suricata
detect-tls-cert-fingerprint.c
Go to the documentation of this file.
1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  */
24 
25 /**
26  * \test Test that a signature containing tls_cert_fingerprint is correctly parsed
27  * and that the keyword is registered.
28  */
29 static int DetectTlsFingerprintTest01(void)
30 {
31  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
32  FAIL_IF_NULL(de_ctx);
33 
34  de_ctx->flags |= DE_QUIET;
35  de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
36  "(msg:\"Testing tls.cert_fingerprint\"; "
37  "tls.cert_fingerprint; "
38  "content:\"11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00\"; "
39  "sid:1;)");
40  FAIL_IF_NULL(de_ctx->sig_list);
41 
42  /* sm should not be in the MATCH list */
43  SigMatch *sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
44  FAIL_IF_NOT_NULL(sm);
45 
46  sm = de_ctx->sig_list->sm_lists[g_tls_cert_fingerprint_buffer_id];
47  FAIL_IF_NULL(sm);
48 
49  FAIL_IF(sm->type != DETECT_CONTENT);
50  FAIL_IF_NOT_NULL(sm->next);
51 
52  SigGroupCleanup(de_ctx);
53  DetectEngineCtxFree(de_ctx);
54 
55  PASS;
56 }
57 
58 /**
59  * \test Test matching for fingerprint of a certificate.
60  */
61 static int DetectTlsFingerprintTest02(void)
62 {
63  /* client hello */
64  uint8_t client_hello[] = {
65  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
66  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
67  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
68  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
69  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
70  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
71  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
72  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
73  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
74  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
75  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
76  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
77  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
78  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
79  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
80  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
81  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
82  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
83  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
84  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
85  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
86  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
87  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
88  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
89  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
90  0x03, 0x04, 0x02, 0x02, 0x02
91  };
92 
93  /* server hello */
94  uint8_t server_hello[] = {
95  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
96  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
97  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
98  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
99  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
100  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
101  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
102  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
103  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
104  0x0b, 0x00, 0x02, 0x01, 0x00
105  };
106 
107  /* certificate */
108  uint8_t certificate[] = {
109  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
110  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
111  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
112  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
113  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
114  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
115  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
116  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
117  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
118  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
119  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
120  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
121  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
122  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
123  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
124  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
125  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
126  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
127  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
128  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
129  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
130  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
131  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
132  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
133  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
134  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
135  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
136  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
137  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
138  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
139  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
140  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
141  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
142  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
143  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
144  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
145  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
146  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
147  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
148  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
149  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
150  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
151  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
152  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
153  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
154  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
155  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
156  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
157  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
158  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
159  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
160  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
161  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
162  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
163  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
164  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
165  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
166  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
167  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
168  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
169  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
170  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
171  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
172  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
173  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
174  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
175  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
176  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
177  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
178  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
179  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
180  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
181  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
182  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
183  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
184  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
185  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
186  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
187  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
188  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
189  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
190  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
191  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
192  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
193  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
194  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
195  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
196  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
197  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
198  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
199  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
200  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
201  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
202  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
203  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
204  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
205  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
206  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
207  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
208  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
209  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
210  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
211  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
212  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
213  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
214  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
215  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
216  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
217  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
218  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
219  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
220  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
221  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
222  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
223  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
224  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
225  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
226  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
227  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
228  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
229  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
230  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
231  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
232  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
233  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
234  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
235  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
236  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
237  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
238  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
239  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
240  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
241  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
242  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
243  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
244  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
245  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
246  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
247  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
248  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
249  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
250  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
251  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
252  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
253  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
254  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
255  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
256  };
257 
258  Flow f;
259  SSLState *ssl_state = NULL;
260  TcpSession ssn;
261  Packet *p1 = NULL;
262  Packet *p2 = NULL;
263  Packet *p3 = NULL;
264  ThreadVars tv;
265  DetectEngineThreadCtx *det_ctx = NULL;
266  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
267 
268  memset(&tv, 0, sizeof(ThreadVars));
269  memset(&f, 0, sizeof(Flow));
270  memset(&ssn, 0, sizeof(TcpSession));
271 
272  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
273  "192.168.1.5", "192.168.1.1", 51251, 443);
274  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
275  "192.168.1.1", "192.168.1.5", 443, 51251);
276  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
277  "192.168.1.1", "192.168.1.5", 443, 51251);
278 
279  FLOW_INITIALIZE(&f);
280  f.flags |= FLOW_IPV4;
281  f.proto = IPPROTO_TCP;
282  f.protomap = FlowGetProtoMapping(f.proto);
283  f.alproto = ALPROTO_TLS;
284 
285  p1->flow = &f;
286  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
287  p1->flowflags |= FLOW_PKT_TOSERVER;
288  p1->flowflags |= FLOW_PKT_ESTABLISHED;
289  p1->pcap_cnt = 1;
290 
291  p2->flow = &f;
292  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
293  p2->flowflags |= FLOW_PKT_TOCLIENT;
294  p2->flowflags |= FLOW_PKT_ESTABLISHED;
295  p2->pcap_cnt = 2;
296 
297  p3->flow = &f;
298  p3->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
299  p3->flowflags |= FLOW_PKT_TOCLIENT;
300  p3->flowflags |= FLOW_PKT_ESTABLISHED;
301  p3->pcap_cnt = 3;
302 
303  StreamTcpInitConfig(TRUE);
304 
305  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
306  FAIL_IF_NULL(de_ctx);
307 
308  de_ctx->mpm_matcher = mpm_default_matcher;
309  de_ctx->flags |= DE_QUIET;
310 
311  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
312  "(msg:\"Test tls.cert_fingerprint\"; "
313  "tls.cert_fingerprint; "
314  "content:\"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18\"; "
315  "sid:1;)");
316  FAIL_IF_NULL(s);
317 
318  SigGroupBuild(de_ctx);
319  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
320 
321  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
322  STREAM_TOSERVER, client_hello,
323  sizeof(client_hello));
324 
325  FAIL_IF(r != 0);
326 
327  ssl_state = f.alstate;
328  FAIL_IF_NULL(ssl_state);
329 
330  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
331 
332  FAIL_IF(PacketAlertCheck(p1, 1));
333 
334  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
335  server_hello, sizeof(server_hello));
336 
337  FAIL_IF(r != 0);
338 
339  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
340 
341  FAIL_IF(PacketAlertCheck(p2, 1));
342 
343  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
344  certificate, sizeof(certificate));
345 
346  FAIL_IF(r != 0);
347 
348  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
349 
350  FAIL_IF_NOT(PacketAlertCheck(p3, 1));
351 
352  AppLayerParserThreadCtxFree(alp_tctx);
353  DetectEngineThreadCtxDeinit(&tv, det_ctx);
354  SigGroupCleanup(de_ctx);
355  DetectEngineCtxFree(de_ctx);
356  StreamTcpFreeConfig(TRUE);
357  FLOW_DESTROY(&f);
358  UTHFreePacket(p1);
359  UTHFreePacket(p2);
360  UTHFreePacket(p3);
361 
362  PASS;
363 }
364 
365 static void DetectTlsFingerprintRegisterTests(void)
366 {
367  UtRegisterTest("DetectTlsFingerprintTest01", DetectTlsFingerprintTest01);
368  UtRegisterTest("DetectTlsFingerprintTest02", DetectTlsFingerprintTest02);
369 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2216
TcpSession_
Definition: stream-tcp-private.h:257
Packet_::flow
struct Flow_ * flow
Definition: decode.h:443
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:344
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1936
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:730
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:272
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:561
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2384
Signature_
Signature container.
Definition: detect.h:496
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:326
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:724
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2592
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:226
Flow_::alstate
void * alstate
Definition: flow.h:438
DE_QUIET
#define DE_QUIET
Definition: detect.h:296
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:725
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1892
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:773
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1742
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:167
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:437
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:246
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1964
SigMatch_::type
uint8_t type
Definition: detect.h:323
Packet_
Definition: decode.h:405
mpm_default_matcher
int mpm_default_matcher
Definition: util-mpm.h:170
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:410
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1092
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:966
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409
Packet_::flags
uint32_t flags
Definition: decode.h:441
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1686
Flow_::protomap
uint8_t protomap
Definition: flow.h:404
Flow_
Flow data structure.
Definition: flow.h:325
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:94
Flow_::flags
uint32_t flags
Definition: flow.h:379
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1090
SigMatch_
a single match condition for a signature
Definition: detect.h:322
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1131
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1641