suricata
detect-ssl-state.c
1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  */
24 
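/**
 * \test Parse a single state keyword and verify that exactly that state
 *       bit is set in the parsed flags.
 */
static int DetectSslStateTest01(void)
{
    DetectSslStateData *ssd = DetectSslStateParse("client_hello");
    FAIL_IF_NULL(ssd);
    /* A non-NULL result only shows the parser accepted the string; the
     * flags show which state the resulting rule would actually match. */
    FAIL_IF_NOT(ssd->flags == DETECT_SSL_STATE_CLIENT_HELLO);
    SCFree(ssd);
    PASS;
}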
33 
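/**
 * \test Parse two comma-separated states (with surrounding spaces) and
 *       verify that both state bits, and only those, are set.
 */
static int DetectSslStateTest02(void)
{
    DetectSslStateData *ssd = DetectSslStateParse("server_hello , client_hello");
    FAIL_IF_NULL(ssd);
    /* Check the parsed value, not just that parsing succeeded. */
    FAIL_IF_NOT(ssd->flags == (DETECT_SSL_STATE_SERVER_HELLO |
                               DETECT_SSL_STATE_CLIENT_HELLO));
    SCFree(ssd);
    PASS;
}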
43 
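/**
 * \test Parse three comma-separated states and verify that all three
 *       state bits, and only those, are set.
 */
static int DetectSslStateTest03(void)
{
    DetectSslStateData *ssd = DetectSslStateParse("server_hello , client_keyx , "
                                                  "client_hello");
    FAIL_IF_NULL(ssd);
    /* Check the parsed value, not just that parsing succeeded. */
    FAIL_IF_NOT(ssd->flags == (DETECT_SSL_STATE_SERVER_HELLO |
                               DETECT_SSL_STATE_CLIENT_KEYX |
                               DETECT_SSL_STATE_CLIENT_HELLO));
    SCFree(ssd);
    PASS;
}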
55 
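/**
 * \test Parse every state keyword used in this file in one list and
 *       verify that all five state bits are set.
 */
static int DetectSslStateTest04(void)
{
    DetectSslStateData *ssd = DetectSslStateParse("server_hello , client_keyx , "
                                                  "client_hello , server_keyx , "
                                                  "unknown");
    FAIL_IF_NULL(ssd);
    /* Check the parsed value, not just that parsing succeeded. */
    FAIL_IF_NOT(ssd->flags == (DETECT_SSL_STATE_SERVER_HELLO |
                               DETECT_SSL_STATE_CLIENT_KEYX |
                               DETECT_SSL_STATE_CLIENT_HELLO |
                               DETECT_SSL_STATE_SERVER_KEYX |
                               DETECT_SSL_STATE_UNKNOWN));
    SCFree(ssd);
    PASS;
}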
70 
/**
 * \test A state list that begins with a separator is malformed and must
 *       be rejected by the parser (NULL result).
 */
static int DetectSslStateTest05(void)
{
    DetectSslStateData *parsed =
        DetectSslStateParse(", server_hello , client_keyx , "
                            "client_hello , server_keyx , "
                            "unknown");

    /* The parser is expected to return nothing for a leading comma. */
    FAIL_IF(parsed != NULL);
    PASS;
}
80 
/**
 * \test A state list that ends with a dangling separator is malformed
 *       and must be rejected by the parser (NULL result).
 */
static int DetectSslStateTest06(void)
{
    DetectSslStateData *parsed =
        DetectSslStateParse("server_hello , client_keyx , "
                            "client_hello , server_keyx , "
                            "unknown , ");

    /* The parser is expected to return nothing for a trailing comma. */
    FAIL_IF(parsed != NULL);
    PASS;
}
89 
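/**
 * \test Feed a recorded handshake through the TLS app-layer parser one
 *       message at a time and, after each step, run detection and check
 *       which of five ssl_state signatures alert:
 *         sid 1: client_hello     sid 2: server_hello
 *         sid 3: client_keyx      sid 4: server_keyx
 *         sid 5: !client_hello
 *
 *       Expected alerts as asserted below:
 *         after chello_buf                     -> sid 1 only
 *         after shello_buf                     -> sid 2 and sid 5
 *         after client_change_cipher_spec_buf  -> sid 3 (sid 5 not checked)
 *         after server_change_cipher_spec_buf  -> none of sid 1-4
 *         after toserver_app_data_buf          -> none of sid 1-4
 */
static int DetectSslStateTest07(void)
{
    /* First client-to-server message of the capture. */
    uint8_t chello_buf[] = {
        0x80, 0x67, 0x01, 0x03, 0x00, 0x00, 0x4e, 0x00,
        0x00, 0x00, 0x10, 0x01, 0x00, 0x80, 0x03, 0x00,
        0x80, 0x07, 0x00, 0xc0, 0x06, 0x00, 0x40, 0x02,
        0x00, 0x80, 0x04, 0x00, 0x80, 0x00, 0x00, 0x39,
        0x00, 0x00, 0x38, 0x00, 0x00, 0x35, 0x00, 0x00,
        0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x04, 0x00,
        0x00, 0x05, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x16,
        0x00, 0x00, 0x13, 0x00, 0xfe, 0xff, 0x00, 0x00,
        0x0a, 0x00, 0x00, 0x15, 0x00, 0x00, 0x12, 0x00,
        0xfe, 0xfe, 0x00, 0x00, 0x09, 0x00, 0x00, 0x64,
        0x00, 0x00, 0x62, 0x00, 0x00, 0x03, 0x00, 0x00,
        0x06, 0xa8, 0xb8, 0x93, 0xbb, 0x90, 0xe9, 0x2a,
        0xa2, 0x4d, 0x6d, 0xcc, 0x1c, 0xe7, 0x2a, 0x80,
        0x21
    };
    uint32_t chello_buf_len = sizeof(chello_buf);

    /* Server reply: hello plus the records that follow it in the capture. */
    uint8_t shello_buf[] = {
        0x16, 0x03, 0x00, 0x00, 0x4a, 0x02,
        0x00, 0x00, 0x46, 0x03, 0x00, 0x44, 0x4c, 0x94,
        0x8f, 0xfe, 0x81, 0xed, 0x93, 0x65, 0x02, 0x88,
        0xa3, 0xf8, 0xeb, 0x63, 0x86, 0x0e, 0x2c, 0xf6,
        0x8d, 0xd0, 0x0f, 0x2c, 0x2a, 0xd6, 0x4f, 0xcd,
        0x2d, 0x3c, 0x16, 0xd7, 0xd6, 0x20, 0xa0, 0xfb,
        0x60, 0x86, 0x3d, 0x1e, 0x76, 0xf3, 0x30, 0xfe,
        0x0b, 0x01, 0xfd, 0x1a, 0x01, 0xed, 0x95, 0xf6,
        0x7b, 0x8e, 0xc0, 0xd4, 0x27, 0xbf, 0xf0, 0x6e,
        0xc7, 0x56, 0xb1, 0x47, 0xce, 0x98, 0x00, 0x35,
        0x00, 0x16, 0x03, 0x00, 0x03, 0x44, 0x0b, 0x00,
        0x03, 0x40, 0x00, 0x03, 0x3d, 0x00, 0x03, 0x3a,
        0x30, 0x82, 0x03, 0x36, 0x30, 0x82, 0x02, 0x9f,
        0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01,
        0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30,
        0x81, 0xa9, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
        0x55, 0x04, 0x06, 0x13, 0x02, 0x58, 0x59, 0x31,
        0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x08,
        0x13, 0x0c, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
        0x44, 0x65, 0x73, 0x65, 0x72, 0x74, 0x31, 0x13,
        0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
        0x0a, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x54,
        0x6f, 0x77, 0x6e, 0x31, 0x17, 0x30, 0x15, 0x06,
        0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x53, 0x6e,
        0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, 0x2c,
        0x20, 0x4c, 0x74, 0x64, 0x31, 0x1e, 0x30, 0x1c,
        0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x43,
        0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
        0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f,
        0x72, 0x69, 0x74, 0x79, 0x31, 0x15, 0x30, 0x13,
        0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0c, 0x53,
        0x6e, 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c,
        0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06,
        0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
        0x09, 0x01, 0x16, 0x0f, 0x63, 0x61, 0x40, 0x73,
        0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, 0x2e,
        0x64, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30,
        0x33, 0x30, 0x33, 0x30, 0x35, 0x31, 0x36, 0x34,
        0x37, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x30, 0x38,
        0x30, 0x33, 0x30, 0x33, 0x31, 0x36, 0x34, 0x37,
        0x34, 0x35, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x0b,
        0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
        0x02, 0x58, 0x59, 0x31, 0x15, 0x30, 0x13, 0x06,
        0x03, 0x55, 0x04, 0x08, 0x13, 0x0c, 0x53, 0x6e,
        0x61, 0x6b, 0x65, 0x20, 0x44, 0x65, 0x73, 0x65,
        0x72, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
        0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x6e, 0x61,
        0x6b, 0x65, 0x20, 0x54, 0x6f, 0x77, 0x6e, 0x31,
        0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a,
        0x13, 0x0e, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
        0x4f, 0x69, 0x6c, 0x2c, 0x20, 0x4c, 0x74, 0x64,
        0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
        0x0b, 0x13, 0x0e, 0x57, 0x65, 0x62, 0x73, 0x65,
        0x72, 0x76, 0x65, 0x72, 0x20, 0x54, 0x65, 0x61,
        0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,
        0x04, 0x03, 0x13, 0x10, 0x77, 0x77, 0x77, 0x2e,
        0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c,
        0x2e, 0x64, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d,
        0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
        0x01, 0x09, 0x01, 0x16, 0x10, 0x77, 0x77, 0x77,
        0x40, 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69,
        0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x30, 0x81, 0x9f,
        0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03,
        0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
        0x81, 0x00, 0xa4, 0x6e, 0x53, 0x14, 0x0a, 0xde,
        0x2c, 0xe3, 0x60, 0x55, 0x9a, 0xf2, 0x42, 0xa6,
        0xaf, 0x47, 0x12, 0x2f, 0x17, 0xce, 0xfa, 0xba,
        0xdc, 0x4e, 0x63, 0x56, 0x34, 0xb9, 0xba, 0x73,
        0x4b, 0x78, 0x44, 0x3d, 0xc6, 0x6c, 0x69, 0xa4,
        0x25, 0xb3, 0x61, 0x02, 0x9d, 0x09, 0x04, 0x3f,
        0x72, 0x3d, 0xd8, 0x27, 0xd3, 0xb0, 0x5a, 0x45,
        0x77, 0xb7, 0x36, 0xe4, 0x26, 0x23, 0xcc, 0x12,
        0xb8, 0xae, 0xde, 0xa7, 0xb6, 0x3a, 0x82, 0x3c,
        0x7c, 0x24, 0x59, 0x0a, 0xf8, 0x96, 0x43, 0x8b,
        0xa3, 0x29, 0x36, 0x3f, 0x91, 0x7f, 0x5d, 0xc7,
        0x23, 0x94, 0x29, 0x7f, 0x0a, 0xce, 0x0a, 0xbd,
        0x8d, 0x9b, 0x2f, 0x19, 0x17, 0xaa, 0xd5, 0x8e,
        0xec, 0x66, 0xa2, 0x37, 0xeb, 0x3f, 0x57, 0x53,
        0x3c, 0xf2, 0xaa, 0xbb, 0x79, 0x19, 0x4b, 0x90,
        0x7e, 0xa7, 0xa3, 0x99, 0xfe, 0x84, 0x4c, 0x89,
        0xf0, 0x3d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
        0x6e, 0x30, 0x6c, 0x30, 0x1b, 0x06, 0x03, 0x55,
        0x1d, 0x11, 0x04, 0x14, 0x30, 0x12, 0x81, 0x10,
        0x77, 0x77, 0x77, 0x40, 0x73, 0x6e, 0x61, 0x6b,
        0x65, 0x6f, 0x69, 0x6c, 0x2e, 0x64, 0x6f, 0x6d,
        0x30, 0x3a, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
        0x86, 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x2d, 0x16,
        0x2b, 0x6d, 0x6f, 0x64, 0x5f, 0x73, 0x73, 0x6c,
        0x20, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
        0x65, 0x64, 0x20, 0x63, 0x75, 0x73, 0x74, 0x6f,
        0x6d, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
        0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
        0x63, 0x61, 0x74, 0x65, 0x30, 0x11, 0x06, 0x09,
        0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01,
        0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 0x30,
        0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
        0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81,
        0x81, 0x00, 0xae, 0x79, 0x79, 0x22, 0x90, 0x75,
        0xfd, 0xa6, 0xd5, 0xc4, 0xb8, 0xc4, 0x99, 0x4e,
        0x1c, 0x05, 0x7c, 0x91, 0x59, 0xbe, 0x89, 0x0d,
        0x3d, 0xc6, 0x8c, 0xa3, 0xcf, 0xf6, 0xba, 0x23,
        0xdf, 0xb8, 0xae, 0x44, 0x68, 0x8a, 0x8f, 0xb9,
        0x8b, 0xcb, 0x12, 0xda, 0xe6, 0xa2, 0xca, 0xa5,
        0xa6, 0x55, 0xd9, 0xd2, 0xa1, 0xad, 0xba, 0x9b,
        0x2c, 0x44, 0x95, 0x1d, 0x4a, 0x90, 0x59, 0x7f,
        0x83, 0xae, 0x81, 0x5e, 0x3f, 0x92, 0xe0, 0x14,
        0x41, 0x82, 0x4e, 0x7f, 0x53, 0xfd, 0x10, 0x23,
        0xeb, 0x8a, 0xeb, 0xe9, 0x92, 0xea, 0x61, 0xf2,
        0x8e, 0x19, 0xa1, 0xd3, 0x49, 0xc0, 0x84, 0x34,
        0x1e, 0x2e, 0x6e, 0xf6, 0x98, 0xe2, 0x87, 0x53,
        0xd6, 0x55, 0xd9, 0x1a, 0x8a, 0x92, 0x5c, 0xad,
        0xdc, 0x1e, 0x1c, 0x30, 0xa7, 0x65, 0x9d, 0xc2,
        0x4f, 0x60, 0xd2, 0x6f, 0xdb, 0xe0, 0x9f, 0x9e,
        0xbc, 0x41, 0x16, 0x03, 0x00, 0x00, 0x04, 0x0e,
        0x00, 0x00, 0x00
    };
    uint32_t shello_buf_len = sizeof(shello_buf);

    /* Client flight fed to the parser as the key-exchange step. */
    uint8_t client_change_cipher_spec_buf[] = {
        0x16, 0x03, 0x00, 0x00, 0x84, 0x10, 0x00, 0x00,
        0x80, 0x65, 0x51, 0x2d, 0xa6, 0xd4, 0xa7, 0x38,
        0xdf, 0xac, 0x79, 0x1f, 0x0b, 0xd9, 0xb2, 0x61,
        0x7d, 0x73, 0x88, 0x32, 0xd9, 0xf2, 0x62, 0x3a,
        0x8b, 0x11, 0x04, 0x75, 0xca, 0x42, 0xff, 0x4e,
        0xd9, 0xcc, 0xb9, 0xfa, 0x86, 0xf3, 0x16, 0x2f,
        0x09, 0x73, 0x51, 0x66, 0xaa, 0x29, 0xcd, 0x80,
        0x61, 0x0f, 0xe8, 0x13, 0xce, 0x5b, 0x8e, 0x0a,
        0x23, 0xf8, 0x91, 0x5e, 0x5f, 0x54, 0x70, 0x80,
        0x8e, 0x7b, 0x28, 0xef, 0xb6, 0x69, 0xb2, 0x59,
        0x85, 0x74, 0x98, 0xe2, 0x7e, 0xd8, 0xcc, 0x76,
        0x80, 0xe1, 0xb6, 0x45, 0x4d, 0xc7, 0xcd, 0x84,
        0xce, 0xb4, 0x52, 0x79, 0x74, 0xcd, 0xe6, 0xd7,
        0xd1, 0x9c, 0xad, 0xef, 0x63, 0x6c, 0x0f, 0xf7,
        0x05, 0xe4, 0x4d, 0x1a, 0xd3, 0xcb, 0x9c, 0xd2,
        0x51, 0xb5, 0x61, 0xcb, 0xff, 0x7c, 0xee, 0xc7,
        0xbc, 0x5e, 0x15, 0xa3, 0xf2, 0x52, 0x0f, 0xbb,
        0x32, 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16,
        0x03, 0x00, 0x00, 0x40, 0xa9, 0xd8, 0xd7, 0x35,
        0xbc, 0x39, 0x56, 0x98, 0xad, 0x87, 0x61, 0x2a,
        0xc4, 0x8f, 0xcc, 0x03, 0xcb, 0x93, 0x80, 0x81,
        0xb0, 0x4a, 0xc4, 0xd2, 0x09, 0x71, 0x3e, 0x90,
        0x3c, 0x8d, 0xe0, 0x95, 0x44, 0xfe, 0x56, 0xd1,
        0x7e, 0x88, 0xe2, 0x48, 0xfd, 0x76, 0x70, 0x76,
        0xe2, 0xcd, 0x06, 0xd0, 0xf3, 0x9d, 0x13, 0x79,
        0x67, 0x1e, 0x37, 0xf6, 0x98, 0xbe, 0x59, 0x18,
        0x4c, 0xfc, 0x75, 0x56
    };
    uint32_t client_change_cipher_spec_buf_len =
        sizeof(client_change_cipher_spec_buf);

    /* Server flight that completes the handshake. */
    uint8_t server_change_cipher_spec_buf[] = {
        0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, 0x03,
        0x00, 0x00, 0x40, 0xce, 0x7c, 0x92, 0x43, 0x59,
        0xcc, 0x3d, 0x90, 0x91, 0x9c, 0x58, 0xf0, 0x7a,
        0xce, 0xae, 0x0d, 0x08, 0xe0, 0x76, 0xb4, 0x86,
        0xb1, 0x15, 0x5b, 0x32, 0xb8, 0x77, 0x53, 0xe7,
        0xa6, 0xf9, 0xd0, 0x95, 0x5f, 0xaa, 0x07, 0xc3,
        0x96, 0x7c, 0xc9, 0x88, 0xc2, 0x7a, 0x20, 0x89,
        0x4f, 0xeb, 0xeb, 0xb6, 0x19, 0xef, 0xaa, 0x27,
        0x73, 0x9d, 0xa6, 0xb4, 0x9f, 0xeb, 0x34, 0xe2,
        0x4d, 0x9f, 0x6b
    };
    uint32_t server_change_cipher_spec_buf_len =
        sizeof(server_change_cipher_spec_buf);

    /* Post-handshake data sent by the client. */
    uint8_t toserver_app_data_buf[] = {
        0x17, 0x03, 0x00, 0x01, 0xb0, 0x4a, 0xc3, 0x3e,
        0x9d, 0x77, 0x78, 0x01, 0x2c, 0xb4, 0xbc, 0x4c,
        0x9a, 0x84, 0xd7, 0xb9, 0x90, 0x0c, 0x21, 0x10,
        0xf0, 0xfa, 0x00, 0x7c, 0x16, 0xbb, 0x77, 0xfb,
        0x72, 0x42, 0x4f, 0xad, 0x50, 0x4a, 0xd0, 0xaa,
        0x6f, 0xaa, 0x44, 0x6c, 0x62, 0x94, 0x1b, 0xc5,
        0xfe, 0xe9, 0x1c, 0x5e, 0xde, 0x85, 0x0b, 0x0e,
        0x05, 0xe4, 0x18, 0x6e, 0xd2, 0xd3, 0xb5, 0x20,
        0xab, 0x81, 0xfd, 0x18, 0x9a, 0x73, 0xb8, 0xd7,
        0xef, 0xc3, 0xdd, 0x74, 0xd7, 0x9c, 0x1e, 0x6f,
        0x21, 0x6d, 0xf8, 0x24, 0xca, 0x3c, 0x70, 0x78,
        0x36, 0x12, 0x7a, 0x8a, 0x9c, 0xac, 0x4e, 0x1c,
        0xa8, 0xfb, 0x27, 0x30, 0xba, 0x9a, 0xf4, 0x2f,
        0x0a, 0xab, 0x80, 0x6a, 0xa1, 0x60, 0x74, 0xf0,
        0xe3, 0x91, 0x84, 0xe7, 0x90, 0x88, 0xcc, 0xf0,
        0x95, 0x7b, 0x0a, 0x22, 0xf2, 0xf9, 0x27, 0xe0,
        0xdd, 0x38, 0x0c, 0xfd, 0xe9, 0x03, 0x71, 0xdc,
        0x70, 0xa4, 0x6e, 0xdf, 0xe3, 0x72, 0x9e, 0xa1,
        0xf0, 0xc9, 0x00, 0xd6, 0x03, 0x55, 0x6a, 0x67,
        0x5d, 0x9c, 0xb8, 0x75, 0x01, 0xb0, 0x01, 0x9f,
        0xe6, 0xd2, 0x44, 0x18, 0xbc, 0xca, 0x7a, 0x10,
        0x39, 0xa6, 0xcf, 0x15, 0xc7, 0xf5, 0x35, 0xd4,
        0xb3, 0x6d, 0x91, 0x23, 0x84, 0x99, 0xba, 0xb0,
        0x7e, 0xd0, 0xc9, 0x4c, 0xbf, 0x3f, 0x33, 0x68,
        0x37, 0xb7, 0x7d, 0x44, 0xb0, 0x0b, 0x2c, 0x0f,
        0xd0, 0x75, 0xa2, 0x6b, 0x5b, 0xe1, 0x9f, 0xd4,
        0x69, 0x9a, 0x14, 0xc8, 0x29, 0xb7, 0xd9, 0x10,
        0xbb, 0x99, 0x30, 0x9a, 0xfb, 0xcc, 0x13, 0x1f,
        0x76, 0x4e, 0xe6, 0xdf, 0x14, 0xaa, 0xd5, 0x60,
        0xbf, 0x91, 0x49, 0x0d, 0x64, 0x42, 0x29, 0xa8,
        0x64, 0x27, 0xd4, 0x5e, 0x1b, 0x18, 0x03, 0xa8,
        0x73, 0xd6, 0x05, 0x6e, 0xf7, 0x50, 0xb0, 0x09,
        0x6b, 0x69, 0x7a, 0x12, 0x28, 0x58, 0xef, 0x5a,
        0x86, 0x11, 0xde, 0x71, 0x71, 0x9f, 0xca, 0xbd,
        0x79, 0x2a, 0xc2, 0xe5, 0x9b, 0x5e, 0x32, 0xe7,
        0xcb, 0x97, 0x6e, 0xa0, 0xea, 0xa4, 0xa4, 0x6a,
        0x32, 0xf9, 0x37, 0x39, 0xd8, 0x37, 0x6d, 0x63,
        0xf3, 0x08, 0x1c, 0xdd, 0x06, 0xdd, 0x2c, 0x2b,
        0x9f, 0x04, 0x88, 0x5f, 0x36, 0x42, 0xc1, 0xb1,
        0xc7, 0xe8, 0x2d, 0x5d, 0xa4, 0x6c, 0xe5, 0x60,
        0x94, 0xae, 0xd0, 0x90, 0x1e, 0x88, 0xa0, 0x87,
        0x52, 0xfb, 0xed, 0x97, 0xa5, 0x25, 0x5a, 0xb7,
        0x55, 0xc5, 0x13, 0x07, 0x85, 0x27, 0x40, 0xed,
        0xb8, 0xa0, 0x26, 0x13, 0x44, 0x0c, 0xfc, 0xcc,
        0x5a, 0x09, 0xe5, 0x44, 0xb5, 0x63, 0xa1, 0x43,
        0x51, 0x23, 0x4f, 0x17, 0x21, 0x89, 0x2e, 0x58,
        0xfd, 0xf9, 0x63, 0x74, 0x04, 0x70, 0x1e, 0x7d,
        0xd0, 0x66, 0xba, 0x40, 0x5e, 0x45, 0xdc, 0x39,
        0x7c, 0x53, 0x0f, 0xa8, 0x38, 0xb2, 0x13, 0x99,
        0x27, 0xd9, 0x4a, 0x51, 0xe9, 0x9f, 0x2a, 0x92,
        0xbb, 0x9c, 0x90, 0xab, 0xfd, 0xf1, 0xb7, 0x40,
        0x05, 0xa9, 0x7a, 0x20, 0x63, 0x36, 0xc1, 0xef,
        0xb9, 0xad, 0xa2, 0xe0, 0x1d, 0x20, 0x4f, 0xb2,
        0x34, 0xbd, 0xea, 0x07, 0xac, 0x21, 0xce, 0xf6,
        0x8a, 0xa2, 0x9e, 0xcd, 0xfa
    };
    uint32_t toserver_app_data_buf_len = sizeof(toserver_app_data_buf);

    Signature *s = NULL;
    ThreadVars th_v;
    Packet *p = NULL;
    Flow f;
    TcpSession ssn;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;
    SSLState *ssl_state = NULL;
    int r = 0;
    /* Parser thread context handed to every AppLayerParserParse() call
     * below and released during cleanup. */
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    FAIL_IF_NULL(alp_tctx);

    /* p is a pointer that is already NULL, so only the by-value
     * structures need clearing. */
    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    /* p is dereferenced right below; fail cleanly if the build failed. */
    FAIL_IF_NULL(p);

    /* Attach the packet to an established to-server TLS flow. */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_TLS;

    StreamTcpInitConfig(TRUE);

    de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
                              "(msg:\"ssl state\"; ssl_state:client_hello; "
                              "sid:1;)");
    FAIL_IF_NULL(s);

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
                              "(msg:\"ssl state\"; "
                              "ssl_state:server_hello; "
                              "sid:2;)");
    FAIL_IF_NULL(s);

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
                              "(msg:\"ssl state\"; "
                              "ssl_state:client_keyx; "
                              "sid:3;)");
    FAIL_IF_NULL(s);

    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
                              "(msg:\"ssl state\"; "
                              "ssl_state:server_keyx; "
                              "sid:4;)");
    FAIL_IF_NULL(s);

    /* Negated form: should alert only once the flow is past client hello. */
    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
                              "(msg:\"ssl state\"; "
                              "ssl_state:!client_hello; "
                              "sid:5;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* Step 1: client hello. */
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                            STREAM_TOSERVER | STREAM_START, chello_buf,
                            chello_buf_len);
    FAIL_IF(r != 0);

    ssl_state = f.alstate;
    FAIL_IF(ssl_state == NULL);

    /* do detect */
    p->alerts.cnt = 0;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(!PacketAlertCheck(p, 1));
    FAIL_IF(PacketAlertCheck(p, 2));
    FAIL_IF(PacketAlertCheck(p, 3));
    FAIL_IF(PacketAlertCheck(p, 4));
    FAIL_IF(PacketAlertCheck(p, 5));

    /* Step 2: server hello. */
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
                            shello_buf, shello_buf_len);
    FAIL_IF(r != 0);

    /* do detect; the packet now represents the to-client direction */
    p->alerts.cnt = 0;
    p->flowflags = (FLOW_PKT_TOCLIENT | FLOW_PKT_ESTABLISHED);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(PacketAlertCheck(p, 1));
    FAIL_IF(!PacketAlertCheck(p, 2));
    FAIL_IF(PacketAlertCheck(p, 3));
    FAIL_IF(PacketAlertCheck(p, 4));
    FAIL_IF(!PacketAlertCheck(p, 5));

    /* Step 3: client key exchange flight. */
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
                            client_change_cipher_spec_buf,
                            client_change_cipher_spec_buf_len);
    FAIL_IF(r != 0);

    /* do detect */
    p->alerts.cnt = 0;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(PacketAlertCheck(p, 1));
    FAIL_IF(PacketAlertCheck(p, 2));
    FAIL_IF(!PacketAlertCheck(p, 3));
    FAIL_IF(PacketAlertCheck(p, 4));

    /* Step 4: server change cipher spec flight. */
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
                            server_change_cipher_spec_buf,
                            server_change_cipher_spec_buf_len);
    FAIL_IF(r != 0);

    /* do detect */
    p->alerts.cnt = 0;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(PacketAlertCheck(p, 1));
    FAIL_IF(PacketAlertCheck(p, 2));
    FAIL_IF(PacketAlertCheck(p, 3));
    FAIL_IF(PacketAlertCheck(p, 4));

    /* Step 5: application data; no handshake-state rule may fire. */
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
                            toserver_app_data_buf, toserver_app_data_buf_len);
    FAIL_IF(r != 0);

    /* do detect */
    p->alerts.cnt = 0;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(PacketAlertCheck(p, 1));
    FAIL_IF(PacketAlertCheck(p, 2));
    FAIL_IF(PacketAlertCheck(p, 3));
    FAIL_IF(PacketAlertCheck(p, 4));

    /* Tear down in reverse order of setup. */
    AppLayerParserThreadCtxFree(alp_tctx);
    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    PASS;
}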
494 
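/**
 * \test Test that the "|" character still works as a separator, for
 *       compatibility with older Suricata rules.
 */
static int DetectSslStateTest08(void)
{
    DetectSslStateData *ssd = DetectSslStateParse("server_hello|client_hello");
    FAIL_IF_NULL(ssd);
    /* Both states must be picked up; a parser that accepted the string
     * but read only one token would silently narrow legacy rules. */
    FAIL_IF_NOT(ssd->flags == (DETECT_SSL_STATE_SERVER_HELLO |
                               DETECT_SSL_STATE_CLIENT_HELLO));
    SCFree(ssd);
    PASS;
}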
508 
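/**
 * \test Test parsing of negated states: every negated state must be
 *       recorded in both the flags and the mask of the parsed data.
 */
static int DetectSslStateTestParseNegate(void)
{
    /* Single negated state. */
    DetectSslStateData *ssd = DetectSslStateParse("!client_hello");
    FAIL_IF_NULL(ssd);
    uint32_t expected = DETECT_SSL_STATE_CLIENT_HELLO;
    FAIL_IF(ssd->flags != expected || ssd->mask != expected);
    SCFree(ssd);

    /* Two negated states: the expectation has to grow with the input,
     * otherwise the comparison below still tests the single-state value. */
    ssd = DetectSslStateParse("!client_hello,!server_hello");
    FAIL_IF_NULL(ssd);
    expected = DETECT_SSL_STATE_CLIENT_HELLO | DETECT_SSL_STATE_SERVER_HELLO;
    FAIL_IF(ssd->flags != expected || ssd->mask != expected);
    SCFree(ssd);

    PASS;
}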
528 
/**
 * \brief Register every ssl_state unit test in this file with the
 *        unit-test framework, in declaration order.
 */
static void DetectSslStateRegisterTests(void)
{
    /* Name/function pairs; the name passed to the framework matches the
     * function identifier. */
    static const struct {
        const char *name;
        int (*fn)(void);
    } ssl_state_tests[] = {
        { "DetectSslStateTest01", DetectSslStateTest01 },
        { "DetectSslStateTest02", DetectSslStateTest02 },
        { "DetectSslStateTest03", DetectSslStateTest03 },
        { "DetectSslStateTest04", DetectSslStateTest04 },
        { "DetectSslStateTest05", DetectSslStateTest05 },
        { "DetectSslStateTest06", DetectSslStateTest06 },
        { "DetectSslStateTest07", DetectSslStateTest07 },
        { "DetectSslStateTest08", DetectSslStateTest08 },
        { "DetectSslStateTestParseNegate", DetectSslStateTestParseNegate },
    };
    const unsigned int count =
        sizeof(ssl_state_tests) / sizeof(ssl_state_tests[0]);

    for (unsigned int i = 0; i < count; i++) {
        UtRegisterTest(ssl_state_tests[i].name, ssl_state_tests[i].fn);
    }
}