suricata
detect-tls-ja3-string.c
Go to the documentation of this file.
1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  */
24 
25 #ifndef HAVE_NSS
26 
27 static void DetectTlsJa3StringRegisterTests(void)
28 {
29  /* Don't register any tests */
30 }
31 
32 #else /* HAVE_NSS */
33 
34 /**
35  * \test Test matching on a simple client hello packet
36  */
37 static int DetectTlsJa3StringTest01(void)
38 {
39  /* Client hello */
40  uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7E,
41  0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
42  0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
43  0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
44  0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
45  0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
46  0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
47  0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
48  0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
49  0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
50  0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
51  0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
52  0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
53  0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
54  0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
55  0x6F, 0x6D, };
56 
57 
58  Flow f;
59  SSLState *ssl_state = NULL;
60  ThreadVars tv;
61  DetectEngineThreadCtx *det_ctx = NULL;
62  TcpSession ssn;
64 
65  memset(&tv, 0, sizeof(ThreadVars));
66  memset(&f, 0, sizeof(Flow));
67  memset(&ssn, 0, sizeof(TcpSession));
68 
69  Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
70  "192.168.1.5", "192.168.1.1",
71  41424, 443);
72 
73  FLOW_INITIALIZE(&f);
74  f.protoctx = (void *)&ssn;
75  f.flags |= FLOW_IPV4;
76  f.proto = IPPROTO_TCP;
78 
79  p->flow = &f;
82  f.alproto = ALPROTO_TLS;
83 
85 
87  FAIL_IF_NULL(de_ctx);
88 
90  de_ctx->flags |= DE_QUIET;
91 
92  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
93  "(msg:\"Test ja3.string\"; ja3.string; "
94  "content:\"-65-68-69-102-103-104-105-106-107-132-135-255,0,,\"; "
95  "sid:1;)");
96  FAIL_IF_NULL(s);
97 
98  SigGroupBuild(de_ctx);
99  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
100 
101  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
102  STREAM_TOSERVER, buf, sizeof(buf));
103  FAIL_IF(r != 0);
104 
105  ssl_state = f.alstate;
106  FAIL_IF_NULL(ssl_state);
107 
108  FAIL_IF_NULL(ssl_state->client_connp.ja3_str);
109  FAIL_IF_NULL(ssl_state->client_connp.ja3_str->data);
110 
111  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
112 
114 
115  AppLayerParserThreadCtxFree(alp_tctx);
116  DetectEngineThreadCtxDeinit(&tv, det_ctx);
117  DetectEngineCtxFree(de_ctx);
118 
120  FLOW_DESTROY(&f);
121  UTHFreePacket(p);
122 
123  PASS;
124 }
125 
126 static void DetectTlsJa3StringRegisterTests(void)
127 {
128  UtRegisterTest("DetectTlsJa3StringTest01", DetectTlsJa3StringTest01);
129 }
130 
131 #endif /* HAVE_NSS */
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
struct Flow_ * flow
Definition: decode.h:445
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:344
#define PASS
Pass the test.
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
char * data
Definition: util-ja3.h:30
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Signature container.
Definition: detect.h:522
#define TRUE
void * protoctx
Definition: flow.h:400
main detection engine ctx
Definition: detect.h:761
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SSLv[2.0|3.[0|1|2|3]] state structure.
void * alstate
Definition: flow.h:438
#define DE_QUIET
Definition: detect.h:292
uint8_t flags
Definition: detect.h:762
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint16_t mpm_matcher
Definition: detect.h:810
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1669
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
uint8_t flowflags
Definition: decode.h:439
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
int mpm_default_matcher
Definition: util-mpm.h:170
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
#define PKT_HAS_FLOW
Definition: decode.h:1093
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
Per thread variable structure.
Definition: threadvars.h:57
JA3Buffer * ja3_str
AppProto alproto
application level protocol
Definition: flow.h:409
uint32_t flags
Definition: decode.h:443
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
uint8_t protomap
Definition: flow.h:404
Flow data structure.
Definition: flow.h:325
#define FLOW_IPV4
Definition: flow.h:94
uint32_t flags
Definition: flow.h:379
SSLStateConnp client_connp
#define PKT_STREAM_EST
Definition: decode.h:1091
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DetectEngineCtx * DetectEngineCtxInit(void)