suricata
detect-tls-certs.c
Go to the documentation of this file.
1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  * Implements support for tls.certs keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
37 #include "detect-content.h"
38 #include "detect-pcre.h"
39 #include "detect-tls-certs.h"
40 
41 #include "flow.h"
42 #include "flow-util.h"
43 #include "flow-var.h"
44 
45 #include "util-debug.h"
46 #include "util-unittest.h"
47 #include "util-spm.h"
48 #include "util-print.h"
49 
50 #include "stream-tcp.h"
51 
52 #include "app-layer.h"
53 #include "app-layer-ssl.h"
54 
55 #include "util-unittest.h"
56 #include "util-unittest-helper.h"
57 
58 static int DetectTlsCertsSetup(DetectEngineCtx *, Signature *, const char *);
59 #ifdef UNITTESTS
60 static void DetectTlsCertsRegisterTests(void);
61 #endif
62 static int DetectEngineInspectTlsCerts(DetectEngineCtx *de_ctx,
63  DetectEngineThreadCtx *det_ctx,
64  const DetectEngineAppInspectionEngine *engine,
65  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv,
66  uint64_t tx_id);
67 static int PrefilterMpmTlsCertsRegister(DetectEngineCtx *de_ctx,
68  SigGroupHead *sgh, MpmCtx *mpm_ctx,
69  const DetectBufferMpmRegistery *mpm_reg, int list_id);
70 
71 static int g_tls_certs_buffer_id = 0;
72 
74  uint32_t local_id; /**< used as index into thread inspect array */
76 };
77 
78 typedef struct PrefilterMpmTlsCerts {
79  int list_id;
80  const MpmCtx *mpm_ctx;
83 
84 /**
85  * \brief Registration function for keyword: tls.certs
86  */
88 {
90  sigmatch_table[DETECT_AL_TLS_CERTS].desc = "content modifier to match the TLS certificate sticky buffer";
91  sigmatch_table[DETECT_AL_TLS_CERTS].url = "/rules/tls-keywords.html#tls-certs";
92  sigmatch_table[DETECT_AL_TLS_CERTS].Setup = DetectTlsCertsSetup;
93 #ifdef UNITTESTS
94  sigmatch_table[DETECT_AL_TLS_CERTS].RegisterTests = DetectTlsCertsRegisterTests;
95 #endif
98 
101  DetectEngineInspectTlsCerts, NULL);
102 
104  PrefilterMpmTlsCertsRegister, NULL, ALPROTO_TLS,
106 
107  DetectBufferTypeSetDescriptionByName("tls.certs", "TLS certificate");
108 
109  g_tls_certs_buffer_id = DetectBufferTypeGetByName("tls.certs");
110 }
111 
112 /**
113  * \brief This function setup the tls.certs modifier keyword
114  *
115  * \param de_ctx Pointer to the Detect Engine Context
116  * \param s Pointer to the Signature to which the keyword belongs
117  * \param str Should hold an empty string always
118  *
119  * \retval 0 On success
120  * \retval -1 On failure
121  */
122 static int DetectTlsCertsSetup(DetectEngineCtx *de_ctx, Signature *s,
123  const char *str)
124 {
125  if (DetectBufferSetActiveList(s, g_tls_certs_buffer_id) < 0)
126  return -1;
127 
129  return -1;
130 
131  return 0;
132 }
133 
134 static InspectionBuffer *TlsCertsGetData(DetectEngineThreadCtx *det_ctx,
135  const DetectEngineTransforms *transforms, Flow *f,
136  struct TlsCertsGetDataArgs *cbdata, int list_id)
137 {
138  SCEnter();
139 
140  InspectionBuffer *buffer =
141  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
142  if (buffer == NULL)
143  return NULL;
144 
145  const SSLState *ssl_state = (SSLState *)f->alstate;
146 
147  if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
148  return NULL;
149  }
150 
151  if (cbdata->cert == NULL) {
152  cbdata->cert = TAILQ_FIRST(&ssl_state->server_connp.certs);
153  } else {
154  cbdata->cert = TAILQ_NEXT(cbdata->cert, next);
155  }
156  if (cbdata->cert == NULL) {
157  return NULL;
158  }
159 
160  InspectionBufferSetupMulti(buffer, transforms, cbdata->cert->cert_data, cbdata->cert->cert_len);
161 
162  SCReturnPtr(buffer, "InspectionBuffer");
163 }
164 
165 static int DetectEngineInspectTlsCerts(DetectEngineCtx *de_ctx,
166  DetectEngineThreadCtx *det_ctx,
167  const DetectEngineAppInspectionEngine *engine,
168  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv,
169  uint64_t tx_id)
170 {
171  const DetectEngineTransforms *transforms = NULL;
172  if (!engine->mpm) {
173  transforms = engine->v2.transforms;
174  }
175 
176  struct TlsCertsGetDataArgs cbdata = { 0, NULL };
177 
178  while (1)
179  {
180  InspectionBuffer *buffer = TlsCertsGetData(det_ctx, transforms, f,
181  &cbdata, engine->sm_list);
182  if (buffer == NULL || buffer->inspect == NULL)
183  break;
184 
185  det_ctx->buffer_offset = 0;
186  det_ctx->discontinue_matching = 0;
187  det_ctx->inspection_recursion_counter = 0;
188 
189  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
190  NULL, f, (uint8_t *)buffer->inspect,
191  buffer->inspect_len,
194  if (match == 1) {
196  }
197 
198  cbdata.local_id++;
199  }
200 
202 }
203 
204 static void PrefilterTxTlsCerts(DetectEngineThreadCtx *det_ctx,
205  const void *pectx, Packet *p, Flow *f, void *txv,
206  const uint64_t idx, const uint8_t flags)
207 {
208  SCEnter();
209 
210  const PrefilterMpmTlsCerts *ctx = (const PrefilterMpmTlsCerts *)pectx;
211  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
212  const int list_id = ctx->list_id;
213 
214  struct TlsCertsGetDataArgs cbdata = { 0, NULL };
215 
216  while (1)
217  {
218  InspectionBuffer *buffer = TlsCertsGetData(det_ctx, ctx->transforms,
219  f, &cbdata, list_id);
220  if (buffer == NULL)
221  break;
222 
223  if (buffer->inspect_len >= mpm_ctx->minlen) {
224  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
225  &det_ctx->mtcu, &det_ctx->pmq,
226  buffer->inspect, buffer->inspect_len);
227  }
228 
229  cbdata.local_id++;
230  }
231 }
232 
233 static void PrefilterMpmTlsCertsFree(void *ptr)
234 {
235  SCFree(ptr);
236 }
237 
238 static int PrefilterMpmTlsCertsRegister(DetectEngineCtx *de_ctx,
239  SigGroupHead *sgh, MpmCtx *mpm_ctx,
240  const DetectBufferMpmRegistery *mpm_reg, int list_id)
241 {
242  PrefilterMpmTlsCerts *pectx = SCCalloc(1, sizeof(*pectx));
243  if (pectx == NULL)
244  return -1;
245 
246  pectx->list_id = list_id;
247  pectx->mpm_ctx = mpm_ctx;
248  pectx->transforms = &mpm_reg->transforms;
249 
250  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxTlsCerts,
251  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
252  pectx, PrefilterMpmTlsCertsFree, mpm_reg->name);
253 }
254 
255 #ifdef UNITTESTS
256 #include "tests/detect-tls-certs.c"
257 #endif
DetectEngineAppInspectionEngine_
Definition: detect.h:398
SigTableElmt_::url
const char * url
Definition: detect.h:1270
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:243
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:402
detect-content.h
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1088
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1477
SSLCertsChain_::cert_len
uint32_t cert_len
Definition: app-layer-ssl.h:184
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1267
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1425
DETECT_AL_TLS_CERTS
@ DETECT_AL_TLS_CERTS
Definition: detect-engine-register.h:219
DetectEngineTransforms
Definition: detect.h:379
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:261
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:648
InspectionBuffer
Definition: detect.h:345
threads.h
Flow_
Flow data structure.
Definition: flow.h:353
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1167
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1261
DetectBufferMpmRegistery_::app_v2
struct DetectBufferMpmRegistery_::@87::@89 app_v2
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
TAILQ_EMPTY
#define TAILQ_EMPTY(head)
Definition: queue.h:249
TlsCertsGetDataArgs
Definition: detect-tls-certs.c:73
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:634
DetectEngineContentInspection
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:102
TLS_STATE_CERT_READY
@ TLS_STATE_CERT_READY
Definition: app-layer-ssl.h:80
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
PrefilterMpmTlsCerts
struct PrefilterMpmTlsCerts PrefilterMpmTlsCerts
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
detect-pcre.h
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@84 v2
detect-engine-prefilter.h
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1165
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1077
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:404
TlsCertsGetDataArgs::cert
SSLCertsChain * cert
Definition: detect-tls-certs.c:75
decode.h
util-debug.h
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:251
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
SSLCertsChain_
Definition: app-layer-ssl.h:182
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:347
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
DetectBufferMpmRegistery_::name
const char * name
Definition: detect.h:635
Packet_
Definition: decode.h:427
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:225
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
PrefilterMpmTlsCerts::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-tls-certs.c:80
DetectTlsCertsRegister
void DetectTlsCertsRegister(void)
Registration function for keyword: tls.certs.
Definition: detect-tls-certs.c:87
SSLCertsChain_::cert_data
uint8_t * cert_data
Definition: app-layer-ssl.h:183
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
detect-engine-content-inspection.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1127
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
detect-tls-certs.c
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:47
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
PrefilterMpmTlsCerts::list_id
int list_id
Definition: detect-tls-certs.c:79
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1144
TAILQ_NEXT
#define TAILQ_NEXT(elm, field)
Definition: queue.h:308
util-spm.h
PrefilterMpmTlsCerts
Definition: detect-tls-certs.c:78
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1427
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
detect-tls-certs.h
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:348
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:346
str
#define str(s)
Definition: suricata-common.h:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alstate
void * alstate
Definition: flow.h:486
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:412
PrefilterMpmTlsCerts::transforms
const DetectEngineTransforms * transforms
Definition: detect-tls-certs.c:81
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
TlsCertsGetDataArgs::local_id
uint32_t local_id
Definition: detect-tls-certs.c:74
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1380
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1453
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1291
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1174
MpmCtx_
Definition: util-mpm.h:88
flow.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
flow-var.h
app-layer-ssl.h
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
app-layer.h