suricata
detect-tls-certs.c
Go to the documentation of this file.
1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  * Implements support for tls.certs keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
37 #include "detect-content.h"
38 #include "detect-pcre.h"
39 #include "detect-tls-certs.h"
40 
41 #include "flow.h"
42 #include "flow-util.h"
43 #include "flow-var.h"
44 
45 #include "util-debug.h"
46 #include "util-unittest.h"
47 #include "util-spm.h"
48 #include "util-print.h"
49 
50 #include "stream-tcp.h"
51 
52 #include "app-layer.h"
53 #include "app-layer-ssl.h"
54 
55 #include "util-unittest.h"
56 #include "util-unittest-helper.h"
57 
58 static int DetectTlsCertsSetup(DetectEngineCtx *, Signature *, const char *);
59 #ifdef UNITTESTS
60 static void DetectTlsCertsRegisterTests(void);
61 #endif
62 static int DetectEngineInspectTlsCerts(DetectEngineCtx *de_ctx,
63  DetectEngineThreadCtx *det_ctx,
64  const DetectEngineAppInspectionEngine *engine,
65  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv,
66  uint64_t tx_id);
67 static int PrefilterMpmTlsCertsRegister(DetectEngineCtx *de_ctx,
68  SigGroupHead *sgh, MpmCtx *mpm_ctx,
69  const DetectBufferMpmRegistery *mpm_reg, int list_id);
70 
71 static int g_tls_certs_buffer_id = 0;
72 
74  int local_id; /**< used as index into thread inspect array */
76 };
77 
78 typedef struct PrefilterMpmTlsCerts {
79  int list_id;
80  const MpmCtx *mpm_ctx;
83 
84 /**
85  * \brief Registration function for keyword: tls.certs
86  */
88 {
90  sigmatch_table[DETECT_AL_TLS_CERTS].desc = "content modifier to match the TLS certificate sticky buffer";
91  sigmatch_table[DETECT_AL_TLS_CERTS].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-certs";
92  sigmatch_table[DETECT_AL_TLS_CERTS].Setup = DetectTlsCertsSetup;
93 #ifdef UNITTESTS
94  sigmatch_table[DETECT_AL_TLS_CERTS].RegisterTests = DetectTlsCertsRegisterTests;
95 #endif
98 
101  DetectEngineInspectTlsCerts, NULL);
102 
104  PrefilterMpmTlsCertsRegister, NULL, ALPROTO_TLS,
106 
107  DetectBufferTypeSetDescriptionByName("tls.certs", "TLS certificate");
108 
109  g_tls_certs_buffer_id = DetectBufferTypeGetByName("tls.certs");
110 }
111 
112 /**
113  * \brief This function setup the tls.certs modifier keyword
114  *
115  * \param de_ctx Pointer to the Detect Engine Context
116  * \param s Pointer to the Signature to which the keyword belongs
117  * \param str Should hold an empty string always
118  *
119  * \retval 0 On success
120  * \retval -1 On failure
121  */
122 static int DetectTlsCertsSetup(DetectEngineCtx *de_ctx, Signature *s,
123  const char *str)
124 {
125  if (DetectBufferSetActiveList(s, g_tls_certs_buffer_id) < 0)
126  return -1;
127 
129  return -1;
130 
131  return 0;
132 }
133 
134 static InspectionBuffer *TlsCertsGetData(DetectEngineThreadCtx *det_ctx,
135  const DetectEngineTransforms *transforms, Flow *f,
136  struct TlsCertsGetDataArgs *cbdata, int list_id)
137 {
138  SCEnter();
139 
142  if (buffer == NULL)
143  return NULL;
144 
145  const SSLState *ssl_state = (SSLState *)f->alstate;
146 
147  if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
148  return NULL;
149  }
150 
151  if (cbdata->cert == NULL) {
152  cbdata->cert = TAILQ_FIRST(&ssl_state->server_connp.certs);
153  } else {
154  cbdata->cert = TAILQ_NEXT(cbdata->cert, next);
155  }
156 
157  if (cbdata->cert == NULL) {
158  return NULL;
159  }
160 
161  InspectionBufferSetup(buffer, cbdata->cert->cert_data,
162  cbdata->cert->cert_len);
163  InspectionBufferApplyTransforms(buffer, transforms);
164 
165  SCReturnPtr(buffer, "InspectionBuffer");
166 }
167 
168 static int DetectEngineInspectTlsCerts(DetectEngineCtx *de_ctx,
169  DetectEngineThreadCtx *det_ctx,
170  const DetectEngineAppInspectionEngine *engine,
171  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv,
172  uint64_t tx_id)
173 {
174  const DetectEngineTransforms *transforms = NULL;
175  if (!engine->mpm) {
176  transforms = engine->v2.transforms;
177  }
178 
179  struct TlsCertsGetDataArgs cbdata = { 0, NULL };
180 
181  while (1)
182  {
183  InspectionBuffer *buffer = TlsCertsGetData(det_ctx, transforms, f,
184  &cbdata, engine->sm_list);
185  if (buffer == NULL || buffer->inspect == NULL)
186  break;
187 
188  det_ctx->buffer_offset = 0;
189  det_ctx->discontinue_matching = 0;
190  det_ctx->inspection_recursion_counter = 0;
191 
192  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
193  NULL, f, (uint8_t *)buffer->inspect,
194  buffer->inspect_len,
197  if (match == 1) {
199  }
200 
201  cbdata.local_id++;
202  }
203 
205 }
206 
207 static void PrefilterTxTlsCerts(DetectEngineThreadCtx *det_ctx,
208  const void *pectx, Packet *p, Flow *f, void *txv,
209  const uint64_t idx, const uint8_t flags)
210 {
211  SCEnter();
212 
213  const PrefilterMpmTlsCerts *ctx = (const PrefilterMpmTlsCerts *)pectx;
214  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
215  const int list_id = ctx->list_id;
216 
217  struct TlsCertsGetDataArgs cbdata = { 0, NULL };
218 
219  while (1)
220  {
221  InspectionBuffer *buffer = TlsCertsGetData(det_ctx, ctx->transforms,
222  f, &cbdata, list_id);
223  if (buffer == NULL)
224  break;
225 
226  if (buffer->inspect_len >= mpm_ctx->minlen) {
227  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
228  &det_ctx->mtcu, &det_ctx->pmq,
229  buffer->inspect, buffer->inspect_len);
230  }
231 
232  cbdata.local_id++;
233  }
234 }
235 
236 static void PrefilterMpmTlsCertsFree(void *ptr)
237 {
238  SCFree(ptr);
239 }
240 
241 static int PrefilterMpmTlsCertsRegister(DetectEngineCtx *de_ctx,
242  SigGroupHead *sgh, MpmCtx *mpm_ctx,
243  const DetectBufferMpmRegistery *mpm_reg, int list_id)
244 {
245  PrefilterMpmTlsCerts *pectx = SCCalloc(1, sizeof(*pectx));
246  if (pectx == NULL)
247  return -1;
248 
249  pectx->list_id = list_id;
250  pectx->mpm_ctx = mpm_ctx;
251  pectx->transforms = &mpm_reg->transforms;
252 
253  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxTlsCerts,
254  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
255  pectx, PrefilterMpmTlsCertsFree, mpm_reg->name);
256 }
257 
258 #ifdef UNITTESTS
259 #include "tests/detect-tls-certs.c"
260 #endif
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1439
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1179
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
#define TAILQ_FIRST(head)
Definition: queue.h:339
uint16_t minlen
Definition: util-mpm.h:99
struct PrefilterMpmTlsCerts PrefilterMpmTlsCerts
struct HtpBodyChunk_ * next
uint16_t discontinue_matching
Definition: detect.h:1060
DetectEngineTransforms transforms
Definition: detect.h:613
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
SSLStateConnp server_connp
Container for matching data for a signature group.
Definition: detect.h:1329
uint32_t buffer_offset
Definition: detect.h:1025
const char * name
Definition: detect.h:1193
Signature container.
Definition: detect.h:517
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
struct DetectEngineAppInspectionEngine_::@92 v2
main detection engine ctx
Definition: detect.h:756
const DetectEngineTransforms * transforms
SSLv[2.0|3.[0|1|2|3]] state structure.
void * alstate
Definition: flow.h:438
int DetectBufferTypeGetByName(const char *name)
#define str(s)
#define SCCalloc(nm, a)
Definition: util-mem.h:253
#define SIG_FLAG_TOCLIENT
Definition: detect.h:233
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1386
#define DETECT_ENGINE_INSPECT_SIG_MATCH
uint64_t inspect_offset
Definition: detect.h:339
const MpmCtx * mpm_ctx
uint8_t mpm_type
Definition: util-mpm.h:90
one time registration of keywords at start up
Definition: detect.h:600
#define SCEnter(...)
Definition: util-debug.h:337
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
PrefilterRuleStore pmq
Definition: detect.h:1095
const char * desc
Definition: detect.h:1195
void DetectTlsCertsRegister(void)
Registration function for keyword: tls.certs.
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.h:169
#define SCFree(a)
Definition: util-mem.h:322
uint32_t cert_len
uint16_t tx_id
struct DetectBufferMpmRegistery_::@94::@96 app_v2
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
MpmThreadCtx mtcu
Definition: detect.h:1093
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
uint8_t * cert_data
#define SIGMATCH_NOOPT
Definition: detect.h:1362
const char * url
Definition: detect.h:1196
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
InspectionBufferMultipleForList * InspectionBufferGetMulti(DetectEngineThreadCtx *det_ctx, const int list_id)
int inspection_recursion_counter
Definition: detect.h:1072
#define DETECT_CI_FLAGS_SINGLE
uint32_t inspect_len
Definition: detect.h:340
int DetectBufferSetActiveList(Signature *s, const int list)
const uint8_t * inspect
Definition: detect.h:338
#define DOC_URL
Definition: suricata.h:86
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
#define TAILQ_NEXT(elm, field)
Definition: queue.h:341
SSLCertsChain * cert
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:162
#define TAILQ_EMPTY(head)
Definition: queue.h:347
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
#define DOC_VERSION
Definition: suricata.h:91
InspectionBuffer * InspectionBufferMultipleForListGet(InspectionBufferMultipleForList *fb, uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
uint16_t flags
Definition: detect.h:1187
const char * name
Definition: detect.h:601
Flow data structure.
Definition: flow.h:325
void(* RegisterTests)(void)
Definition: detect.h:1185
const DetectEngineTransforms * transforms
Definition: detect.h:411