suricata
detect-tls-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the tls.version keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #include "app-layer.h"
47 #include "app-layer-parser.h"
48 
49 #include "app-layer-ssl.h"
50 #include "detect-tls-version.h"
51 
52 #include "stream-tcp.h"
53 
54 /**
55  * \brief Regex for parsing "id" option, matching number or "number"
56  */
57 #define PARSE_REGEX "^\\s*([A-z0-9\\.]+|\"[A-z0-9\\.]+\")\\s*$"
58 
59 static DetectParseRegex parse_regex;
60 
61 static int DetectTlsVersionMatch (DetectEngineThreadCtx *,
62  Flow *, uint8_t, void *, void *,
63  const Signature *, const SigMatchCtx *);
64 static int DetectTlsVersionSetup (DetectEngineCtx *, Signature *, const char *);
65 #ifdef UNITTESTS
66 static void DetectTlsVersionRegisterTests(void);
67 #endif
68 static void DetectTlsVersionFree(DetectEngineCtx *, void *);
69 static int g_tls_generic_list_id = 0;
70 
71 /**
72  * \brief Registration function for keyword: tls.version
73  */
75 {
76  sigmatch_table[DETECT_AL_TLS_VERSION].name = "tls.version";
77  sigmatch_table[DETECT_AL_TLS_VERSION].desc = "match on TLS/SSL version";
78  sigmatch_table[DETECT_AL_TLS_VERSION].url = "/rules/tls-keywords.html#tls-version";
79  sigmatch_table[DETECT_AL_TLS_VERSION].AppLayerTxMatch = DetectTlsVersionMatch;
80  sigmatch_table[DETECT_AL_TLS_VERSION].Setup = DetectTlsVersionSetup;
81  sigmatch_table[DETECT_AL_TLS_VERSION].Free = DetectTlsVersionFree;
82 #ifdef UNITTESTS
83  sigmatch_table[DETECT_AL_TLS_VERSION].RegisterTests = DetectTlsVersionRegisterTests;
84 #endif
85 
86  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
87 
88  g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
89 }
90 
91 /**
92  * \brief match the specified version on a tls session
93  *
94  * \param t pointer to thread vars
95  * \param det_ctx pointer to the pattern matcher thread
96  * \param p pointer to the current packet
97  * \param m pointer to the sigmatch that we will cast into DetectTlsVersionData
98  *
99  * \retval 0 no match
100  * \retval 1 match
101  */
102 static int DetectTlsVersionMatch (DetectEngineThreadCtx *det_ctx,
103  Flow *f, uint8_t flags, void *state, void *txv,
104  const Signature *s, const SigMatchCtx *m)
105 {
106  SCEnter();
107 
108  const DetectTlsVersionData *tls_data = (const DetectTlsVersionData *)m;
109  SSLState *ssl_state = (SSLState *)state;
110  if (ssl_state == NULL) {
111  SCLogDebug("no tls state, no match");
112  SCReturnInt(0);
113  }
114 
115  int ret = 0;
116  uint16_t version = 0;
117  SCLogDebug("looking for tls_data->ver 0x%02X (flags 0x%02X)", tls_data->ver, flags);
118 
119  if (flags & STREAM_TOCLIENT) {
120  version = ssl_state->server_connp.version;
121  SCLogDebug("server (toclient) version is 0x%02X", version);
122  } else if (flags & STREAM_TOSERVER) {
123  version = ssl_state->client_connp.version;
124  SCLogDebug("client (toserver) version is 0x%02X", version);
125  }
126 
127  if ((tls_data->flags & DETECT_TLS_VERSION_FLAG_RAW) == 0) {
128  /* Match all TLSv1.3 drafts as TLSv1.3 */
129  if (((version >> 8) & 0xff) == 0x7f) {
131  }
132  }
133 
134  if (tls_data->ver == version) {
135  ret = 1;
136  }
137 
138  SCReturnInt(ret);
139 }
140 
141 /**
142  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
143  *
144  * \param de_ctx Pointer to the detection engine context
145  * \param idstr Pointer to the user provided id option
146  *
147  * \retval id_d pointer to DetectTlsVersionData on success
148  * \retval NULL on failure
149  */
150 static DetectTlsVersionData *DetectTlsVersionParse (DetectEngineCtx *de_ctx, const char *str)
151 {
152  uint16_t temp;
153  DetectTlsVersionData *tls = NULL;
154  int ret = 0, res = 0;
155  int ov[MAX_SUBSTRINGS];
156 
157  ret = DetectParsePcreExec(&parse_regex, str, 0, 0, ov, MAX_SUBSTRINGS);
158  if (ret < 1 || ret > 3) {
159  SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.version option");
160  goto error;
161  }
162 
163  if (ret > 1) {
164  char ver_ptr[64];
165  char *tmp_str;
166  res = pcre_copy_substring((char *)str, ov, MAX_SUBSTRINGS, 1, ver_ptr, sizeof(ver_ptr));
167  if (res < 0) {
168  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
169  goto error;
170  }
171 
172  /* We have a correct id option */
173  tls = SCCalloc(1, sizeof(DetectTlsVersionData));
174  if (unlikely(tls == NULL))
175  goto error;
176 
177  tmp_str = ver_ptr;
178 
179  /* Let's see if we need to scape "'s */
180  if (tmp_str[0] == '"')
181  {
182  tmp_str[strlen(tmp_str) - 1] = '\0';
183  tmp_str += 1;
184  }
185 
186  if (strncmp("1.0", tmp_str, 3) == 0) {
187  temp = TLS_VERSION_10;
188  } else if (strncmp("1.1", tmp_str, 3) == 0) {
189  temp = TLS_VERSION_11;
190  } else if (strncmp("1.2", tmp_str, 3) == 0) {
191  temp = TLS_VERSION_12;
192  } else if (strncmp("1.3", tmp_str, 3) == 0) {
193  temp = TLS_VERSION_13;
194  } else if ((strncmp("0x", tmp_str, 2) == 0) && (strlen(str) == 6)) {
195  temp = (uint16_t)strtol(tmp_str, NULL, 0);
197  } else {
198  SCLogError(SC_ERR_INVALID_VALUE, "Invalid value");
199  goto error;
200  }
201 
202  tls->ver = temp;
203 
204  SCLogDebug("will look for tls %"PRIu16"", tls->ver);
205  }
206 
207  return tls;
208 
209 error:
210  if (tls != NULL)
211  DetectTlsVersionFree(de_ctx, tls);
212  return NULL;
213 
214 }
215 
216 /**
217  * \brief this function is used to add the parsed "id" option
218  * \brief into the current signature
219  *
220  * \param de_ctx pointer to the Detection Engine Context
221  * \param s pointer to the Current Signature
222  * \param idstr pointer to the user provided "id" option
223  *
224  * \retval 0 on Success
225  * \retval -1 on Failure
226  */
227 static int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
228 {
229  DetectTlsVersionData *tls = NULL;
230  SigMatch *sm = NULL;
231 
233  return -1;
234 
235  tls = DetectTlsVersionParse(de_ctx, str);
236  if (tls == NULL)
237  goto error;
238 
239  /* Okay so far so good, lets get this into a SigMatch
240  * and put it in the Signature. */
241  sm = SigMatchAlloc();
242  if (sm == NULL)
243  goto error;
244 
246  sm->ctx = (void *)tls;
247 
248  SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
249 
250  return 0;
251 
252 error:
253  if (tls != NULL)
254  DetectTlsVersionFree(de_ctx, tls);
255  if (sm != NULL)
256  SCFree(sm);
257  return -1;
258 
259 }
260 
261 /**
262  * \brief this function will free memory associated with DetectTlsVersionData
263  *
264  * \param id_d pointer to DetectTlsVersionData
265  */
266 static void DetectTlsVersionFree(DetectEngineCtx *de_ctx, void *ptr)
267 {
269  SCFree(id_d);
270 }
271 
272 #ifdef UNITTESTS
274 #endif
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1480
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:233
detect-engine.h
detect-tls-version.c
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1211
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:250
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:251
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1182
m
SCMutex m
Definition: flow-hash.h:6
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
util-unittest.h
DetectTlsVersionData_::flags
uint8_t flags
Definition: detect-tls-version.h:31
util-unittest-helper.h
DETECT_TLS_VERSION_FLAG_RAW
#define DETECT_TLS_VERSION_FLAG_RAW
Definition: detect-tls-version.h:27
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectTlsVersionRegister
void DetectTlsVersionRegister(void)
Registration function for keyword: tls.version.
Definition: detect-tls-version.c:74
DetectEngineThreadCtx_
Definition: detect.h:1010
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
TLS_VERSION_11
@ TLS_VERSION_11
Definition: app-layer-ssl.h:148
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DetectTlsVersionData_::ver
uint16_t ver
Definition: detect-tls-version.h:30
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:836
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing "id" option, matching number or "number".
Definition: detect-tls-version.c:57
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
version
uint8_t version
Definition: decode-gre.h:1
TLS_VERSION_12
@ TLS_VERSION_12
Definition: app-layer-ssl.h:149
detect-tls-version.h
DETECT_AL_TLS_VERSION
@ DETECT_AL_TLS_VERSION
Definition: detect-engine-register.h:107
TLS_VERSION_13
@ TLS_VERSION_13
Definition: app-layer-ssl.h:150
str
#define str(s)
Definition: suricata-common.h:273
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
TLS_VERSION_10
@ TLS_VERSION_10
Definition: app-layer-ssl.h:147
DetectTlsVersionData_
Definition: detect-tls-version.h:29
flow.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
app-layer-ssl.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
app-layer.h
SSLStateConnp_::version
uint16_t version
Definition: app-layer-ssl.h:189