suricata
detect-tls-cert-serial.c
Go to the documentation of this file.
1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  */
24 
25 /**
26  * \test Test that a signature containing tls.cert_serial is correctly parsed
27  * and that the keyword is registered.
28  */
29 static int DetectTlsSerialTest01(void)
30 {
31  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
32  FAIL_IF_NULL(de_ctx);
33 
34  de_ctx->flags |= DE_QUIET;
35  de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
36  "(msg:\"Testing tls.cert_serial\"; "
37  "tls.cert_serial; content:\"XX:XX:XX\"; sid:1;)");
38  FAIL_IF_NULL(de_ctx->sig_list);
39 
40  /* sm should not be in the MATCH list */
41  SigMatch *sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
42  FAIL_IF_NOT_NULL(sm);
43 
44  sm = de_ctx->sig_list->sm_lists[g_tls_cert_serial_buffer_id];
45  FAIL_IF_NULL(sm);
46 
47  FAIL_IF(sm->type != DETECT_CONTENT);
48  FAIL_IF_NOT_NULL(sm->next);
49 
50  SigGroupCleanup(de_ctx);
51  DetectEngineCtxFree(de_ctx);
52 
53  PASS;
54 }
55 
56 /**
57  * \test Test matching for serial in a certificate.
58  */
59 static int DetectTlsSerialTest02(void)
60 {
61  /* client hello */
62  uint8_t client_hello[] = {
63  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
64  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
65  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
66  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
67  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
68  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
69  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
70  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
71  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
72  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
73  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
74  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
75  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
76  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
77  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
78  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
79  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
80  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
81  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
82  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
83  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
84  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
85  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
86  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
87  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
88  0x03, 0x04, 0x02, 0x02, 0x02
89  };
90 
91  /* server hello */
92  uint8_t server_hello[] = {
93  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
94  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
95  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
96  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
97  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
98  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
99  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
100  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
101  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
102  0x0b, 0x00, 0x02, 0x01, 0x00
103  };
104 
105  /* certificate */
106  uint8_t certificate[] = {
107  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
108  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
109  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
110  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
111  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
112  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
113  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
114  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
115  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
116  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
117  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
118  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
119  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
120  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
121  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
122  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
123  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
124  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
125  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
126  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
127  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
128  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
129  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
130  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
131  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
132  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
133  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
134  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
135  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
136  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
137  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
138  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
139  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
140  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
141  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
142  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
143  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
144  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
145  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
146  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
147  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
148  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
149  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
150  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
151  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
152  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
153  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
154  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
155  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
156  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
157  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
158  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
159  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
160  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
161  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
162  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
163  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
164  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
165  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
166  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
167  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
168  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
169  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
170  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
171  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
172  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
173  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
174  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
175  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
176  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
177  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
178  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
179  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
180  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
181  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
182  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
183  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
184  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
185  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
186  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
187  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
188  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
189  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
190  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
191  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
192  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
193  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
194  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
195  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
196  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
197  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
198  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
199  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
200  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
201  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
202  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
203  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
204  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
205  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
206  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
207  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
208  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
209  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
210  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
211  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
212  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
213  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
214  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
215  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
216  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
217  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
218  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
219  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
220  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
221  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
222  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
223  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
224  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
225  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
226  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
227  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
228  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
229  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
230  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
231  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
232  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
233  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
234  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
235  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
236  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
237  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
238  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
239  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
240  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
241  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
242  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
243  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
244  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
245  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
246  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
247  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
248  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
249  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
250  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
251  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
252  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
253  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
254  };
255 
256  Flow f;
257  SSLState *ssl_state = NULL;
258  TcpSession ssn;
259  Packet *p1 = NULL;
260  Packet *p2 = NULL;
261  Packet *p3 = NULL;
262  ThreadVars tv;
263  DetectEngineThreadCtx *det_ctx = NULL;
264  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
265 
266  memset(&tv, 0, sizeof(ThreadVars));
267  memset(&f, 0, sizeof(Flow));
268  memset(&ssn, 0, sizeof(TcpSession));
269 
270  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
271  "192.168.1.5", "192.168.1.1", 51251, 443);
272  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
273  "192.168.1.1", "192.168.1.5", 443, 51251);
274  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
275  "192.168.1.1", "192.168.1.5", 443, 51251);
276 
277  FLOW_INITIALIZE(&f);
278  f.flags |= FLOW_IPV4;
279  f.proto = IPPROTO_TCP;
280  f.protomap = FlowGetProtoMapping(f.proto);
281  f.alproto = ALPROTO_TLS;
282 
283  p1->flow = &f;
284  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
285  p1->flowflags |= FLOW_PKT_TOSERVER;
286  p1->flowflags |= FLOW_PKT_ESTABLISHED;
287  p1->pcap_cnt = 1;
288 
289  p2->flow = &f;
290  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
291  p2->flowflags |= FLOW_PKT_TOCLIENT;
292  p2->flowflags |= FLOW_PKT_ESTABLISHED;
293  p2->pcap_cnt = 2;
294 
295  p3->flow = &f;
296  p3->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
297  p3->flowflags |= FLOW_PKT_TOCLIENT;
298  p3->flowflags |= FLOW_PKT_ESTABLISHED;
299  p3->pcap_cnt = 3;
300 
301  StreamTcpInitConfig(TRUE);
302 
303  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
304  FAIL_IF_NULL(de_ctx);
305 
306  de_ctx->mpm_matcher = mpm_default_matcher;
307  de_ctx->flags |= DE_QUIET;
308 
309  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
310  "(msg:\"Test tls.cert_serial\"; "
311  "tls.cert_serial; "
312  "content:\"5C:19:B7:B1:32:3B:1C:A1\"; "
313  "sid:1;)");
314  FAIL_IF_NULL(s);
315 
316  SigGroupBuild(de_ctx);
317  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
318 
319  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
320  STREAM_TOSERVER, client_hello,
321  sizeof(client_hello));
322 
323  FAIL_IF(r != 0);
324 
325  ssl_state = f.alstate;
326  FAIL_IF_NULL(ssl_state);
327 
328  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
329 
330  FAIL_IF(PacketAlertCheck(p1, 1));
331 
332  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
333  server_hello, sizeof(server_hello));
334 
335  FAIL_IF(r != 0);
336 
337  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
338 
339  FAIL_IF(PacketAlertCheck(p2, 1));
340 
341  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
342  certificate, sizeof(certificate));
343 
344  FAIL_IF(r != 0);
345 
346  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
347 
348  FAIL_IF_NOT(PacketAlertCheck(p3, 1));
349 
350  if (alp_tctx != NULL)
351  AppLayerParserThreadCtxFree(alp_tctx);
352  if (det_ctx != NULL)
353  DetectEngineThreadCtxDeinit(&tv, det_ctx);
354  if (de_ctx != NULL)
355  SigGroupCleanup(de_ctx);
356  if (de_ctx != NULL)
357  DetectEngineCtxFree(de_ctx);
358 
359  StreamTcpFreeConfig(TRUE);
360  FLOW_DESTROY(&f);
361  UTHFreePacket(p1);
362  UTHFreePacket(p2);
363  UTHFreePacket(p3);
364 
365  PASS;
366 }
367 
368 static void DetectTlsSerialRegisterTests(void)
369 {
370  UtRegisterTest("DetectTlsSerialTest01", DetectTlsSerialTest01);
371  UtRegisterTest("DetectTlsSerialTest02", DetectTlsSerialTest02);
372 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2228
TcpSession_
Definition: stream-tcp-private.h:257
Packet_::flow
struct Flow_ * flow
Definition: decode.h:445
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:344
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1936
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:762
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:274
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:561
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2761
Signature_
Signature container.
Definition: detect.h:517
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:317
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:756
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2969
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:226
Flow_::alstate
void * alstate
Definition: flow.h:438
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:757
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1882
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:805
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:167
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:439
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:248
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1953
SigMatch_::type
uint8_t type
Definition: detect.h:314
Packet_
Definition: decode.h:407
mpm_default_matcher
int mpm_default_matcher
Definition: util-mpm.h:170
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:410
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1090
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:996
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409
Packet_::flags
uint32_t flags
Definition: decode.h:443
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2065
Flow_::protomap
uint8_t protomap
Definition: flow.h:404
Flow_
Flow data structure.
Definition: flow.h:325
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:94
Flow_::flags
uint32_t flags
Definition: flow.h:379
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1088
SigMatch_
a single match condition for a signature
Definition: detect.h:313
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1155
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2020