1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  */
24 
25 /**
26  * \test Test matching on a simple client hello packet
27  */
static int DetectTlsJa3StringTest01(void)
{
    /* Client hello: one raw TLS record. The first bytes are the record
     * header (0x16 = handshake content type, 0x03 0x03 = version) followed
     * by handshake type 0x01 (ClientHello). The trailing ASCII bytes
     * 0x67 0x6F 0x6F 0x67 0x6C 0x65 0x2E 0x63 0x6F 0x6D spell "google.com",
     * the value of the single (0x0000 server_name) extension. */
    uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E,
                      0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
                      0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
                      0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
                      0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
                      0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
                      0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
                      0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
                      0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
                      0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
                      0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
                      0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
                      0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
                      0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
                      0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
                      0x6F, 0x6D, };


    /* Minimal flow / thread / session scaffolding, all stack allocated and
     * zeroed below so no field carries garbage into the parser. */
    Flow f;
    SSLState *ssl_state = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    TcpSession ssn;
    /* NOTE(review): the rendered listing omits source line 54 here; nothing
     * on this page shows what it contained. */

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* Build a TCP packet whose payload is the ClientHello above; the
     * addresses and ports are test constants, 443 being the destination. */
    Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
                                   "192.168.1.5", "192.168.1.1",
                                   41424, 443);

    /* Mark the flow as IPv4/TCP with a TCP session context attached. */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.proto = IPPROTO_TCP;
    /* NOTE(review): source line 68 is omitted in this rendering. */

    /* Attach the packet to the flow and pin the app-layer protocol to TLS
     * so the parser call below does not depend on protocol detection. */
    p->flow = &f;
    /* NOTE(review): source lines 71-72 are omitted in this rendering;
     * the page's symbol index lists PKT_HAS_FLOW / FLOW_PKT_TOSERVER /
     * FLOW_PKT_ESTABLISHED / PKT_STREAM_EST, so they presumably set packet
     * and flow flags — confirm against the upstream file. */
    f.alproto = ALPROTO_TLS;

    StreamTcpInitConfig(true);

    /* NOTE(review): source lines 77-78 and 80 are omitted in this rendering.
     * alp_tctx and de_ctx are used below but not declared in the visible
     * text; the symbol index lists AppLayerParserThreadCtxAlloc() and
     * DetectEngineCtxInit(), so those lines presumably allocate them
     * (and FAIL_IF_NULL them) — verify against the upstream file. */
    de_ctx->flags |= DE_QUIET;

    /* The ja3.string buffer is matched with a plain content keyword.
     * The decimal values correspond to the last cipher-suite ids present in
     * buf (0x41, 0x44, 0x45, 0x66-0x6B, 0x84, 0x87, 0xFF), then ",0" for the
     * single extension id 0x0000, then two empty fields. The exact JA3
     * string layout is defined in util-ja3, which is not on this page. */
    Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
                                         "(msg:\"Test ja3.string\"; ja3.string; "
                                         "content:\"-65-68-69-102-103-104-105-106-107-132-135-255,0,,\"; "
                                         "sid:1;)");
    FAIL_IF_NULL(s);

    /* NOTE(review): source line 89 is omitted in this rendering; the symbol
     * index lists SigGroupBuild(), which presumably is called here. */
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* Feed the whole record to the TLS parser in the to-server direction;
     * a non-zero return means the parser rejected the input. */
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                                STREAM_TOSERVER, buf, sizeof(buf));
    FAIL_IF(r != 0);

    ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    /* The parser must have produced a JA3 string for the client side before
     * the ja3.string keyword has anything to match on. */
    FAIL_IF_NULL(ssl_state->client_connp.ja3_str);
    FAIL_IF_NULL(ssl_state->client_connp.ja3_str->data);

    /* Run detection on the packet. */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    /* NOTE(review): source lines 104 and 106 are omitted in this rendering;
     * the symbol index lists PacketAlertCheck() and FAIL_IF_NOT, so the
     * assertion that sid 1 alerted presumably lives here — without it the
     * visible test only proves the signature parses and the parser runs. */

    DetectEngineThreadCtxDeinit(&tv, det_ctx);
    /* NOTE(review): source line 108 is omitted in this rendering; the symbol
     * index lists DetectEngineCtxFree() and AppLayerParserThreadCtxFree(),
     * the natural counterparts of the allocations above. */

    /* Tear down in reverse order of setup. */
    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);

    PASS;
}
116 
/**
 * \brief Register the unit tests of the ja3.string keyword.
 *
 * Each entry of the table below is handed to UtRegisterTest() under the
 * given name; the table form keeps adding a test to a one-line change.
 */
static void DetectTlsJa3StringRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectTlsJa3StringTest01", DetectTlsJa3StringTest01 },
    };

    for (unsigned i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}