suricata
detect-tls-ja3s-hash.c
Go to the documentation of this file.
1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  */
24 
25 #ifndef HAVE_NSS
26 
27 static void DetectTlsJa3SHashRegisterTests(void)
28 {
29  /* Don't register any tests */
30 }
31 
32 #else /* HAVE_NSS */
33 
34 /**
35  * \test Test matching on a JA3S hash from a ServerHello record
36  */
37 static int DetectTlsJa3SHashTest01(void)
38 {
39  /* client hello */
40  uint8_t client_hello[] = {
41  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
42  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
43  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
44  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
45  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
46  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
47  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
48  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
49  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
50  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
51  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
52  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
53  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
54  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
55  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
56  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
57  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
58  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
59  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
60  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
61  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
62  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
63  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
64  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
65  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
66  0x03, 0x04, 0x02, 0x02, 0x02
67  };
68 
69  /* server hello */
70  uint8_t server_hello[] = {
71  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
72  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
73  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
74  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
75  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
76  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
77  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
78  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
79  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
80  0x0b, 0x00, 0x02, 0x01, 0x00
81  };
82 
83  Flow f;
84  SSLState *ssl_state = NULL;
85  TcpSession ssn;
86  Packet *p1 = NULL;
87  Packet *p2 = NULL;
88  ThreadVars tv;
89  DetectEngineThreadCtx *det_ctx = NULL;
90  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
91 
92  memset(&tv, 0, sizeof(ThreadVars));
93  memset(&f, 0, sizeof(Flow));
94  memset(&ssn, 0, sizeof(TcpSession));
95 
96  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
97  "192.168.1.5", "192.168.1.1", 51251, 443);
98  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
99  "192.168.1.1", "192.168.1.5", 443, 51251);
100 
101  FLOW_INITIALIZE(&f);
102  f.flags |= FLOW_IPV4;
103  f.proto = IPPROTO_TCP;
104  f.protomap = FlowGetProtoMapping(f.proto);
105  f.alproto = ALPROTO_TLS;
106 
107  p1->flow = &f;
108  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
109  p1->flowflags |= FLOW_PKT_TOSERVER;
110  p1->flowflags |= FLOW_PKT_ESTABLISHED;
111  p1->pcap_cnt = 1;
112 
113  p2->flow = &f;
114  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
115  p2->flowflags |= FLOW_PKT_TOCLIENT;
116  p2->flowflags |= FLOW_PKT_ESTABLISHED;
117  p2->pcap_cnt = 2;
118 
119  StreamTcpInitConfig(TRUE);
120 
121  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
122  FAIL_IF_NULL(de_ctx);
123 
124  de_ctx->mpm_matcher = mpm_default_matcher;
125  de_ctx->flags |= DE_QUIET;
126 
127  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
128  "(msg:\"Test ja3s.hash\"; "
129  "ja3s.hash; "
130  "content:\"8217013c502e3461d19c75bb02a12aaf\"; "
131  "sid:1;)");
132  FAIL_IF_NULL(s);
133 
134  SigGroupBuild(de_ctx);
135  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
136 
137  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
138  STREAM_TOSERVER, client_hello,
139  sizeof(client_hello));
140 
141  FAIL_IF(r != 0);
142 
143  ssl_state = f.alstate;
144  FAIL_IF_NULL(ssl_state);
145 
146  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
147 
148  FAIL_IF(PacketAlertCheck(p1, 1));
149 
150  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
151  server_hello, sizeof(server_hello));
152 
153  FAIL_IF(r != 0);
154 
155  FAIL_IF_NULL(ssl_state->server_connp.ja3_hash);
156 
157  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
158 
159  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
160 
161  AppLayerParserThreadCtxFree(alp_tctx);
162  DetectEngineThreadCtxDeinit(&tv, det_ctx);
163  DetectEngineCtxFree(de_ctx);
164  StreamTcpFreeConfig(TRUE);
165  FLOW_DESTROY(&f);
166  UTHFreePacket(p1);
167  UTHFreePacket(p2);
168 
169  PASS;
170 }
171 
172 void DetectTlsJa3SHashRegisterTests(void)
173 {
174  UtRegisterTest("DetectTlsJa3SHashTest01", DetectTlsJa3SHashTest01);
175 }
176 
177 #endif /* HAVE_NSS */
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:233
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1087
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:564
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:256
Flow_::proto
uint8_t proto
Definition: flow.h:361
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
SSLStateConnp_::ja3_hash
char * ja3_hash
Definition: app-layer-ssl.h:219
Packet_::flags
uint32_t flags
Definition: decode.h:446
Flow_
Flow data structure.
Definition: flow.h:343
Flow_::protomap
uint8_t protomap
Definition: flow.h:420
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2089
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:442
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:241
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:815
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:94
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1668
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
Packet_
Definition: decode.h:411
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1878
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2338
Packet_::flow
struct Flow_ * flow
Definition: decode.h:448
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2793
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1171
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3001
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:484
Flow_::alstate
void * alstate
Definition: flow.h:454
mpm_default_matcher
int mpm_default_matcher
Definition: util-mpm.c:49
Flow_::flags
uint32_t flags
Definition: flow.h:396
Signature_
Signature container.
Definition: detect.h:527
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:220
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
TcpSession_
Definition: stream-tcp-private.h:260
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1085