suricata
detect-tls.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2011-2012 ANSSI
3  * Copyright (C) 2022 Open Information Security Foundation
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  * notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  * notice, this list of conditions and the following disclaimer in the
13  * documentation and/or other materials provided with the distribution.
14  * 3. The name of the author may not be used to endorse or promote products
15  * derived from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
18  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
19  * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
20  * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
21  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
22  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
23  * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
24  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
26  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 /**
30  * \file
31  *
32  * \author Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
33  *
34  * Implements the tls.* keywords
35  */
36 
37 #include "suricata-common.h"
38 #include "threads.h"
39 #include "decode.h"
40 
41 #include "detect.h"
42 #include "detect-parse.h"
43 #include "detect-content.h"
44 
45 #include "detect-engine.h"
46 #include "detect-engine-mpm.h"
47 #include "detect-engine-state.h"
48 
49 #include "flow.h"
50 #include "flow-var.h"
51 #include "flow-util.h"
52 
53 #include "util-debug.h"
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 
57 #include "app-layer.h"
58 
59 #include "app-layer-ssl.h"
60 #include "detect-tls.h"
62 
63 #include "stream-tcp.h"
64 
65 /**
66  * \brief Regex for parsing "id" option, matching number or "number"
67  */
68 
69 #define PARSE_REGEX "^([A-z0-9\\s\\-\\.=,\\*@]+|\"[A-z0-9\\s\\-\\.=,\\*@]+\")\\s*$"
70 #define PARSE_REGEX_FINGERPRINT "^([A-z0-9\\:\\*]+|\"[A-z0-9\\:\\* ]+\")\\s*$"
71 
72 static DetectParseRegex subject_parse_regex;
73 static DetectParseRegex issuerdn_parse_regex;
74 static DetectParseRegex fingerprint_parse_regex;
75 
76 static int DetectTlsSubjectMatch (DetectEngineThreadCtx *,
77  Flow *, uint8_t, void *, void *,
78  const Signature *, const SigMatchCtx *);
79 static int DetectTlsSubjectSetup (DetectEngineCtx *, Signature *, const char *);
80 static void DetectTlsSubjectFree(DetectEngineCtx *, void *);
81 
82 static int DetectTlsIssuerDNMatch (DetectEngineThreadCtx *,
83  Flow *, uint8_t, void *, void *,
84  const Signature *, const SigMatchCtx *);
85 static int DetectTlsIssuerDNSetup (DetectEngineCtx *, Signature *, const char *);
86 static void DetectTlsIssuerDNFree(DetectEngineCtx *, void *);
87 
88 static int DetectTlsFingerprintSetup (DetectEngineCtx *, Signature *, const char *);
89 static void DetectTlsFingerprintFree(DetectEngineCtx *, void *);
90 
91 static int DetectTlsStoreSetup (DetectEngineCtx *, Signature *, const char *);
92 static int DetectTlsStorePostMatch (DetectEngineThreadCtx *det_ctx,
93  Packet *, const Signature *s, const SigMatchCtx *unused);
94 
95 static int g_tls_cert_list_id = 0;
96 static int g_tls_cert_fingerprint_list_id = 0;
97 
98 /**
99  * \brief Registration function for keyword: tls.version
100  */
101 void DetectTlsRegister (void)
102 {
103  sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject";
104  sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field";
105  sigmatch_table[DETECT_AL_TLS_SUBJECT].url = "/rules/tls-keywords.html#tls-subject";
106  sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerTxMatch = DetectTlsSubjectMatch;
107  sigmatch_table[DETECT_AL_TLS_SUBJECT].Setup = DetectTlsSubjectSetup;
108  sigmatch_table[DETECT_AL_TLS_SUBJECT].Free = DetectTlsSubjectFree;
111 
112  sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn";
113  sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field";
114  sigmatch_table[DETECT_AL_TLS_ISSUERDN].url = "/rules/tls-keywords.html#tls-issuerdn";
115  sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerTxMatch = DetectTlsIssuerDNMatch;
116  sigmatch_table[DETECT_AL_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup;
117  sigmatch_table[DETECT_AL_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree;
120 
121  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint";
122  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint";
123  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].url = "/rules/tls-keywords.html#tls-fingerprint";
124  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Setup = DetectTlsFingerprintSetup;
125  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Free = DetectTlsFingerprintFree;
128 
129  sigmatch_table[DETECT_AL_TLS_STORE].name = "tls_store";
131  sigmatch_table[DETECT_AL_TLS_STORE].desc = "store TLS/SSL certificate on disk";
132  sigmatch_table[DETECT_AL_TLS_STORE].url = "/rules/tls-keywords.html#tls-store";
133  sigmatch_table[DETECT_AL_TLS_STORE].Match = DetectTlsStorePostMatch;
134  sigmatch_table[DETECT_AL_TLS_STORE].Setup = DetectTlsStoreSetup;
136 
137  DetectSetupParseRegexes(PARSE_REGEX, &subject_parse_regex);
138  DetectSetupParseRegexes(PARSE_REGEX, &issuerdn_parse_regex);
139  DetectSetupParseRegexes(PARSE_REGEX_FINGERPRINT, &fingerprint_parse_regex);
140 
141  g_tls_cert_list_id = DetectBufferTypeRegister("tls_cert");
142  g_tls_cert_fingerprint_list_id = DetectBufferTypeRegister("tls.cert_fingerprint");
143 
146 }
147 
148 /**
149  * \brief match the specified Subject on a tls session
150  *
151  * \param t pointer to thread vars
152  * \param det_ctx pointer to the pattern matcher thread
153  * \param p pointer to the current packet
154  * \param m pointer to the sigmatch that we will cast into DetectTlsData
155  *
156  * \retval 0 no match
157  * \retval 1 match
158  */
159 static int DetectTlsSubjectMatch (DetectEngineThreadCtx *det_ctx,
160  Flow *f, uint8_t flags, void *state, void *txv,
161  const Signature *s, const SigMatchCtx *m)
162 {
163  SCEnter();
164 
165  const DetectTlsData *tls_data = (const DetectTlsData *)m;
166  SSLState *ssl_state = (SSLState *)state;
167  if (ssl_state == NULL) {
168  SCLogDebug("no tls state, no match");
169  SCReturnInt(0);
170  }
171 
172  int ret = 0;
173 
174  SSLStateConnp *connp = NULL;
175  if (flags & STREAM_TOSERVER) {
176  connp = &ssl_state->client_connp;
177  } else {
178  connp = &ssl_state->server_connp;
179  }
180 
181  if (connp->cert0_subject != NULL) {
182  SCLogDebug("TLS: Subject is [%s], looking for [%s]\n",
183  connp->cert0_subject, tls_data->subject);
184 
185  if (strstr(connp->cert0_subject, tls_data->subject) != NULL) {
186  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
187  ret = 0;
188  } else {
189  ret = 1;
190  }
191  } else {
192  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
193  ret = 1;
194  } else {
195  ret = 0;
196  }
197  }
198  } else {
199  ret = 0;
200  }
201 
202  SCReturnInt(ret);
203 }
204 
205 /**
206  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
207  *
208  * \param de_ctx Pointer to the detection engine context
209  * \param str Pointer to the user provided id option
210  *
211  * \retval id_d pointer to DetectTlsData on success
212  * \retval NULL on failure
213  */
214 static DetectTlsData *DetectTlsSubjectParse (DetectEngineCtx *de_ctx, const char *str, bool negate)
215 {
216  DetectTlsData *tls = NULL;
217  int ret = 0, res = 0;
218  size_t pcre2_len;
219  const char *str_ptr;
220  char *orig = NULL;
221  char *tmp_str;
222  uint32_t flag = 0;
223 
224  ret = DetectParsePcreExec(&subject_parse_regex, str, 0, 0);
225  if (ret != 2) {
226  SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.subject option");
227  goto error;
228  }
229 
230  if (negate)
231  flag = DETECT_CONTENT_NEGATED;
232 
233  res = pcre2_substring_get_bynumber(
234  subject_parse_regex.match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
235  if (res < 0) {
236  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
237  goto error;
238  }
239 
240  /* We have a correct id option */
241  tls = SCMalloc(sizeof(DetectTlsData));
242  if (unlikely(tls == NULL))
243  goto error;
244  tls->subject = NULL;
245  tls->flags = flag;
246 
247  orig = SCStrdup((char*)str_ptr);
248  if (unlikely(orig == NULL)) {
249  goto error;
250  }
251  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
252 
253  tmp_str=orig;
254 
255  /* Let's see if we need to escape "'s */
256  if (tmp_str[0] == '"') {
257  tmp_str[strlen(tmp_str) - 1] = '\0';
258  tmp_str += 1;
259  }
260 
261  tls->subject = SCStrdup(tmp_str);
262  if (unlikely(tls->subject == NULL)) {
263  goto error;
264  }
265 
266  SCFree(orig);
267 
268  SCLogDebug("will look for TLS subject %s", tls->subject);
269 
270  return tls;
271 
272 error:
273  if (orig != NULL)
274  SCFree(orig);
275  if (tls != NULL)
276  DetectTlsSubjectFree(de_ctx, tls);
277  return NULL;
278 
279 }
280 
281 /**
282  * \brief this function is used to add the parsed "id" option
283  * \brief into the current signature
284  *
285  * \param de_ctx pointer to the Detection Engine Context
286  * \param s pointer to the Current Signature
287  * \param idstr pointer to the user provided "id" option
288  *
289  * \retval 0 on Success
290  * \retval -1 on Failure
291  */
292 static int DetectTlsSubjectSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
293 {
294  DetectTlsData *tls = NULL;
295  SigMatch *sm = NULL;
296 
298  return -1;
299 
300  tls = DetectTlsSubjectParse(de_ctx, str, s->init_data->negated);
301  if (tls == NULL)
302  goto error;
303 
304  /* Okay so far so good, lets get this into a SigMatch
305  * and put it in the Signature. */
306  sm = SigMatchAlloc();
307  if (sm == NULL)
308  goto error;
309 
311  sm->ctx = (void *)tls;
312 
313  SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
314  return 0;
315 
316 error:
317  if (tls != NULL)
318  DetectTlsSubjectFree(de_ctx, tls);
319  if (sm != NULL)
320  SCFree(sm);
321  return -1;
322 
323 }
324 
325 /**
326  * \brief this function will free memory associated with DetectTlsData
327  *
328  * \param id_d pointer to DetectTlsData
329  */
330 static void DetectTlsSubjectFree(DetectEngineCtx *de_ctx, void *ptr)
331 {
332  DetectTlsData *id_d = (DetectTlsData *)ptr;
333  if (ptr == NULL)
334  return;
335  if (id_d->subject != NULL)
336  SCFree(id_d->subject);
337  SCFree(id_d);
338 }
339 
340 /**
341  * \brief match the specified IssuerDN on a tls session
342  *
343  * \param t pointer to thread vars
344  * \param det_ctx pointer to the pattern matcher thread
345  * \param p pointer to the current packet
346  * \param m pointer to the sigmatch that we will cast into DetectTlsData
347  *
348  * \retval 0 no match
349  * \retval 1 match
350  */
351 static int DetectTlsIssuerDNMatch (DetectEngineThreadCtx *det_ctx,
352  Flow *f, uint8_t flags, void *state, void *txv,
353  const Signature *s, const SigMatchCtx *m)
354 {
355  SCEnter();
356 
357  const DetectTlsData *tls_data = (const DetectTlsData *)m;
358  SSLState *ssl_state = (SSLState *)state;
359  if (ssl_state == NULL) {
360  SCLogDebug("no tls state, no match");
361  SCReturnInt(0);
362  }
363 
364  int ret = 0;
365 
366  SSLStateConnp *connp = NULL;
367  if (flags & STREAM_TOSERVER) {
368  connp = &ssl_state->client_connp;
369  } else {
370  connp = &ssl_state->server_connp;
371  }
372 
373  if (connp->cert0_issuerdn != NULL) {
374  SCLogDebug("TLS: IssuerDN is [%s], looking for [%s]\n",
375  connp->cert0_issuerdn, tls_data->issuerdn);
376 
377  if (strstr(connp->cert0_issuerdn, tls_data->issuerdn) != NULL) {
378  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
379  ret = 0;
380  } else {
381  ret = 1;
382  }
383  } else {
384  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
385  ret = 1;
386  } else {
387  ret = 0;
388  }
389  }
390  } else {
391  ret = 0;
392  }
393 
394  SCReturnInt(ret);
395 }
396 
397 /**
398  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
399  *
400  * \param de_ctx Pointer to the detection engine context
401  * \param str Pointer to the user provided id option
402  *
403  * \retval id_d pointer to DetectTlsData on success
404  * \retval NULL on failure
405  */
406 static DetectTlsData *DetectTlsIssuerDNParse(DetectEngineCtx *de_ctx, const char *str, bool negate)
407 {
408  DetectTlsData *tls = NULL;
409  int ret = 0, res = 0;
410  size_t pcre2_len;
411  const char *str_ptr;
412  char *orig = NULL;
413  char *tmp_str;
414  uint32_t flag = 0;
415 
416  ret = DetectParsePcreExec(&issuerdn_parse_regex, str, 0, 0);
417  if (ret != 2) {
418  SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.issuerdn option");
419  goto error;
420  }
421 
422  if (negate)
423  flag = DETECT_CONTENT_NEGATED;
424 
425  res = pcre2_substring_get_bynumber(
426  issuerdn_parse_regex.match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
427  if (res < 0) {
428  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
429  goto error;
430  }
431 
432  /* We have a correct id option */
433  tls = SCMalloc(sizeof(DetectTlsData));
434  if (unlikely(tls == NULL))
435  goto error;
436  tls->issuerdn = NULL;
437  tls->flags = flag;
438 
439  orig = SCStrdup((char*)str_ptr);
440  if (unlikely(orig == NULL)) {
441  goto error;
442  }
443  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
444 
445  tmp_str=orig;
446 
447  /* Let's see if we need to escape "'s */
448  if (tmp_str[0] == '"')
449  {
450  tmp_str[strlen(tmp_str) - 1] = '\0';
451  tmp_str += 1;
452  }
453 
454  tls->issuerdn = SCStrdup(tmp_str);
455  if (unlikely(tls->issuerdn == NULL)) {
456  goto error;
457  }
458 
459  SCFree(orig);
460 
461  SCLogDebug("Will look for TLS issuerdn %s", tls->issuerdn);
462 
463  return tls;
464 
465 error:
466  if (orig != NULL)
467  SCFree(orig);
468  if (tls != NULL)
469  DetectTlsIssuerDNFree(de_ctx, tls);
470  return NULL;
471 
472 }
473 
474 /**
475  * \brief this function is used to add the parsed "id" option
476  * \brief into the current signature
477  *
478  * \param de_ctx pointer to the Detection Engine Context
479  * \param s pointer to the Current Signature
480  * \param idstr pointer to the user provided "id" option
481  *
482  * \retval 0 on Success
483  * \retval -1 on Failure
484  */
485 static int DetectTlsIssuerDNSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
486 {
487  DetectTlsData *tls = NULL;
488  SigMatch *sm = NULL;
489 
491  return -1;
492 
493  tls = DetectTlsIssuerDNParse(de_ctx, str, s->init_data->negated);
494  if (tls == NULL)
495  goto error;
496 
497  /* Okay so far so good, lets get this into a SigMatch
498  * and put it in the Signature. */
499  sm = SigMatchAlloc();
500  if (sm == NULL)
501  goto error;
502 
504  sm->ctx = (void *)tls;
505 
506  SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
507  return 0;
508 
509 error:
510  if (tls != NULL)
511  DetectTlsIssuerDNFree(de_ctx, tls);
512  if (sm != NULL)
513  SCFree(sm);
514  return -1;
515 
516 }
517 
518 /**
519  * \brief this function will free memory associated with DetectTlsData
520  *
521  * \param id_d pointer to DetectTlsData
522  */
523 static void DetectTlsIssuerDNFree(DetectEngineCtx *de_ctx, void *ptr)
524 {
525  DetectTlsData *id_d = (DetectTlsData *)ptr;
526  SCFree(id_d->issuerdn);
527  SCFree(id_d);
528 }
529 
530 /**
531  * \brief This function is used to parse fingerprint passed via keyword: "fingerprint"
532  *
533  * \param de_ctx Pointer to the detection engine context
534  * \param str Pointer to the user provided fingerprint option
535  *
536  * \retval pointer to DetectTlsData on success
537  * \retval NULL on failure
538  */
539 
540 /**
541  * \brief this function is used to add the parsed "fingerprint" option
542  * \brief into the current signature
543  *
544  * \param de_ctx pointer to the Detection Engine Context
545  * \param s pointer to the Current Signature
546  * \param id pointer to the user provided "fingerprint" option
547  *
548  * \retval 0 on Success
549  * \retval -1 on Failure
550  */
551 static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
552 {
553 
554  if (DetectContentSetup(de_ctx, s, str) < 0) {
555  return -1;
556  }
557 
559  g_tls_cert_fingerprint_list_id, ALPROTO_TLS) < 0)
560  return -1;
561 
562  return 0;
563 }
564 
565 /**
566  * \brief this function will free memory associated with DetectTlsData
567  *
568  * \param pointer to DetectTlsData
569  */
570 static void DetectTlsFingerprintFree(DetectEngineCtx *de_ctx, void *ptr)
571 {
572  DetectTlsData *id_d = (DetectTlsData *)ptr;
573  if (id_d->fingerprint)
574  SCFree(id_d->fingerprint);
575  SCFree(id_d);
576 }
577 
578 /**
579  * \brief this function is used to add the parsed "store" option
580  * \brief into the current signature
581  *
582  * \param de_ctx pointer to the Detection Engine Context
583  * \param s pointer to the Current Signature
584  * \param idstr pointer to the user provided "store" option
585  *
586  * \retval 0 on Success
587  * \retval -1 on Failure
588  */
589 static int DetectTlsStoreSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
590 {
591  SigMatch *sm = NULL;
592 
594  return -1;
595 
596  sm = SigMatchAlloc();
597  if (sm == NULL)
598  return -1;
599 
601  s->flags |= SIG_FLAG_TLSSTORE;
602 
604  return 0;
605 }
606 
607 /** \warning modifies Flow::alstate */
608 static int DetectTlsStorePostMatch (DetectEngineThreadCtx *det_ctx,
609  Packet *p, const Signature *s, const SigMatchCtx *unused)
610 {
611  SCEnter();
612 
613  if (p->flow == NULL)
614  return 0;
615 
616  SSLState *ssl_state = FlowGetAppState(p->flow);
617  if (ssl_state == NULL) {
618  SCLogDebug("no tls state, no match");
619  SCReturnInt(0);
620  }
621 
623  SCReturnInt(1);
624 }
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
SigTableElmt_::url
const char * url
Definition: detect.h:1238
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:252
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1493
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:288
detect-content.h
DetectTlsData_::fingerprint
char * fingerprint
Definition: detect-tls.h:42
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1237
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing "id" option, matching number or "number".
Definition: detect-tls.c:69
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2488
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1225
flow-util.h
DetectParseRegex
Definition: detect-parse.h:44
SigTableElmt_::name
const char * name
Definition: detect.h:1235
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
detect-tls-cert-fingerprint.h
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:306
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
DetectTlsData_::issuerdn
char * issuerdn
Definition: detect-tls.h:41
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:307
SSLStateConnp_
Definition: app-layer-ssl.h:231
threads.h
Flow_
Flow data structure.
Definition: flow.h:356
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1229
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1206
DetectTlsData_
Definition: detect-tls.h:37
m
SCMutex m
Definition: flow-hash.h:6
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
TLS_STATE_CERT_READY
@ TLS_STATE_CERT_READY
Definition: app-layer-ssl.h:78
DetectTlsData_::flags
uint32_t flags
Definition: detect-tls.h:39
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:229
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
util-unittest.h
SSLStateConnp_::cert0_issuerdn
char * cert0_issuerdn
Definition: app-layer-ssl.h:253
FlowGetAppState
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1148
util-unittest-helper.h
DETECT_AL_TLS_CERT_SUBJECT
@ DETECT_AL_TLS_CERT_SUBJECT
Definition: detect-engine-register.h:228
SIGMATCH_QUOTES_MANDATORY
#define SIGMATCH_QUOTES_MANDATORY
Definition: detect.h:1437
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:87
DetectTlsData_::subject
char * subject
Definition: detect-tls.h:40
PARSE_REGEX_FINGERPRINT
#define PARSE_REGEX_FINGERPRINT
Definition: detect-tls.c:70
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectContentSetup
int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
Function to setup a content pattern.
Definition: detect-content.c:327
DetectEngineThreadCtx_
Definition: detect.h:1024
DETECT_AL_TLS_CERT_ISSUER
@ DETECT_AL_TLS_CERT_ISSUER
Definition: detect-engine-register.h:227
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2611
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
DETECT_AL_TLS_SUBJECT
@ DETECT_AL_TLS_SUBJECT
Definition: detect-engine-register.h:115
detect-engine-mpm.h
detect.h
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1233
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
Signature_::flags
uint32_t flags
Definition: detect.h:540
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition: detect-parse.c:149
Packet_
Definition: decode.h:425
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:228
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect.h:1441
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:610
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SignatureInitData_::negated
bool negated
Definition: detect.h:494
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1203
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:238
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
DETECT_AL_TLS_CERT_FINGERPRINT
@ DETECT_AL_TLS_CERT_FINGERPRINT
Definition: detect-engine-register.h:230
DetectTlsRegister
void DetectTlsRegister(void)
Registration function for keyword: tls.version.
Definition: detect-tls.c:101
Packet_::flow
struct Flow_ * flow
Definition: decode.h:462
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1032
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1236
detect-tls.h
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:314
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1951
SSL_TLS_LOG_PEM
#define SSL_TLS_LOG_PEM
Definition: app-layer-ssl.h:141
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
str
#define str(s)
Definition: suricata-common.h:280
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
SigMatch_
a single match condition for a signature
Definition: detect.h:313
SSLStateConnp_::cert_log_flag
uint32_t cert_log_flag
Definition: app-layer-ssl.h:269
DETECT_AL_TLS_STORE
@ DETECT_AL_TLS_STORE
Definition: detect-engine-register.h:122
DETECT_AL_TLS_FINGERPRINT
@ DETECT_AL_TLS_FINGERPRINT
Definition: detect-engine-register.h:121
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1421
SIG_FLAG_TLSSTORE
#define SIG_FLAG_TLSSTORE
Definition: detect.h:231
flow.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
flow-var.h
DETECT_AL_TLS_ISSUERDN
@ DETECT_AL_TLS_ISSUERDN
Definition: detect-engine-register.h:116
app-layer-ssl.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:352
app-layer.h