suricata
detect-tls.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2011-2012 ANSSI
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  * notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  * notice, this list of conditions and the following disclaimer in the
12  * documentation and/or other materials provided with the distribution.
13  * 3. The name of the author may not be used to endorse or promote products
14  * derived from this software without specific prior written permission.
15  *
16  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
17  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
18  * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
19  * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
20  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
21  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
22  * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
23  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
25  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26  */
27 
28 /**
29  * \file
30  *
31  * \author Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
32  *
33  * Implements the tls.* keywords
34  */
35 
36 #include "suricata-common.h"
37 #include "threads.h"
38 #include "debug.h"
39 #include "decode.h"
40 
41 #include "detect.h"
42 #include "detect-parse.h"
43 
44 #include "detect-engine.h"
45 #include "detect-engine-mpm.h"
46 #include "detect-engine-state.h"
47 
48 #include "flow.h"
49 #include "flow-var.h"
50 #include "flow-util.h"
51 
52 #include "util-debug.h"
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 
56 #include "app-layer.h"
57 
58 #include "app-layer-ssl.h"
59 #include "detect-tls.h"
60 
61 #include "stream-tcp.h"
62 
63 /**
64  * \brief Regex for parsing "id" option, matching number or "number"
65  */
66 
67 #define PARSE_REGEX "^([A-z0-9\\s\\-\\.=,\\*@]+|\"[A-z0-9\\s\\-\\.=,\\*@]+\")\\s*$"
68 #define PARSE_REGEX_FINGERPRINT "^([A-z0-9\\:\\*]+|\"[A-z0-9\\:\\* ]+\")\\s*$"
69 
70 static DetectParseRegex subject_parse_regex;
71 static DetectParseRegex issuerdn_parse_regex;
72 static DetectParseRegex fingerprint_parse_regex;
73 
74 static int DetectTlsSubjectMatch (DetectEngineThreadCtx *,
75  Flow *, uint8_t, void *, void *,
76  const Signature *, const SigMatchCtx *);
77 static int DetectTlsSubjectSetup (DetectEngineCtx *, Signature *, const char *);
78 static void DetectTlsSubjectFree(DetectEngineCtx *, void *);
79 
80 static int DetectTlsIssuerDNMatch (DetectEngineThreadCtx *,
81  Flow *, uint8_t, void *, void *,
82  const Signature *, const SigMatchCtx *);
83 static int DetectTlsIssuerDNSetup (DetectEngineCtx *, Signature *, const char *);
84 static void DetectTlsIssuerDNFree(DetectEngineCtx *, void *);
85 
86 static int DetectTlsFingerprintMatch (DetectEngineThreadCtx *,
87  Flow *, uint8_t, void *, void *,
88  const Signature *, const SigMatchCtx *);
89 static int DetectTlsFingerprintSetup (DetectEngineCtx *, Signature *, const char *);
90 static void DetectTlsFingerprintFree(DetectEngineCtx *, void *);
91 
92 static int DetectTlsStoreSetup (DetectEngineCtx *, Signature *, const char *);
93 static int DetectTlsStorePostMatch (DetectEngineThreadCtx *det_ctx,
94  Packet *, const Signature *s, const SigMatchCtx *unused);
95 
96 static int g_tls_cert_list_id = 0;
97 
98 static int InspectTlsCert(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
99  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
100  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
101 {
103  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
104 }
105 
106 /**
107  * \brief Registration function for keyword: tls.version
108  */
109 void DetectTlsRegister (void)
110 {
111  sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject";
112  sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field";
113  sigmatch_table[DETECT_AL_TLS_SUBJECT].url = "/rules/tls-keywords.html#tls-subject";
114  sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerTxMatch = DetectTlsSubjectMatch;
115  sigmatch_table[DETECT_AL_TLS_SUBJECT].Setup = DetectTlsSubjectSetup;
116  sigmatch_table[DETECT_AL_TLS_SUBJECT].Free = DetectTlsSubjectFree;
119 
120  sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn";
121  sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field";
122  sigmatch_table[DETECT_AL_TLS_ISSUERDN].url = "/rules/tls-keywords.html#tls-issuerdn";
123  sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerTxMatch = DetectTlsIssuerDNMatch;
124  sigmatch_table[DETECT_AL_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup;
125  sigmatch_table[DETECT_AL_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree;
128 
129  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint";
130  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint";
131  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].url = "/rules/tls-keywords.html#tls-fingerprint";
132  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].AppLayerTxMatch = DetectTlsFingerprintMatch;
133  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Setup = DetectTlsFingerprintSetup;
134  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Free = DetectTlsFingerprintFree;
137 
138  sigmatch_table[DETECT_AL_TLS_STORE].name = "tls_store";
140  sigmatch_table[DETECT_AL_TLS_STORE].desc = "store TLS/SSL certificate on disk";
141  sigmatch_table[DETECT_AL_TLS_STORE].url = "/rules/tls-keywords.html#tls-store";
142  sigmatch_table[DETECT_AL_TLS_STORE].Match = DetectTlsStorePostMatch;
143  sigmatch_table[DETECT_AL_TLS_STORE].Setup = DetectTlsStoreSetup;
145 
146  DetectSetupParseRegexes(PARSE_REGEX, &subject_parse_regex);
147  DetectSetupParseRegexes(PARSE_REGEX, &issuerdn_parse_regex);
148  DetectSetupParseRegexes(PARSE_REGEX_FINGERPRINT, &fingerprint_parse_regex);
149 
150  g_tls_cert_list_id = DetectBufferTypeRegister("tls_cert");
151 
153  "tls_cert", ALPROTO_TLS, SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY, InspectTlsCert, NULL);
154 }
155 
156 /**
157  * \brief match the specified Subject on a tls session
158  *
159  * \param t pointer to thread vars
160  * \param det_ctx pointer to the pattern matcher thread
161  * \param p pointer to the current packet
162  * \param m pointer to the sigmatch that we will cast into DetectTlsData
163  *
164  * \retval 0 no match
165  * \retval 1 match
166  */
167 static int DetectTlsSubjectMatch (DetectEngineThreadCtx *det_ctx,
168  Flow *f, uint8_t flags, void *state, void *txv,
169  const Signature *s, const SigMatchCtx *m)
170 {
171  SCEnter();
172 
173  const DetectTlsData *tls_data = (const DetectTlsData *)m;
174  SSLState *ssl_state = (SSLState *)state;
175  if (ssl_state == NULL) {
176  SCLogDebug("no tls state, no match");
177  SCReturnInt(0);
178  }
179 
180  int ret = 0;
181 
182  SSLStateConnp *connp = NULL;
183  if (flags & STREAM_TOSERVER) {
184  connp = &ssl_state->client_connp;
185  } else {
186  connp = &ssl_state->server_connp;
187  }
188 
189  if (connp->cert0_subject != NULL) {
190  SCLogDebug("TLS: Subject is [%s], looking for [%s]\n",
191  connp->cert0_subject, tls_data->subject);
192 
193  if (strstr(connp->cert0_subject, tls_data->subject) != NULL) {
194  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
195  ret = 0;
196  } else {
197  ret = 1;
198  }
199  } else {
200  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
201  ret = 1;
202  } else {
203  ret = 0;
204  }
205  }
206  } else {
207  ret = 0;
208  }
209 
210  SCReturnInt(ret);
211 }
212 
213 /**
214  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
215  *
216  * \param de_ctx Pointer to the detection engine context
217  * \param str Pointer to the user provided id option
218  *
219  * \retval id_d pointer to DetectTlsData on success
220  * \retval NULL on failure
221  */
222 static DetectTlsData *DetectTlsSubjectParse (DetectEngineCtx *de_ctx, const char *str, bool negate)
223 {
224  DetectTlsData *tls = NULL;
225  int ret = 0, res = 0;
226  size_t pcre2_len;
227  const char *str_ptr;
228  char *orig = NULL;
229  char *tmp_str;
230  uint32_t flag = 0;
231 
232  ret = DetectParsePcreExec(&subject_parse_regex, str, 0, 0);
233  if (ret != 2) {
234  SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.subject option");
235  goto error;
236  }
237 
238  if (negate)
239  flag = DETECT_CONTENT_NEGATED;
240 
241  res = pcre2_substring_get_bynumber(
242  subject_parse_regex.match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
243  if (res < 0) {
244  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
245  goto error;
246  }
247 
248  /* We have a correct id option */
249  tls = SCMalloc(sizeof(DetectTlsData));
250  if (unlikely(tls == NULL))
251  goto error;
252  tls->subject = NULL;
253  tls->flags = flag;
254 
255  orig = SCStrdup((char*)str_ptr);
256  if (unlikely(orig == NULL)) {
257  goto error;
258  }
259  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
260 
261  tmp_str=orig;
262 
263  /* Let's see if we need to escape "'s */
264  if (tmp_str[0] == '"') {
265  tmp_str[strlen(tmp_str) - 1] = '\0';
266  tmp_str += 1;
267  }
268 
269  tls->subject = SCStrdup(tmp_str);
270  if (unlikely(tls->subject == NULL)) {
271  goto error;
272  }
273 
274  SCFree(orig);
275 
276  SCLogDebug("will look for TLS subject %s", tls->subject);
277 
278  return tls;
279 
280 error:
281  if (orig != NULL)
282  SCFree(orig);
283  if (tls != NULL)
284  DetectTlsSubjectFree(de_ctx, tls);
285  return NULL;
286 
287 }
288 
289 /**
290  * \brief this function is used to add the parsed "id" option
291  * \brief into the current signature
292  *
293  * \param de_ctx pointer to the Detection Engine Context
294  * \param s pointer to the Current Signature
295  * \param idstr pointer to the user provided "id" option
296  *
297  * \retval 0 on Success
298  * \retval -1 on Failure
299  */
300 static int DetectTlsSubjectSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
301 {
302  DetectTlsData *tls = NULL;
303  SigMatch *sm = NULL;
304 
306  return -1;
307 
308  tls = DetectTlsSubjectParse(de_ctx, str, s->init_data->negated);
309  if (tls == NULL)
310  goto error;
311 
312  /* Okay so far so good, lets get this into a SigMatch
313  * and put it in the Signature. */
314  sm = SigMatchAlloc();
315  if (sm == NULL)
316  goto error;
317 
319  sm->ctx = (void *)tls;
320 
321  SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
322  return 0;
323 
324 error:
325  if (tls != NULL)
326  DetectTlsSubjectFree(de_ctx, tls);
327  if (sm != NULL)
328  SCFree(sm);
329  return -1;
330 
331 }
332 
333 /**
334  * \brief this function will free memory associated with DetectTlsData
335  *
336  * \param id_d pointer to DetectTlsData
337  */
338 static void DetectTlsSubjectFree(DetectEngineCtx *de_ctx, void *ptr)
339 {
340  DetectTlsData *id_d = (DetectTlsData *)ptr;
341  if (ptr == NULL)
342  return;
343  if (id_d->subject != NULL)
344  SCFree(id_d->subject);
345  SCFree(id_d);
346 }
347 
348 /**
349  * \brief match the specified IssuerDN on a tls session
350  *
351  * \param t pointer to thread vars
352  * \param det_ctx pointer to the pattern matcher thread
353  * \param p pointer to the current packet
354  * \param m pointer to the sigmatch that we will cast into DetectTlsData
355  *
356  * \retval 0 no match
357  * \retval 1 match
358  */
359 static int DetectTlsIssuerDNMatch (DetectEngineThreadCtx *det_ctx,
360  Flow *f, uint8_t flags, void *state, void *txv,
361  const Signature *s, const SigMatchCtx *m)
362 {
363  SCEnter();
364 
365  const DetectTlsData *tls_data = (const DetectTlsData *)m;
366  SSLState *ssl_state = (SSLState *)state;
367  if (ssl_state == NULL) {
368  SCLogDebug("no tls state, no match");
369  SCReturnInt(0);
370  }
371 
372  int ret = 0;
373 
374  SSLStateConnp *connp = NULL;
375  if (flags & STREAM_TOSERVER) {
376  connp = &ssl_state->client_connp;
377  } else {
378  connp = &ssl_state->server_connp;
379  }
380 
381  if (connp->cert0_issuerdn != NULL) {
382  SCLogDebug("TLS: IssuerDN is [%s], looking for [%s]\n",
383  connp->cert0_issuerdn, tls_data->issuerdn);
384 
385  if (strstr(connp->cert0_issuerdn, tls_data->issuerdn) != NULL) {
386  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
387  ret = 0;
388  } else {
389  ret = 1;
390  }
391  } else {
392  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
393  ret = 1;
394  } else {
395  ret = 0;
396  }
397  }
398  } else {
399  ret = 0;
400  }
401 
402  SCReturnInt(ret);
403 }
404 
405 /**
406  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
407  *
408  * \param de_ctx Pointer to the detection engine context
409  * \param str Pointer to the user provided id option
410  *
411  * \retval id_d pointer to DetectTlsData on success
412  * \retval NULL on failure
413  */
414 static DetectTlsData *DetectTlsIssuerDNParse(DetectEngineCtx *de_ctx, const char *str, bool negate)
415 {
416  DetectTlsData *tls = NULL;
417  int ret = 0, res = 0;
418  size_t pcre2_len;
419  const char *str_ptr;
420  char *orig = NULL;
421  char *tmp_str;
422  uint32_t flag = 0;
423 
424  ret = DetectParsePcreExec(&issuerdn_parse_regex, str, 0, 0);
425  if (ret != 2) {
426  SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.issuerdn option");
427  goto error;
428  }
429 
430  if (negate)
431  flag = DETECT_CONTENT_NEGATED;
432 
433  res = pcre2_substring_get_bynumber(
434  issuerdn_parse_regex.match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
435  if (res < 0) {
436  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
437  goto error;
438  }
439 
440  /* We have a correct id option */
441  tls = SCMalloc(sizeof(DetectTlsData));
442  if (unlikely(tls == NULL))
443  goto error;
444  tls->issuerdn = NULL;
445  tls->flags = flag;
446 
447  orig = SCStrdup((char*)str_ptr);
448  if (unlikely(orig == NULL)) {
449  goto error;
450  }
451  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
452 
453  tmp_str=orig;
454 
455  /* Let's see if we need to escape "'s */
456  if (tmp_str[0] == '"')
457  {
458  tmp_str[strlen(tmp_str) - 1] = '\0';
459  tmp_str += 1;
460  }
461 
462  tls->issuerdn = SCStrdup(tmp_str);
463  if (unlikely(tls->issuerdn == NULL)) {
464  goto error;
465  }
466 
467  SCFree(orig);
468 
469  SCLogDebug("Will look for TLS issuerdn %s", tls->issuerdn);
470 
471  return tls;
472 
473 error:
474  if (orig != NULL)
475  SCFree(orig);
476  if (tls != NULL)
477  DetectTlsIssuerDNFree(de_ctx, tls);
478  return NULL;
479 
480 }
481 
482 /**
483  * \brief this function is used to add the parsed "id" option
484  * \brief into the current signature
485  *
486  * \param de_ctx pointer to the Detection Engine Context
487  * \param s pointer to the Current Signature
488  * \param idstr pointer to the user provided "id" option
489  *
490  * \retval 0 on Success
491  * \retval -1 on Failure
492  */
493 static int DetectTlsIssuerDNSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
494 {
495  DetectTlsData *tls = NULL;
496  SigMatch *sm = NULL;
497 
499  return -1;
500 
501  tls = DetectTlsIssuerDNParse(de_ctx, str, s->init_data->negated);
502  if (tls == NULL)
503  goto error;
504 
505  /* Okay so far so good, lets get this into a SigMatch
506  * and put it in the Signature. */
507  sm = SigMatchAlloc();
508  if (sm == NULL)
509  goto error;
510 
512  sm->ctx = (void *)tls;
513 
514  SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
515  return 0;
516 
517 error:
518  if (tls != NULL)
519  DetectTlsIssuerDNFree(de_ctx, tls);
520  if (sm != NULL)
521  SCFree(sm);
522  return -1;
523 
524 }
525 
526 /**
527  * \brief this function will free memory associated with DetectTlsData
528  *
529  * \param id_d pointer to DetectTlsData
530  */
531 static void DetectTlsIssuerDNFree(DetectEngineCtx *de_ctx, void *ptr)
532 {
533  DetectTlsData *id_d = (DetectTlsData *)ptr;
534  SCFree(id_d->issuerdn);
535  SCFree(id_d);
536 }
537 
538 /**
539  * \brief This function is used to parse fingerprint passed via keyword: "fingerprint"
540  *
541  * \param de_ctx Pointer to the detection engine context
542  * \param str Pointer to the user provided fingerprint option
543  *
544  * \retval pointer to DetectTlsData on success
545  * \retval NULL on failure
546  */
547 static DetectTlsData *DetectTlsFingerprintParse (DetectEngineCtx *de_ctx, const char *str, bool negate)
548 {
549  DetectTlsData *tls = NULL;
550  int ret = 0, res = 0;
551  size_t pcre2_len;
552  const char *str_ptr;
553  char *orig;
554  char *tmp_str;
555  uint32_t flag = 0;
556 
557  ret = DetectParsePcreExec(&fingerprint_parse_regex, str, 0, 0);
558  if (ret != 2) {
559  SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.fingerprint option");
560  goto error;
561  }
562 
563  if (negate)
564  flag = DETECT_CONTENT_NEGATED;
565 
566  res = pcre2_substring_get_bynumber(
567  fingerprint_parse_regex.match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
568  if (res < 0) {
569  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
570  goto error;
571  }
572 
573  /* We have a correct id option */
574  tls = SCMalloc(sizeof(DetectTlsData));
575  if (unlikely(tls == NULL))
576  goto error;
577  tls->fingerprint = NULL;
578  tls->flags = flag;
579 
580  orig = SCStrdup((char*)str_ptr);
581  if (unlikely(orig == NULL)) {
582  goto error;
583  }
584  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
585 
586  tmp_str=orig;
587 
588  /* Let's see if we need to escape "'s */
589  if (tmp_str[0] == '"')
590  {
591  tmp_str[strlen(tmp_str) - 1] = '\0';
592  tmp_str += 1;
593  }
594 
595  tls->fingerprint = SCStrdup(tmp_str);
596  if (tls->fingerprint == NULL) {
597  SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate fingerprint");
598  }
599 
600  SCFree(orig);
601 
602  SCLogDebug("will look for TLS fingerprint %s", tls->fingerprint);
603 
604  return tls;
605 
606 error:
607  if (tls != NULL)
608  DetectTlsFingerprintFree(de_ctx, tls);
609  return NULL;
610 
611 }
612 /**
613  * \brief match the specified fingerprint on a tls session
614  *
615  * \param t pointer to thread vars
616  * \param det_ctx pointer to the pattern matcher thread
617  * \param p pointer to the current packet
618  * \param m pointer to the sigmatch that we will cast into DetectTlsData
619  *
620  * \retval 0 no match
621  * \retval 1 match
622  */
623 static int DetectTlsFingerprintMatch (DetectEngineThreadCtx *det_ctx,
624  Flow *f, uint8_t flags, void *state, void *txv,
625  const Signature *s, const SigMatchCtx *m)
626 {
627  SCEnter();
628  const DetectTlsData *tls_data = (const DetectTlsData *)m;
629  SSLState *ssl_state = (SSLState *)state;
630  if (ssl_state == NULL) {
631  SCLogDebug("no tls state, no match");
632  SCReturnInt(0);
633  }
634 
635  int ret = 0;
636 
637  SSLStateConnp *connp = NULL;
638  if (flags & STREAM_TOSERVER) {
639  connp = &ssl_state->client_connp;
640  } else {
641  connp = &ssl_state->server_connp;
642  }
643 
644  if (connp->cert0_fingerprint != NULL) {
645  SCLogDebug("TLS: Fingerprint is [%s], looking for [%s]\n",
646  connp->cert0_fingerprint,
647  tls_data->fingerprint);
648 
649  if (tls_data->fingerprint &&
650  (strstr(connp->cert0_fingerprint,
651  tls_data->fingerprint) != NULL)) {
652  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
653  ret = 0;
654  } else {
655  ret = 1;
656 
657  }
658  } else {
659  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
660  ret = 1;
661  } else {
662  ret = 0;
663  }
664  }
665  } else {
666  ret = 0;
667  }
668 
669  SCReturnInt(ret);
670 }
671 
672 /**
673  * \brief this function is used to add the parsed "fingerprint" option
674  * \brief into the current signature
675  *
676  * \param de_ctx pointer to the Detection Engine Context
677  * \param s pointer to the Current Signature
678  * \param id pointer to the user provided "fingerprint" option
679  *
680  * \retval 0 on Success
681  * \retval -1 on Failure
682  */
683 static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
684 {
685  DetectTlsData *tls = NULL;
686  SigMatch *sm = NULL;
687 
689  return -1;
690 
691  tls = DetectTlsFingerprintParse(de_ctx, str, s->init_data->negated);
692  if (tls == NULL)
693  goto error;
694 
695  /* Okay so far so good, lets get this into a SigMatch
696  * and put it in the Signature. */
697  sm = SigMatchAlloc();
698  if (sm == NULL)
699  goto error;
700 
702  sm->ctx = (void *)tls;
703 
704  SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
705  return 0;
706 
707 error:
708  if (tls != NULL)
709  DetectTlsFingerprintFree(de_ctx, tls);
710  if (sm != NULL)
711  SCFree(sm);
712  return -1;
713 
714 }
715 
716 /**
717  * \brief this function will free memory associated with DetectTlsData
718  *
719  * \param pointer to DetectTlsData
720  */
721 static void DetectTlsFingerprintFree(DetectEngineCtx *de_ctx, void *ptr)
722 {
723  DetectTlsData *id_d = (DetectTlsData *)ptr;
724  if (id_d->fingerprint)
725  SCFree(id_d->fingerprint);
726  SCFree(id_d);
727 }
728 
729 /**
730  * \brief this function is used to add the parsed "store" option
731  * \brief into the current signature
732  *
733  * \param de_ctx pointer to the Detection Engine Context
734  * \param s pointer to the Current Signature
735  * \param idstr pointer to the user provided "store" option
736  *
737  * \retval 0 on Success
738  * \retval -1 on Failure
739  */
740 static int DetectTlsStoreSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
741 {
742  SigMatch *sm = NULL;
743 
745  return -1;
746 
747  sm = SigMatchAlloc();
748  if (sm == NULL)
749  return -1;
750 
752  s->flags |= SIG_FLAG_TLSSTORE;
753 
755  return 0;
756 }
757 
758 /** \warning modifies Flow::alstate */
759 static int DetectTlsStorePostMatch (DetectEngineThreadCtx *det_ctx,
760  Packet *p, const Signature *s, const SigMatchCtx *unused)
761 {
762  SCEnter();
763 
764  if (p->flow == NULL)
765  return 0;
766 
767  SSLState *ssl_state = FlowGetAppState(p->flow);
768  if (ssl_state == NULL) {
769  SCLogDebug("no tls state, no match");
770  SCReturnInt(0);
771  }
772 
774  SCReturnInt(1);
775 }
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:45
DetectEngineAppInspectionEngine_
Definition: detect.h:398
SigTableElmt_::url
const char * url
Definition: detect.h:1270
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:212
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:243
DetectTlsData_::fingerprint
char * fingerprint
Definition: detect-tls.h:42
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing "id" option, matching number or "number".
Definition: detect-tls.c:67
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2474
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1257
flow-util.h
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1941
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1267
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:260
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DetectTlsData_::issuerdn
char * issuerdn
Definition: detect-tls.h:41
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:261
SSLStateConnp_
Definition: app-layer-ssl.h:189
threads.h
Flow_
Flow data structure.
Definition: flow.h:353
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1261
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1238
DetectTlsData_
Definition: detect-tls.h:37
m
SCMutex m
Definition: flow-hash.h:6
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
TLS_STATE_CERT_READY
@ TLS_STATE_CERT_READY
Definition: app-layer-ssl.h:80
DetectTlsData_::flags
uint32_t flags
Definition: detect-tls.h:39
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
util-unittest.h
SSLStateConnp_::cert0_issuerdn
char * cert0_issuerdn
Definition: app-layer-ssl.h:213
FlowGetAppState
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1125
util-unittest-helper.h
DETECT_AL_TLS_CERT_SUBJECT
@ DETECT_AL_TLS_CERT_SUBJECT
Definition: detect-engine-register.h:221
SIGMATCH_QUOTES_MANDATORY
#define SIGMATCH_QUOTES_MANDATORY
Definition: detect.h:1469
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:98
DetectTlsData_::subject
char * subject
Definition: detect-tls.h:40
PARSE_REGEX_FINGERPRINT
#define PARSE_REGEX_FINGERPRINT
Definition: detect-tls.c:68
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
DETECT_AL_TLS_CERT_ISSUER
@ DETECT_AL_TLS_CERT_ISSUER
Definition: detect-engine-register.h:220
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2597
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
DETECT_AL_TLS_SUBJECT
@ DETECT_AL_TLS_SUBJECT
Definition: detect-engine-register.h:111
detect-engine-mpm.h
detect.h
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1265
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
Signature_::flags
uint32_t flags
Definition: detect.h:549
Packet_
Definition: decode.h:427
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:225
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect.h:1473
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:619
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SignatureInitData_::negated
bool negated
Definition: detect.h:503
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1235
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
DETECT_AL_TLS_CERT_FINGERPRINT
@ DETECT_AL_TLS_CERT_FINGERPRINT
Definition: detect-engine-register.h:223
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
DetectTlsRegister
void DetectTlsRegister(void)
Registration function for keyword: tls.version.
Definition: detect-tls.c:109
Packet_::flow
struct Flow_ * flow
Definition: decode.h:464
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1023
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1268
detect-tls.h
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:322
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
SSL_TLS_LOG_PEM
#define SSL_TLS_LOG_PEM
Definition: app-layer-ssl.h:135
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
str
#define str(s)
Definition: suricata-common.h:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
SSLStateConnp_::cert_log_flag
uint32_t cert_log_flag
Definition: app-layer-ssl.h:226
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
DETECT_AL_TLS_STORE
@ DETECT_AL_TLS_STORE
Definition: detect-engine-register.h:118
DETECT_AL_TLS_FINGERPRINT
@ DETECT_AL_TLS_FINGERPRINT
Definition: detect-engine-register.h:117
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1453
SSLStateConnp_::cert0_fingerprint
char * cert0_fingerprint
Definition: app-layer-ssl.h:217
SIG_FLAG_TLSSTORE
#define SIG_FLAG_TLSSTORE
Definition: detect.h:239
flow.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
DETECT_AL_TLS_ISSUERDN
@ DETECT_AL_TLS_ISSUERDN
Definition: detect-engine-register.h:112
app-layer-ssl.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
app-layer.h