detect-tls-ja3-string_8c_source.html

 /* Copyright (C) 2017 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
  * Software Foundation.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * version 2 along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  * 02110-1301, USA.
  */

 /**
  * \file
  *
  * \author Mats Klepsland <mats.klepsland@gmail.com>
  *
  * Implements support for ja3_string keyword.
  */

 #include "suricata-common.h"
 #include "threads.h"
 #include "debug.h"
 #include "decode.h"
 #include "detect.h"

 #include "detect-parse.h"
 #include "detect-engine.h"
 #include "detect-engine-mpm.h"
 #include "detect-engine-prefilter.h"
 #include "detect-content.h"
 #include "detect-pcre.h"
 #include "detect-tls-ja3-string.h"

 #include "flow.h"
 #include "flow-util.h"
 #include "flow-var.h"

 #include "conf.h"
 #include "conf-yaml-loader.h"

 #include "util-debug.h"
 #include "util-unittest.h"
 #include "util-spm.h"
 #include "util-print.h"
 #include "util-ja3.h"

 #include "stream-tcp.h"

 #include "app-layer.h"
 #include "app-layer-ssl.h"

 #include "util-unittest.h"
 #include "util-unittest-helper.h"

 static int DetectTlsJa3StringSetup(DetectEngineCtx *, Signature *, const char *);
 static void DetectTlsJa3StringRegisterTests(void);
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *_f, const uint8_t _flow_flags,
        void *txv, const int list_id);
 static int g_tls_ja3_str_buffer_id = 0;

 /**
  * \brief Registration function for keyword: ja3_string
  */
 void DetectTlsJa3StringRegister(void)
 {
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].name = "ja3_string";
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].desc = "content modifier to match the JA3 string buffer";
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].url = DOC_URL DOC_VERSION "/rules/ja3-keywords.html#ja3-string";
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].Match = NULL;
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].Setup = DetectTlsJa3StringSetup;
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].Free = NULL;
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].RegisterTests = DetectTlsJa3StringRegisterTests;

     sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_NOOPT;

     DetectAppLayerInspectEngineRegister2("ja3_string", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
             DetectEngineInspectBufferGeneric, GetData);

     DetectAppLayerMpmRegister2("ja3_string", SIG_FLAG_TOSERVER, 2,
             PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);

     DetectBufferTypeSetDescriptionByName("ja3_string", "TLS JA3 string");

     g_tls_ja3_str_buffer_id = DetectBufferTypeGetByName("ja3_string");
 }

 /**
  * \brief this function setup the ja3_string modifier keyword used in the rule
  *
  * \param de_ctx Pointer to the Detection Engine Context
  * \param s      Pointer to the Signature to which the current keyword belongs
  * \param str    Should hold an empty string always
  *
  * \retval 0 On success
  */
 static int DetectTlsJa3StringSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
 {
     DetectBufferSetActiveList(s, g_tls_ja3_str_buffer_id);
     s->alproto = ALPROTO_TLS;

     if (RunmodeIsUnittests())
         return 0;

     /* Check if JA3 is disabled */
     if (Ja3IsDisabled("rule"))
         return -1;

     return 0;
 }

 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
         const DetectEngineTransforms *transforms, Flow *_f,
         const uint8_t _flow_flags, void *txv, const int list_id)
 {
     InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
     if (buffer->inspect == NULL) {
         SSLState *ssl_state = (SSLState *)_f->alstate;

         if (ssl_state->ja3_str == NULL ||
                 ssl_state->ja3_str->data == NULL) {
             return NULL;
         }

         const uint32_t data_len = strlen(ssl_state->ja3_str->data);
         const uint8_t *data = (uint8_t *)ssl_state->ja3_str->data;

         InspectionBufferSetup(buffer, data, data_len);
         InspectionBufferApplyTransforms(buffer, transforms);
     }

     return buffer;
 }

 #ifndef HAVE_NSS

 static void DetectTlsJa3StringRegisterTests(void)
 {
     /* Don't register any tests */
 }

 #else /* HAVE_NSS */

 #ifdef UNITTESTS

 /**
  * \test Test matching on a simple client hello packet
  */
 static int DetectTlsJa3StringTest01(void)
 {
     /* Client hello */
     uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7E,
                       0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
                       0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
                       0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
                       0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
                       0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
                       0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
                       0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
                       0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
                       0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
                       0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
                       0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
                       0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
                       0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
                       0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
                       0x6F, 0x6D, };


     Flow f;
     SSLState *ssl_state = NULL;
     Packet *p = NULL;
     Signature *s = NULL;
     ThreadVars tv;
     DetectEngineThreadCtx *det_ctx = NULL;
     TcpSession ssn;
     AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

     memset(&tv, 0, sizeof(ThreadVars));
     memset(&f, 0, sizeof(Flow));
     memset(&ssn, 0, sizeof(TcpSession));

     p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
                            "192.168.1.5", "192.168.1.1",
                            41424, 443);

     FLOW_INITIALIZE(&f);
     f.protoctx = (void *)&ssn;
     f.flags |= FLOW_IPV4;
     f.proto = IPPROTO_TCP;
     f.protomap = FlowGetProtoMapping(f.proto);

     p->flow = &f;
     p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
     p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
     f.alproto = ALPROTO_TLS;

     StreamTcpInitConfig(TRUE);

     DetectEngineCtx *de_ctx = DetectEngineCtxInit();
     FAIL_IF_NULL(de_ctx);

     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;

     s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
             "(msg:\"Test ja3_string\"; ja3_string; "
             "content:\"-65-68-69-102-103-104-105-106-107-132-135-255,0,,\"; "
             "sid:1;)");
     FAIL_IF_NULL(s);

     SigGroupBuild(de_ctx);
     DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

     FLOWLOCK_WRLOCK(&f);
     int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                                 STREAM_TOSERVER, buf, sizeof(buf));
     FLOWLOCK_UNLOCK(&f);
     FAIL_IF(r != 0);

     ssl_state = f.alstate;
     FAIL_IF_NULL(ssl_state);

     FAIL_IF_NULL(ssl_state->ja3_str);
     FAIL_IF_NULL(ssl_state->ja3_str->data);

     SigMatchSignatures(&tv, de_ctx, det_ctx, p);

     FAIL_IF_NOT(PacketAlertCheck(p, 1));

     AppLayerParserThreadCtxFree(alp_tctx);
     DetectEngineThreadCtxDeinit(&tv, det_ctx);
     DetectEngineCtxFree(de_ctx);

     StreamTcpFreeConfig(TRUE);
     FLOW_DESTROY(&f);
     UTHFreePacket(p);

     PASS;
 }

 #endif /* UNITTESTS */

 static void DetectTlsJa3StringRegisterTests(void)
 {
 #ifdef UNITTESTS
     UtRegisterTest("DetectTlsJa3StringTest01", DetectTlsJa3StringTest01);
 #endif /* UNITTESTS */
 }

 #endif /* HAVE_NSS */
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2200

sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406

SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149

TcpSession_
Definition: stream-tcp-private.h:257

detect-content.h

Packet_::flow
struct Flow_ * flow
Definition: decode.h:443

PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138

Flow_::proto
uint8_t proto
Definition: flow.h:343

debug.h

FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:242

DetectEngineTransforms
Definition: detect.h:372

PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105

PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:608

FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71

AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:271

FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95

FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:202

JA3Buffer_::data
char * data
Definition: util-ja3.h:30

detect-pcre.h

StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669

AppLayerParserThreadCtx_
Definition: app-layer-parser.c:82

FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:239

Ja3IsDisabled
int Ja3IsDisabled(const char *type)
Check if JA3 is disabled.
Definition: util-ja3.c:262

detect-engine-prefilter.h

DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383

InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:871

SigTableElmt_::name
const char * name
Definition: detect.h:1163

util-unittest.h

Signature_
Signature container.
Definition: detect.h:495

decode.h

TRUE
#define TRUE
Definition: suricata-common.h:33

detect-tls-ja3-string.h

Flow_::protoctx
void * protoctx
Definition: flow.h:395

DetectEngineCtx_
main detection engine ctx
Definition: detect.h:723

DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2591

flow.h

SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:223

Flow_::alstate
void * alstate
Definition: flow.h:433

DE_QUIET
#define DE_QUIET
Definition: detect.h:296

DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:698

str
#define str(s)
Definition: suricata-common.h:258

threads.h

DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:724

SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1154

FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:115

util-debug.h

SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1892

DETECT_AL_TLS_JA3_STRING
Definition: detect-engine-register.h:202

DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:772

UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103

SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743

util-unittest-helper.h

SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:241

StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365

DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:183

UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:167

detect-engine-mpm.h

Packet_::flowflags
uint8_t flowflags
Definition: decode.h:437

suricata-common.h

FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:200

Signature_::alproto
AppProto alproto
Definition: detect.h:499

AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:245

util-spm.h

detect-engine.h

SSLState_::ja3_str
JA3Buffer * ja3_str
Definition: app-layer-ssl.h:243

RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:259

util-print.h

DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1242

Packet_
Definition: decode.h:405

SigTableElmt_::desc
const char * desc
Definition: detect.h:1165

util-ja3.h

app-layer-ssl.h

stream-tcp.h

mpm_default_matcher
int mpm_default_matcher
Definition: util-mpm.h:170

detect-parse.h

InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:930

InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:978

DetectTlsJa3StringRegister
void DetectTlsJa3StringRegister(void)
Registration function for keyword: ja3_string.
Definition: detect-tls-ja3-string.c:72

SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1331

SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132

flow-util.h

SigTableElmt_::url
const char * url
Definition: detect.h:1166

FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39

STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31

flow-var.h

UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:410

PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1092

FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89

DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:810

InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:347

DOC_URL
#define DOC_URL
Definition: suricata.h:86

DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:726

app-layer.h

ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57

DetectEngineThreadCtx_
Definition: detect.h:965

Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:404

Packet_::flags
uint32_t flags
Definition: decode.h:441

DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91

SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1157

InspectionBuffer
Definition: detect.h:346

DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685

Flow_::protomap
uint8_t protomap
Definition: flow.h:399

Flow_
Flow data structure.
Definition: flow.h:324

FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:93

Flow_::flags
uint32_t flags
Definition: flow.h:374

PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1090

SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1155

ALPROTO_TLS
Definition: app-layer-protos.h:33

FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82

AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1130

DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640

DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:85

conf.h

detect.h

conf-yaml-loader.h