suricata
detect-tls-certs.c
Go to the documentation of this file.
1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  */
24 
25 #include "detect-engine-build.h"
26 #include "detect-engine-alert.h"
27 #include "app-layer-parser.h"
28 
29 /**
30  * \test Test that a signature containing tls.certs is correctly parsed
31  * and that the keyword is registered.
32  */
33 static int DetectTlsCertsTest01(void)
34 {
35  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
36  FAIL_IF_NULL(de_ctx);
37  de_ctx->flags |= DE_QUIET;
38  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
39  "(msg:\"Testing tls.certs\"; tls.certs; "
40  "content:\"|01 02 03 04 05|\"; sid:1;)");
41  FAIL_IF_NULL(de_ctx->sig_list);
42 
43  /* sm should not be in the MATCH list */
44  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
45  FAIL_IF_NOT_NULL(sm);
46 
47  sm = DetectBufferGetFirstSigMatch(s, g_tls_certs_buffer_id);
48  FAIL_IF_NULL(sm);
49 
50  FAIL_IF(sm->type != DETECT_CONTENT);
51  FAIL_IF_NOT_NULL(sm->next);
52 
53  DetectEngineCtxFree(de_ctx);
54  PASS;
55 }
56 
57 /**
58  * \test Test matching on bytes in a certificate
59  */
60 static int DetectTlsCertsTest02(void)
61 {
62  /* client hello */
63  uint8_t client_hello[] = {
64  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
65  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
66  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
67  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
68  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
69  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
70  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
71  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
72  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
73  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
74  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
75  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
76  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
77  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
78  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
79  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
80  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
81  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
82  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
83  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
84  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
85  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
86  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
87  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
88  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
89  0x03, 0x04, 0x02, 0x02, 0x02
90  };
91 
92  /* server hello */
93  uint8_t server_hello[] = {
94  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
95  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
96  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
97  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
98  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
99  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
100  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
101  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
102  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
103  0x0b, 0x00, 0x02, 0x01, 0x00
104  };
105 
106  /* certificate */
107  uint8_t certificate[] = {
108  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
109  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
110  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
111  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
112  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
113  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
114  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
115  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
116  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
117  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
118  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
119  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
120  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
121  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
122  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
123  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
124  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
125  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
126  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
127  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
128  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
129  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
130  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
131  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
132  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
133  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
134  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
135  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
136  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
137  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
138  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
139  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
140  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
141  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
142  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
143  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
144  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
145  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
146  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
147  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
148  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
149  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
150  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
151  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
152  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
153  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
154  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
155  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
156  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
157  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
158  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
159  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
160  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
161  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
162  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
163  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
164  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
165  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
166  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
167  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
168  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
169  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
170  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
171  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
172  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
173  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
174  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
175  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
176  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
177  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
178  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
179  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
180  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
181  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
182  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
183  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
184  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
185  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
186  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
187  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
188  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
189  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
190  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
191  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
192  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
193  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
194  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
195  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
196  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
197  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
198  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
199  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
200  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
201  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
202  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
203  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
204  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
205  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
206  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
207  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
208  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
209  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
210  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
211  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
212  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
213  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
214  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
215  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
216  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
217  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
218  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
219  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
220  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
221  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
222  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
223  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
224  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
225  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
226  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
227  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
228  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
229  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
230  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
231  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
232  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
233  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
234  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
235  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
236  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
237  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
238  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
239  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
240  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
241  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
242  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
243  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
244  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
245  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
246  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
247  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
248  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
249  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
250  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
251  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
252  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
253  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
254  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
255  };
256 
257  Flow f;
258  SSLState *ssl_state = NULL;
259  TcpSession ssn;
260  Packet *p1 = NULL;
261  Packet *p2 = NULL;
262  Packet *p3 = NULL;
263  ThreadVars tv;
264  DetectEngineThreadCtx *det_ctx = NULL;
265  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
266 
267  memset(&tv, 0, sizeof(ThreadVars));
268  memset(&f, 0, sizeof(Flow));
269  memset(&ssn, 0, sizeof(TcpSession));
270 
271  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
272  "192.168.1.5", "192.168.1.1", 51251, 443);
273  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
274  "192.168.1.1", "192.168.1.5", 443, 51251);
275  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
276  "192.168.1.1", "192.168.1.5", 443, 51251);
277 
278  FLOW_INITIALIZE(&f);
279  f.flags |= FLOW_IPV4;
280  f.proto = IPPROTO_TCP;
281  f.protomap = FlowGetProtoMapping(f.proto);
282  f.alproto = ALPROTO_TLS;
283 
284  p1->flow = &f;
285  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
286  p1->flowflags |= FLOW_PKT_TOSERVER;
287  p1->flowflags |= FLOW_PKT_ESTABLISHED;
288  p1->pcap_cnt = 1;
289 
290  p2->flow = &f;
291  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
292  p2->flowflags |= FLOW_PKT_TOCLIENT;
293  p2->flowflags |= FLOW_PKT_ESTABLISHED;
294  p2->pcap_cnt = 2;
295 
296  p3->flow = &f;
297  p3->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
298  p3->flowflags |= FLOW_PKT_TOCLIENT;
299  p3->flowflags |= FLOW_PKT_ESTABLISHED;
300  p3->pcap_cnt = 3;
301 
302  StreamTcpInitConfig(true);
303 
304  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
305  FAIL_IF_NULL(de_ctx);
306 
307  de_ctx->mpm_matcher = mpm_default_matcher;
308  de_ctx->flags |= DE_QUIET;
309 
310  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
311  "(msg:\"Test tls.certs\"; tls.certs; "
312  "content:\"|06 09 2a 86 48|\"; sid:1;)");
313  FAIL_IF_NULL(s);
314 
315  SigGroupBuild(de_ctx);
316  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
317 
318  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
319  STREAM_TOSERVER, client_hello,
320  sizeof(client_hello));
321 
322  FAIL_IF(r != 0);
323 
324  ssl_state = f.alstate;
325  FAIL_IF_NULL(ssl_state);
326 
327  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
328 
329  FAIL_IF(PacketAlertCheck(p1, 1));
330 
331  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
332  server_hello, sizeof(server_hello));
333 
334  FAIL_IF(r != 0);
335 
336  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
337 
338  FAIL_IF(PacketAlertCheck(p2, 1));
339 
340  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
341  certificate, sizeof(certificate));
342 
343  FAIL_IF(r != 0);
344 
345  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
346 
347  FAIL_IF_NOT(PacketAlertCheck(p3, 1));
348  AppLayerParserThreadCtxFree(alp_tctx);
349  DetectEngineThreadCtxDeinit(&tv, det_ctx);
350  DetectEngineCtxFree(de_ctx);
351  StreamTcpFreeConfig(true);
352  FLOW_DESTROY(&f);
353  UTHFreePacket(p1);
354  UTHFreePacket(p2);
355  UTHFreePacket(p3);
356 
357  PASS;
358 }
359 
360 static void DetectTlsCertsRegisterTests(void)
361 {
362  UtRegisterTest("DetectTlsCertsTest01", DetectTlsCertsTest01);
363  UtRegisterTest("DetectTlsCertsTest02", DetectTlsCertsTest02);
364 }
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:296
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1325
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:586
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1264
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:70
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:592
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:510
Flow_
Flow data structure.
Definition: flow.h:356
Flow_::protomap
uint8_t protomap
Definition: flow.h:450
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2611
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:300
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1938
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:504
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:260
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:461
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1093
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3347
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:353
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:844
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
app-layer-parser.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:98
Packet_
Definition: decode.h:473
detect-engine-build.h
detect-engine-alert.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:670
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:233
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2144
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:279
Packet_::flow
struct Flow_ * flow
Definition: decode.h:512
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:792
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1265
SigMatch_::type
uint16_t type
Definition: detect.h:350
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3574
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:849
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467
Flow_::alstate
void * alstate
Definition: flow.h:481
Flow_::flags
uint32_t flags
Definition: flow.h:426
Signature_
Signature container.
Definition: detect.h:601
SigMatch_
a single match condition for a signature
Definition: detect.h:349
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:234
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2572
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1261