detect-tls-ja3-string_8c_source.html

 /* Copyright (C) 2017 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
  * Software Foundation.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * version 2 along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  * 02110-1301, USA.
  */

 /**
  * \file
  *
  * \author Mats Klepsland <mats.klepsland@gmail.com>
  *
  * Implements support for ja3.string keyword.
  */

 #include "suricata-common.h"
 #include "threads.h"
 #include "debug.h"
 #include "decode.h"
 #include "detect.h"

 #include "detect-parse.h"
 #include "detect-engine.h"
 #include "detect-engine-mpm.h"
 #include "detect-engine-prefilter.h"
 #include "detect-content.h"
 #include "detect-pcre.h"
 #include "detect-tls-ja3-string.h"

 #include "flow.h"
 #include "flow-util.h"
 #include "flow-var.h"

 #include "conf.h"
 #include "conf-yaml-loader.h"

 #include "util-debug.h"
 #include "util-unittest.h"
 #include "util-spm.h"
 #include "util-print.h"
 #include "util-ja3.h"

 #include "stream-tcp.h"

 #include "app-layer.h"
 #include "app-layer-ssl.h"

 #include "util-unittest.h"
 #include "util-unittest-helper.h"

 static int DetectTlsJa3StringSetup(DetectEngineCtx *, Signature *, const char *);
 #ifdef UNITTESTS
 static void DetectTlsJa3StringRegisterTests(void);
 #endif
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *f, const uint8_t flow_flags,
        void *txv, const int list_id);
 static int g_tls_ja3_str_buffer_id = 0;

 /**
  * \brief Registration function for keyword: ja3.string
  */
 void DetectTlsJa3StringRegister(void)
 {
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].name = "ja3.string";
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].alias = "ja3_string";
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].desc = "content modifier to match the JA3 string buffer";
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].url = DOC_URL DOC_VERSION "/rules/ja3-keywords.html#ja3-string";
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].Setup = DetectTlsJa3StringSetup;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].RegisterTests = DetectTlsJa3StringRegisterTests;
 #endif
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;

     DetectAppLayerInspectEngineRegister2("ja3.string", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
             DetectEngineInspectBufferGeneric, GetData);

     DetectAppLayerMpmRegister2("ja3.string", SIG_FLAG_TOSERVER, 2,
             PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);

     DetectBufferTypeSetDescriptionByName("ja3.string", "TLS JA3 string");

     g_tls_ja3_str_buffer_id = DetectBufferTypeGetByName("ja3.string");
 }

 /**
  * \brief this function setup the ja3.string modifier keyword used in the rule
  *
  * \param de_ctx Pointer to the Detection Engine Context
  * \param s      Pointer to the Signature to which the current keyword belongs
  * \param str    Should hold an empty string always
  *
  * \retval 0  On success
  * \retval -1 On failure
  */
 static int DetectTlsJa3StringSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
 {
     if (DetectBufferSetActiveList(s, g_tls_ja3_str_buffer_id) < 0)
         return -1;

     if (DetectSignatureSetAppProto(s, ALPROTO_TLS) < 0)
         return -1;

     /* Check if JA3 is disabled */
     if (!RunmodeIsUnittests() && Ja3IsDisabled("rule"))
         return -1;

     return 0;
 }

 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
         const DetectEngineTransforms *transforms, Flow *f,
         const uint8_t flow_flags, void *txv, const int list_id)
 {
     InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
     if (buffer->inspect == NULL) {
         const SSLState *ssl_state = (SSLState *)f->alstate;

         if (ssl_state->client_connp.ja3_str == NULL ||
                 ssl_state->client_connp.ja3_str->data == NULL) {
             return NULL;
         }

         const uint32_t data_len = strlen(ssl_state->client_connp.ja3_str->data);
         const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_str->data;

         InspectionBufferSetup(buffer, data, data_len);
         InspectionBufferApplyTransforms(buffer, transforms);
     }

     return buffer;
 }

 #ifdef UNITTESTS
 #include "tests/detect-tls-ja3-string.c"
 #endif
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1439

SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1179

detect-content.h

DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1392

debug.h

DetectEngineTransforms
Definition: detect.h:364

detect-tls-ja3-string.c

JA3Buffer_::data
char * data
Definition: util-ja3.h:30

detect-pcre.h

Ja3IsDisabled
int Ja3IsDisabled(const char *type)
Check if JA3 is disabled.
Definition: util-ja3.c:262

detect-engine-prefilter.h

InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1025

SigTableElmt_::name
const char * name
Definition: detect.h:1193

util-unittest.h

Signature_
Signature container.
Definition: detect.h:517

decode.h

DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89

detect-tls-ja3-string.h

DetectEngineCtx_
main detection engine ctx
Definition: detect.h:756

flow.h

SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:226

Flow_::alstate
void * alstate
Definition: flow.h:438

DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:852

str
#define str(s)
Definition: suricata-common.h:258

threads.h

SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1386

util-debug.h

DETECT_AL_TLS_JA3_STRING
Definition: detect-engine-register.h:204

util-unittest-helper.h

SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:232

DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224

detect-engine-mpm.h

suricata-common.h

util-spm.h

detect-engine.h

RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:265

util-print.h

DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1562

SigTableElmt_::desc
const char * desc
Definition: detect.h:1195

PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:611

util-ja3.h

app-layer-ssl.h

SigTableElmt_::alias
const char * alias
Definition: detect.h:1194

stream-tcp.h

detect-parse.h

InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1084

InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1132

DetectTlsJa3StringRegister
void DetectTlsJa3StringRegister(void)
Registration function for keyword: ja3.string.
Definition: detect-tls-ja3-string.c:74

SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1362

flow-util.h

SigTableElmt_::url
const char * url
Definition: detect.h:1196

flow-var.h

DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:964

InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:338

DOC_URL
#define DOC_URL
Definition: suricata.h:86

DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:880

app-layer.h

SSLStateConnp_::ja3_str
JA3Buffer * ja3_str
Definition: app-layer-ssl.h:211

DetectEngineThreadCtx_
Definition: detect.h:996

DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91

SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1187

InspectionBuffer
Definition: detect.h:337

Flow_
Flow data structure.
Definition: flow.h:325

SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:248

SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1185

ALPROTO_TLS
Definition: app-layer-protos.h:33

conf.h

detect.h

conf-yaml-loader.h