if (dd->epoch2 == -1)
403  goto error;
404 
 /* NOTE(review): equal bounds are rejected too, although the message only
  * says "smaller". */
405  if (dd->epoch2 <= dd->epoch) {
 /* original line 406 is not present in this rendering */
407  "Second value in range must not be smaller than the first");
408  goto error;
409  }
410  }
411  return dd;
412 
413 error:
414  if (dd)
415  SCFree(dd);
416  return NULL;
417 }
418 
419 /**
420  * \brief Function to add the parsed tls_cert_expired into the current signature.
 *
 * Allocates a zeroed DetectTlsValidityData, links it to a fresh SigMatch and
 * appends that to the signature's tls_validity list. rawstr is only logged
 * here; the keyword carries no value to parse.
 *
 * NOTE(review): original lines 437, 452, 453 and 457 are not present in this
 * rendering (437 is the condition of the early return below; 452/453/457
 * presumably set dd->mode, dd->type and sm->type) -- confirm against the
 * repository source.
421  *
422  * \param de_ctx Pointer to the Detection Engine Context.
423  * \param s Pointer to the Current Signature.
424  * \param rawstr Pointer to the user provided flags options.
425  *
426  * \retval 0 on Success.
427  * \retval -1 on Failure.
428  */
429 static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s,
430  const char *rawstr)
431 {
432  DetectTlsValidityData *dd = NULL;
433  SigMatch *sm = NULL;
434 
435  SCLogDebug("\'%s\'", rawstr);
436 
 /* original line 437 (the condition guarding this return) is not present
  * in this rendering */
438  return -1;
439 
 /* SCCalloc zero-fills, so epoch/epoch2 below are already 0. */
440  dd = SCCalloc(1, sizeof(DetectTlsValidityData));
441  if (dd == NULL) {
442  SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
443  goto error;
444  }
445 
446  /* okay so far so good, lets get this into a SigMatch
447  * and put it in the Signature. */
448  sm = SigMatchAlloc();
449  if (sm == NULL)
450  goto error;
451 
 /* original lines 452 and 453 are not present in this rendering */
454  dd->epoch = 0;
455  dd->epoch2 = 0;
456 
 /* original line 457 is not present in this rendering */
458  sm->ctx = (void *)dd;
459 
460  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
461  return 0;
462 
 /* DetectTlsValidityFree() is NULL-safe, so this path is reached with or
  * without an allocated dd. */
463 error:
464  DetectTlsValidityFree(de_ctx, dd);
465  if (sm)
466  SCFree(sm);
467  return -1;
468 }
469 
470 /**
471  * \brief Function to add the parsed tls_cert_valid into the current signature.
 *
 * Mirror image of DetectTlsExpiredSetup(): allocates a zeroed
 * DetectTlsValidityData, links it to a fresh SigMatch and appends that to the
 * signature's tls_validity list. rawstr is only logged here.
 *
 * NOTE(review): original lines 488, 503, 504 and 508 are not present in this
 * rendering (488 is the condition of the early return below; 503/504/508
 * presumably set dd->mode, dd->type and sm->type) -- confirm against the
 * repository source.
472  *
473  * \param de_ctx Pointer to the Detection Engine Context.
474  * \param s Pointer to the Current Signature.
475  * \param rawstr Pointer to the user provided flags options.
476  *
477  * \retval 0 on Success.
478  * \retval -1 on Failure.
479  */
480 static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s,
481  const char *rawstr)
482 {
483  DetectTlsValidityData *dd = NULL;
484  SigMatch *sm = NULL;
485 
486  SCLogDebug("\'%s\'", rawstr);
487 
 /* original line 488 (the condition guarding this return) is not present
  * in this rendering */
489  return -1;
490 
 /* SCCalloc zero-fills, so epoch/epoch2 below are already 0. */
491  dd = SCCalloc(1, sizeof(DetectTlsValidityData));
492  if (dd == NULL) {
493  SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
494  goto error;
495  }
496 
497  /* okay so far so good, lets get this into a SigMatch
498  * and put it in the Signature. */
499  sm = SigMatchAlloc();
500  if (sm == NULL)
501  goto error;
502 
 /* original lines 503 and 504 are not present in this rendering */
505  dd->epoch = 0;
506  dd->epoch2 = 0;
507 
 /* original line 508 is not present in this rendering */
509  sm->ctx = (void *)dd;
510 
511  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
512  return 0;
513 
 /* DetectTlsValidityFree() is NULL-safe, so this path is reached with or
  * without an allocated dd. */
514 error:
515  DetectTlsValidityFree(de_ctx, dd);
516  if (sm)
517  SCFree(sm);
518  return -1;
519 }
520 
521 /**
522  * \brief Function to add the parsed tls_cert_notbefore into the current signature.
 *
 * Thin wrapper: delegates to DetectTlsValiditySetup() with the notBefore
 * type selector (compare DetectTlsNotAfterSetup() below).
 *
 * NOTE(review): original line 534 -- presumably the declaration of the local
 * `type` used on the following line -- is not present in this rendering.
523  *
524  * \param de_ctx Pointer to the Detection Engine Context.
525  * \param s Pointer to the Current Signature.
526  * \param rawstr Pointer to the user provided flags options.
527  *
528  * \retval 0 on Success.
529  * \retval -1 on Failure.
530  */
531 static int DetectTlsNotBeforeSetup (DetectEngineCtx *de_ctx, Signature *s,
532  const char *rawstr)
533 {
 /* original line 534 is not present in this rendering */
535  int r = DetectTlsValiditySetup(de_ctx, s, rawstr, type);
536 
537  SCReturnInt(r);
538 }
539 
/**
 * \brief Setup callback for the tls_cert_notafter keyword.
 *
 * Thin wrapper that delegates to the shared validity setup with the notAfter
 * type selector, so both date keywords parse and attach their options the
 * same way.
 *
 * \param de_ctx Pointer to the Detection Engine Context.
 * \param s      Pointer to the Current Signature.
 * \param rawstr Pointer to the user provided keyword options.
 *
 * \retval 0 on Success.
 * \retval -1 on Failure.
 */
static int DetectTlsNotAfterSetup (DetectEngineCtx *de_ctx, Signature *s,
        const char *rawstr)
{
    /* Kept in a local: SCReturnInt() may evaluate its argument more than
     * once in debug builds. */
    const int r = DetectTlsValiditySetup(de_ctx, s, rawstr, DETECT_TLS_TYPE_NOTAFTER);
    SCReturnInt(r);
}
558 
559 /**
560  * \brief Function to add the parsed tls validity field into the current signature.
 *
 * Common Setup for tls_cert_notbefore and tls_cert_notafter: parses rawstr
 * with DetectTlsValidityParse(), selects the sigmatch/data type from `type`
 * (any other value is rejected), and appends the SigMatch to the
 * signature's tls_validity list. On any failure both dd and sm are released.
 *
 * NOTE(review): original lines 578, 593-595 and 598-599 are not present in
 * this rendering (578 is the condition of the early return; 593-595 and
 * 598-599 presumably set dd->type and sm->type per branch) -- confirm
 * against the repository source.
561  *
562  * \param de_ctx Pointer to the Detection Engine Context.
563  * \param s Pointer to the Current Signature.
564  * \param rawstr Pointer to the user provided flags options.
565  * \param type Defines if this is notBefore or notAfter.
566  *
567  * \retval 0 on Success.
568  * \retval -1 on Failure.
569  */
570 static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
571  const char *rawstr, uint8_t type)
572 {
573  DetectTlsValidityData *dd = NULL;
574  SigMatch *sm = NULL;
575 
576  SCLogDebug("\'%s\'", rawstr);
577 
 /* original line 578 (the condition guarding this return) is not present
  * in this rendering */
579  return -1;
580 
 /* rawstr comes from the rule file; the parser owns all length checks. */
581  dd = DetectTlsValidityParse(rawstr);
582  if (dd == NULL) {
583  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
584  goto error;
585  }
586 
587  /* okay so far so good, lets get this into a SigMatch
588  * and put it in the Signature. */
589  sm = SigMatchAlloc();
590  if (sm == NULL)
591  goto error;
592 
 /* original lines 593-595 (the notBefore branch) are not present in this
  * rendering */
596  }
597  else if (type == DETECT_TLS_TYPE_NOTAFTER) {
 /* original lines 598 and 599 are not present in this rendering */
600  }
 /* Unknown type selector: fail closed rather than attach a half-set match. */
601  else {
602  goto error;
603  }
604 
605  sm->ctx = (void *)dd;
606 
607  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
608  return 0;
609 
 /* DetectTlsValidityFree() is NULL-safe; sm is freed directly because its
  * ctx has not been attached yet. */
610 error:
611  DetectTlsValidityFree(de_ctx, dd);
612  if (sm)
613  SCFree(sm);
614  return -1;
615 }
616 
617 /**
618  * \internal
619  * \brief Function to free memory associated with DetectTlsValidityData.
 *
 * NULL-safe: the Setup functions call it on their error paths before dd has
 * necessarily been allocated. The definition omits `static`, but the
 * prototype at the top of the file declares it static, so it keeps internal
 * linkage.
 *
 * NOTE(review): original line 625 -- presumably the cast of de_ptr into the
 * local `dd` tested below -- is not present in this rendering.
620  *
 * \param de_ctx Detection Engine Context (not used here).
621  * \param de_ptr Pointer to DetectTlsValidityData.
622  */
623 void DetectTlsValidityFree(DetectEngineCtx *de_ctx, void *de_ptr)
624 {
 /* original line 625 is not present in this rendering */
626  if (dd)
627  SCFree(dd);
628 }
629 
630 #ifdef UNITTESTS
/* original line 631 is not present in this rendering */
632 #endif