suricata
detect-tls-cert-validity.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  * Implements tls certificate validity keywords
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-content.h"
36 #include "detect-pcre.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "stream-tcp.h"
44 
45 #include "app-layer.h"
46 #include "app-layer-ssl.h"
47 
48 #include "util-time.h"
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 
52 /**
53  * [tls_notbefore|tls_notafter]:[<|>]<date string>[<><date string>];
54  */
55 #define PARSE_REGEX "^\\s*(<|>)?\\s*([ -:TW0-9]+)\\s*(?:(<>)\\s*([ -:TW0-9]+))?\\s*$"
56 static DetectParseRegex parse_regex;
57 
58 static int DetectTlsValidityMatch (DetectEngineThreadCtx *, Flow *,
59  uint8_t, void *, void *, const Signature *,
60  const SigMatchCtx *);
61 
62 static time_t DateStringToEpoch (char *);
63 static DetectTlsValidityData *DetectTlsValidityParse (const char *);
64 static int DetectTlsExpiredSetup (DetectEngineCtx *, Signature *s, const char *str);
65 static int DetectTlsValidSetup (DetectEngineCtx *, Signature *s, const char *str);
66 static int DetectTlsNotBeforeSetup (DetectEngineCtx *, Signature *s, const char *str);
67 static int DetectTlsNotAfterSetup (DetectEngineCtx *, Signature *s, const char *str);
68 static int DetectTlsValiditySetup (DetectEngineCtx *, Signature *s, const char *str, uint8_t);
69 #ifdef UNITTESTS
70 static void TlsNotBeforeRegisterTests(void);
71 static void TlsNotAfterRegisterTests(void);
72 static void TlsExpiredRegisterTests(void);
73 static void TlsValidRegisterTests(void);
74 #endif /* UNITTESTS */
75 static void DetectTlsValidityFree(DetectEngineCtx *, void *);
76 static int g_tls_validity_buffer_id = 0;
77 
78 static int DetectEngineInspectTlsValidity(ThreadVars *tv,
80  const Signature *s, const SigMatchData *smd,
81  Flow *f, uint8_t flags, void *alstate,
82  void *txv, uint64_t tx_id);
83 
84 /**
85  * \brief Registration function for tls validity keywords.
86  */
88 {
89  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].name = "tls_cert_notbefore";
90  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].desc = "match TLS certificate notBefore field";
91  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].url = "/rules/tls-keywords.html#tls-cert-notbefore";
92  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerTxMatch = DetectTlsValidityMatch;
93  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Setup = DetectTlsNotBeforeSetup;
94  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Free = DetectTlsValidityFree;
95 #ifdef UNITTESTS
97 #endif
98 
99  sigmatch_table[DETECT_AL_TLS_NOTAFTER].name = "tls_cert_notafter";
100  sigmatch_table[DETECT_AL_TLS_NOTAFTER].desc = "match TLS certificate notAfter field";
101  sigmatch_table[DETECT_AL_TLS_NOTAFTER].url = "/rules/tls-keywords.html#tls-cert-notafter";
102  sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerTxMatch = DetectTlsValidityMatch;
103  sigmatch_table[DETECT_AL_TLS_NOTAFTER].Setup = DetectTlsNotAfterSetup;
104  sigmatch_table[DETECT_AL_TLS_NOTAFTER].Free = DetectTlsValidityFree;
105 #ifdef UNITTESTS
107 #endif
108 
109  sigmatch_table[DETECT_AL_TLS_EXPIRED].name = "tls_cert_expired";
110  sigmatch_table[DETECT_AL_TLS_EXPIRED].desc = "match expired TLS certificates";
111  sigmatch_table[DETECT_AL_TLS_EXPIRED].url = "/rules/tls-keywords.html#tls-cert-expired";
112  sigmatch_table[DETECT_AL_TLS_EXPIRED].AppLayerTxMatch = DetectTlsValidityMatch;
113  sigmatch_table[DETECT_AL_TLS_EXPIRED].Setup = DetectTlsExpiredSetup;
114  sigmatch_table[DETECT_AL_TLS_EXPIRED].Free = DetectTlsValidityFree;
116 #ifdef UNITTESTS
118 #endif
119 
120  sigmatch_table[DETECT_AL_TLS_VALID].name = "tls_cert_valid";
121  sigmatch_table[DETECT_AL_TLS_VALID].desc = "match valid TLS certificates";
122  sigmatch_table[DETECT_AL_TLS_VALID].url = "/rules/tls-keywords.html#tls-cert-valid";
123  sigmatch_table[DETECT_AL_TLS_VALID].AppLayerTxMatch = DetectTlsValidityMatch;
124  sigmatch_table[DETECT_AL_TLS_VALID].Setup = DetectTlsValidSetup;
125  sigmatch_table[DETECT_AL_TLS_VALID].Free = DetectTlsValidityFree;
127 #ifdef UNITTESTS
129 #endif
130 
131  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
132 
135  DetectEngineInspectTlsValidity);
136 
137  g_tls_validity_buffer_id = DetectBufferTypeGetByName("tls_validity");
138 }
139 
140 static int DetectEngineInspectTlsValidity(ThreadVars *tv,
142  const Signature *s, const SigMatchData *smd,
143  Flow *f, uint8_t flags, void *alstate,
144  void *txv, uint64_t tx_id)
145 {
146  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
147  f, flags, alstate, txv, tx_id);
148 }
149 /**
150  * \internal
151  * \brief Function to match validity field in a tls certificate.
152  *
153  * \param t Pointer to thread vars.
154  * \param det_ctx Pointer to the pattern matcher thread.
155  * \param f Pointer to the current flow.
156  * \param flags Flags.
157  * \param state App layer state.
158  * \param s Pointer to the Signature.
159  * \param m Pointer to the sigmatch that we will cast into
160  * DetectTlsValidityData.
161  *
162  * \retval 0 no match.
163  * \retval 1 match.
164  */
165 static int DetectTlsValidityMatch (DetectEngineThreadCtx *det_ctx,
166  Flow *f, uint8_t flags, void *state,
167  void *txv, const Signature *s,
168  const SigMatchCtx *ctx)
169 {
170  SCEnter();
171 
172  SSLState *ssl_state = (SSLState *)state;
173  if (ssl_state == NULL) {
174  SCLogDebug("no tls state, no match");
175  SCReturnInt(0);
176  }
177 
178  int ret = 0;
179 
180  SSLStateConnp *connp = NULL;
181  if (flags & STREAM_TOSERVER)
182  connp = &ssl_state->client_connp;
183  else
184  connp = &ssl_state->server_connp;
185 
186  const DetectTlsValidityData *dd = (const DetectTlsValidityData *)ctx;
187 
188  time_t cert_epoch = 0;
189  if (dd->type == DETECT_TLS_TYPE_NOTBEFORE)
190  cert_epoch = connp->cert0_not_before;
191  else if (dd->type == DETECT_TLS_TYPE_NOTAFTER)
192  cert_epoch = connp->cert0_not_after;
193 
194  if (cert_epoch == 0)
195  SCReturnInt(0);
196 
197  if ((dd->mode & DETECT_TLS_VALIDITY_EQ) && cert_epoch == dd->epoch)
198  ret = 1;
199  else if ((dd->mode & DETECT_TLS_VALIDITY_LT) && cert_epoch <= dd->epoch)
200  ret = 1;
201  else if ((dd->mode & DETECT_TLS_VALIDITY_GT) && cert_epoch >= dd->epoch)
202  ret = 1;
203  else if ((dd->mode & DETECT_TLS_VALIDITY_RA) &&
204  cert_epoch >= dd->epoch && cert_epoch <= dd->epoch2)
205  ret = 1;
206  else if ((dd->mode & DETECT_TLS_VALIDITY_EX) &&
207  f->lastts.tv_sec > cert_epoch)
208  ret = 1;
209  else if ((dd->mode & DETECT_TLS_VALIDITY_VA) &&
210  f->lastts.tv_sec <= cert_epoch)
211  ret = 1;
212 
213  SCReturnInt(ret);
214 }
215 
216 /**
217  * \internal
218  * \brief Function to check if string is epoch.
219  *
220  * \param string Date string.
221  *
222  * \retval epoch time on success.
223  * \retval 0 on failure.
224  */
225 static time_t StringIsEpoch (char *string)
226 {
227  if (strlen(string) == 0)
228  return -1;
229 
230  /* We assume that the date string is epoch if it consists of only
231  digits. */
232  char *sp = string;
233  while (*sp) {
234  if (isdigit(*sp++) == 0)
235  return -1;
236  }
237 
238  return strtol(string, NULL, 10);
239 }
240 
241 /**
242  * \internal
243  * \brief Function to convert date string to epoch.
244  *
245  * \param string Date string.
246  *
247  * \retval epoch on success.
248  * \retval 0 on failure.
249  */
250 static time_t DateStringToEpoch (char *string)
251 {
252  int r = 0;
253  struct tm tm;
254  const char *patterns[] = {
255  /* ISO 8601 */
256  "%Y-%m",
257  "%Y-%m-%d",
258  "%Y-%m-%d %H",
259  "%Y-%m-%d %H:%M",
260  "%Y-%m-%d %H:%M:%S",
261  "%Y-%m-%dT%H",
262  "%Y-%m-%dT%H:%M",
263  "%Y-%m-%dT%H:%M:%S",
264  "%H:%M",
265  "%H:%M:%S",
266  };
267 
268  /* Skip leading whitespace. */
269  while (isspace(*string))
270  string++;
271 
272  size_t inlen, oldlen;
273 
274  oldlen = inlen = strlen(string);
275 
276  /* Skip trailing whitespace */
277  while (inlen > 0 && isspace(string[inlen - 1]))
278  inlen--;
279 
280  char tmp[inlen + 1];
281 
282  if (inlen < oldlen) {
283  strlcpy(tmp, string, inlen + 1);
284  string = tmp;
285  }
286 
287  time_t epoch = StringIsEpoch(string);
288  if (epoch != -1) {
289  return epoch;;
290  }
291 
292  r = SCStringPatternToTime(string, patterns, 10, &tm);
293 
294  if (r != 0)
295  return -1;
296 
297  return SCMkTimeUtc(&tm);
298 }
299 
300 /**
301  * \internal
302  * \brief Function to parse options passed via tls validity keywords.
303  *
304  * \param rawstr Pointer to the user provided options.
305  *
306  * \retval dd pointer to DetectTlsValidityData on success.
307  * \retval NULL on failure.
308  */
309 static DetectTlsValidityData *DetectTlsValidityParse (const char *rawstr)
310 {
311  DetectTlsValidityData *dd = NULL;
312  int ret = 0, res = 0;
313  int ov[MAX_SUBSTRINGS];
314  char mode[2] = "";
315  char value1[20] = "";
316  char value2[20] = "";
317  char range[3] = "";
318 
319  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
320  if (ret < 3 || ret > 5) {
321  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", rawstr);
322  goto error;
323  }
324 
325  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, mode,
326  sizeof(mode));
327  if (res < 0) {
328  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
329  goto error;
330  }
331  SCLogDebug("mode \"%s\"", mode);
332 
333  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, value1,
334  sizeof(value1));
335  if (res < 0) {
336  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
337  goto error;
338  }
339  SCLogDebug("value1 \"%s\"", value1);
340 
341  if (ret > 3) {
342  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3,
343  range, sizeof(range));
344  if (res < 0) {
345  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
346  goto error;
347  }
348  SCLogDebug("range \"%s\"", range);
349 
350  if (ret > 4) {
351  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4,
352  value2, sizeof(value2));
353  if (res < 0) {
355  "pcre_copy_substring failed");
356  goto error;
357  }
358  SCLogDebug("value2 \"%s\"", value2);
359  }
360  }
361 
362  dd = SCMalloc(sizeof(DetectTlsValidityData));
363  if (unlikely(dd == NULL))
364  goto error;
365 
366  dd->epoch = 0;
367  dd->epoch2 = 0;
368  dd->mode = 0;
369 
370  if (strlen(mode) > 0) {
371  if (mode[0] == '<')
373  else if (mode[0] == '>')
375  }
376 
377  if (strlen(range) > 0) {
378  if (strcmp("<>", range) == 0)
380  }
381 
382  if (strlen(range) != 0 && strlen(mode) != 0) {
384  "Range specified but mode also set");
385  goto error;
386  }
387 
388  if (dd->mode == 0) {
390  }
391 
392  /* set the first value */
393  dd->epoch = DateStringToEpoch(value1);
394  if (dd->epoch == -1)
395  goto error;
396 
397  /* set the second value if specified */
398  if (strlen(value2) > 0) {
399  if (!(dd->mode & DETECT_TLS_VALIDITY_RA)) {
401  "Multiple tls validity values specified but mode is not range");
402  goto error;
403  }
404 
405  dd->epoch2 = DateStringToEpoch(value2);
406  if (dd->epoch2 == -1)
407  goto error;
408 
409  if (dd->epoch2 <= dd->epoch) {
411  "Second value in range must not be smaller than the first");
412  goto error;
413  }
414  }
415  return dd;
416 
417 error:
418  if (dd)
419  SCFree(dd);
420  return NULL;
421 }
422 
423 /**
424  * \brief Function to add the parsed tls_cert_expired into the current signature.
425  *
426  * \param de_ctx Pointer to the Detection Engine Context.
427  * \param s Pointer to the Current Signature.
428  * \param rawstr Pointer to the user provided flags options.
429  *
430  * \retval 0 on Success.
431  * \retval -1 on Failure.
432  */
433 static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s,
434  const char *rawstr)
435 {
436  DetectTlsValidityData *dd = NULL;
437  SigMatch *sm = NULL;
438 
439  SCLogDebug("\'%s\'", rawstr);
440 
442  return -1;
443 
444  dd = SCCalloc(1, sizeof(DetectTlsValidityData));
445  if (dd == NULL) {
446  SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
447  goto error;
448  }
449 
450  /* okay so far so good, lets get this into a SigMatch
451  * and put it in the Signature. */
452  sm = SigMatchAlloc();
453  if (sm == NULL)
454  goto error;
455 
458  dd->epoch = 0;
459  dd->epoch2 = 0;
460 
462  sm->ctx = (void *)dd;
463 
464  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
465  return 0;
466 
467 error:
468  DetectTlsValidityFree(de_ctx, dd);
469  if (sm)
470  SCFree(sm);
471  return -1;
472 }
473 
474 /**
475  * \brief Function to add the parsed tls_cert_valid into the current signature.
476  *
477  * \param de_ctx Pointer to the Detection Engine Context.
478  * \param s Pointer to the Current Signature.
479  * \param rawstr Pointer to the user provided flags options.
480  *
481  * \retval 0 on Success.
482  * \retval -1 on Failure.
483  */
484 static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s,
485  const char *rawstr)
486 {
487  DetectTlsValidityData *dd = NULL;
488  SigMatch *sm = NULL;
489 
490  SCLogDebug("\'%s\'", rawstr);
491 
493  return -1;
494 
495  dd = SCCalloc(1, sizeof(DetectTlsValidityData));
496  if (dd == NULL) {
497  SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
498  goto error;
499  }
500 
501  /* okay so far so good, lets get this into a SigMatch
502  * and put it in the Signature. */
503  sm = SigMatchAlloc();
504  if (sm == NULL)
505  goto error;
506 
509  dd->epoch = 0;
510  dd->epoch2 = 0;
511 
513  sm->ctx = (void *)dd;
514 
515  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
516  return 0;
517 
518 error:
519  DetectTlsValidityFree(de_ctx, dd);
520  if (sm)
521  SCFree(sm);
522  return -1;
523 }
524 
525 /**
526  * \brief Function to add the parsed tls_notbefore into the current signature.
527  *
528  * \param de_ctx Pointer to the Detection Engine Context.
529  * \param s Pointer to the Current Signature.
530  * \param rawstr Pointer to the user provided flags options.
531  *
532  * \retval 0 on Success.
533  * \retval -1 on Failure.
534  */
535 static int DetectTlsNotBeforeSetup (DetectEngineCtx *de_ctx, Signature *s,
536  const char *rawstr)
537 {
539  int r = DetectTlsValiditySetup(de_ctx, s, rawstr, type);
540 
541  SCReturnInt(r);
542 }
543 
544 /**
545  * \brief Function to add the parsed tls_notafter into the current signature.
546  *
547  * \param de_ctx Pointer to the Detection Engine Context.
548  * \param s Pointer to the Current Signature.
549  * \param rawstr Pointer to the user provided flags options.
550  *
551  * \retval 0 on Success.
552  * \retval -1 on Failure.
553  */
554 static int DetectTlsNotAfterSetup (DetectEngineCtx *de_ctx, Signature *s,
555  const char *rawstr)
556 {
557  uint8_t type = DETECT_TLS_TYPE_NOTAFTER;
558  int r = DetectTlsValiditySetup(de_ctx, s, rawstr, type);
559 
560  SCReturnInt(r);
561 }
562 
563 /**
564  * \brief Function to add the parsed tls validity field into the current signature.
565  *
566  * \param de_ctx Pointer to the Detection Engine Context.
567  * \param s Pointer to the Current Signature.
568  * \param rawstr Pointer to the user provided flags options.
569  * \param type Defines if this is notBefore or notAfter.
570  *
571  * \retval 0 on Success.
572  * \retval -1 on Failure.
573  */
574 static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
575  const char *rawstr, uint8_t type)
576 {
577  DetectTlsValidityData *dd = NULL;
578  SigMatch *sm = NULL;
579 
580  SCLogDebug("\'%s\'", rawstr);
581 
583  return -1;
584 
585  dd = DetectTlsValidityParse(rawstr);
586  if (dd == NULL) {
587  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
588  goto error;
589  }
590 
591  /* okay so far so good, lets get this into a SigMatch
592  * and put it in the Signature. */
593  sm = SigMatchAlloc();
594  if (sm == NULL)
595  goto error;
596 
600  }
601  else if (type == DETECT_TLS_TYPE_NOTAFTER) {
604  }
605  else {
606  goto error;
607  }
608 
609  sm->ctx = (void *)dd;
610 
611  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
612  return 0;
613 
614 error:
615  DetectTlsValidityFree(de_ctx, dd);
616  if (sm)
617  SCFree(sm);
618  return -1;
619 }
620 
621 /**
622  * \internal
623  * \brief Function to free memory associated with DetectTlsValidityData.
624  *
625  * \param de_ptr Pointer to DetectTlsValidityData.
626  */
627 void DetectTlsValidityFree(DetectEngineCtx *de_ctx, void *de_ptr)
628 {
630  if (dd)
631  SCFree(dd);
632 }
633 
634 #ifdef UNITTESTS
636 #endif
DETECT_AL_TLS_EXPIRED
@ DETECT_AL_TLS_EXPIRED
Definition: detect-engine-register.h:112
SSLStateConnp_::cert0_not_before
time_t cert0_not_before
Definition: app-layer-ssl.h:205
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1480
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:233
detect-content.h
DetectTlsValidityData_::type
uint8_t type
Definition: detect-tls-cert-validity.h:45
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
DETECT_TLS_TYPE_NOTAFTER
#define DETECT_TLS_TYPE_NOTAFTER
Definition: detect-tls-cert-validity.h:39
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1211
stream-tcp.h
detect-tls-cert-validity.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:250
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
DETECT_TLS_VALIDITY_EQ
#define DETECT_TLS_VALIDITY_EQ
Definition: detect-tls-cert-validity.h:27
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
TlsNotBeforeRegisterTests
void TlsNotBeforeRegisterTests(void)
Register unit tests for tls_cert_notbefore.
Definition: detect-tls-cert-validity.c:1330
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-tls-cert-validity.c:55
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:251
SSLStateConnp_
Definition: app-layer-ssl.h:179
TlsNotAfterRegisterTests
void TlsNotAfterRegisterTests(void)
Register unit tests for tls_cert_notafter.
Definition: detect-tls-cert-validity.c:1350
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
SCMkTimeUtc
time_t SCMkTimeUtc(struct tm *tp)
Convert broken-down time to seconds since Unix epoch.
Definition: util-time.c:448
DETECT_TLS_VALIDITY_RA
#define DETECT_TLS_VALIDITY_RA
Definition: detect-tls-cert-validity.h:30
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1182
DetectTlsValidityRegister
void DetectTlsValidityRegister(void)
Registration function for tls validity keywords.
Definition: detect-tls-cert-validity.c:87
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
SigMatchData_
Data needed for Match()
Definition: detect.h:329
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
detect-pcre.h
util-unittest.h
util-unittest-helper.h
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1596
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:880
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SSLStateConnp_::cert0_not_after
time_t cert0_not_after
Definition: app-layer-ssl.h:206
decode.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
type
uint8_t type
Definition: decode-icmpv4.h:0
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
TLS_STATE_CERT_READY
@ TLS_STATE_CERT_READY
Definition: app-layer-ssl.h:70
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectTlsValidityData_
Definition: detect-tls-cert-validity.h:41
util-time.h
DetectTlsValidityData_::mode
uint8_t mode
Definition: detect-tls-cert-validity.h:44
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
detect-tls-cert-validity.c
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECT_AL_TLS_NOTAFTER
@ DETECT_AL_TLS_NOTAFTER
Definition: detect-engine-register.h:111
SigMatch_::type
uint8_t type
Definition: detect.h:321
Flow_::lastts
struct timeval lastts
Definition: flow.h:404
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
flags
uint8_t flags
Definition: decode-gre.h:0
DETECT_TLS_VALIDITY_LT
#define DETECT_TLS_VALIDITY_LT
Definition: detect-tls-cert-validity.h:28
suricata-common.h
DETECT_TLS_VALIDITY_EX
#define DETECT_TLS_VALIDITY_EX
Definition: detect-tls-cert-validity.h:33
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
DetectTlsValidityData_::epoch2
time_t epoch2
Definition: detect-tls-cert-validity.h:43
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DETECT_TLS_VALIDITY_GT
#define DETECT_TLS_VALIDITY_GT
Definition: detect-tls-cert-validity.h:29
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
DETECT_TLS_VALIDITY_VA
#define DETECT_TLS_VALIDITY_VA
Definition: detect-tls-cert-validity.h:36
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
str
#define str(s)
Definition: suricata-common.h:273
SCFree
#define SCFree(p)
Definition: util-mem.h:61
TlsValidRegisterTests
void TlsValidRegisterTests(void)
Register unit tests for tls_cert_valid.
Definition: detect-tls-cert-validity.c:1376
DetectTlsValidityData_::epoch
time_t epoch
Definition: detect-tls-cert-validity.h:42
DETECT_TLS_TYPE_NOTBEFORE
#define DETECT_TLS_TYPE_NOTBEFORE
Definition: detect-tls-cert-validity.h:38
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
DETECT_AL_TLS_NOTBEFORE
@ DETECT_AL_TLS_NOTBEFORE
Definition: detect-engine-register.h:110
DETECT_AL_TLS_VALID
@ DETECT_AL_TLS_VALID
Definition: detect-engine-register.h:113
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1380
SCStringPatternToTime
int SCStringPatternToTime(char *string, const char **patterns, int num_patterns, struct tm *tp)
Parse a date string based on specified patterns.
Definition: util-time.c:491
flow.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:171
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
app-layer-ssl.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
TlsExpiredRegisterTests
void TlsExpiredRegisterTests(void)
Register unit tests for tls_cert_expired.
Definition: detect-tls-cert-validity.c:1368
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
app-layer.h