tests_2detect-tls-ja3s-hash_8c_source.html

 /* Copyright (C) 2019 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
  * Software Foundation.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * version 2 along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  * 02110-1301, USA.
  */

 /**
  * \file
  *
  * \author Mats Klepsland <mats.klepsland@gmail.com>
  *
  */

 #ifndef HAVE_NSS

 static void DetectTlsJa3SHashRegisterTests(void)
 {
     /* Don't register any tests */
 }

 #else /* HAVE_NSS */

 /**
  * \test Test matching on a JA3S hash from a ServerHello record
  */
 static int DetectTlsJa3SHashTest01(void)
 {
     /* client hello */
     uint8_t client_hello[] = {
             0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
             0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
             0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
             0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
             0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
             0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
             0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
             0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
             0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
             0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
             0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
             0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
             0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
             0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
             0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
             0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
             0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
             0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
             0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
             0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
             0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
             0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
             0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
             0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
             0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
             0x03, 0x04, 0x02, 0x02, 0x02
     };

     /* server hello */
     uint8_t server_hello[] = {
             0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
             0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
             0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
             0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
             0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
             0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
             0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
             0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
             0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
             0x0b, 0x00, 0x02, 0x01, 0x00
     };

     Flow f;
     SSLState *ssl_state = NULL;
     TcpSession ssn;
     Packet *p1 = NULL;
     Packet *p2 = NULL;
     ThreadVars tv;
     DetectEngineThreadCtx *det_ctx = NULL;
     AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

     memset(&tv, 0, sizeof(ThreadVars));
     memset(&f, 0, sizeof(Flow));
     memset(&ssn, 0, sizeof(TcpSession));

     p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
                             "192.168.1.5", "192.168.1.1", 51251, 443);
     p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
                             "192.168.1.1", "192.168.1.5", 443, 51251);

     FLOW_INITIALIZE(&f);
     f.flags |= FLOW_IPV4;
     f.proto = IPPROTO_TCP;
     f.protomap = FlowGetProtoMapping(f.proto);
     f.alproto = ALPROTO_TLS;

     p1->flow = &f;
     p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
     p1->flowflags |= FLOW_PKT_TOSERVER;
     p1->flowflags |= FLOW_PKT_ESTABLISHED;
     p1->pcap_cnt = 1;

     p2->flow = &f;
     p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
     p2->flowflags |= FLOW_PKT_TOCLIENT;
     p2->flowflags |= FLOW_PKT_ESTABLISHED;
     p2->pcap_cnt = 2;

     StreamTcpInitConfig(TRUE);

     DetectEngineCtx *de_ctx = DetectEngineCtxInit();
     FAIL_IF_NULL(de_ctx);

     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;

     Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
                                 "(msg:\"Test ja3s.hash\"; "
                                 "ja3s.hash; "
                                 "content:\"8217013c502e3461d19c75bb02a12aaf\"; "
                                 "sid:1;)");
     FAIL_IF_NULL(s);

     SigGroupBuild(de_ctx);
     DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

     int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                                 STREAM_TOSERVER, client_hello,
                                 sizeof(client_hello));

     FAIL_IF(r != 0);

     ssl_state = f.alstate;
     FAIL_IF_NULL(ssl_state);

     SigMatchSignatures(&tv, de_ctx, det_ctx, p1);

     FAIL_IF(PacketAlertCheck(p1, 1));

     r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
                             server_hello, sizeof(server_hello));

     FAIL_IF(r != 0);

     FAIL_IF_NULL(ssl_state->server_connp.ja3_hash);

     SigMatchSignatures(&tv, de_ctx, det_ctx, p2);

     FAIL_IF_NOT(PacketAlertCheck(p2, 1));

     AppLayerParserThreadCtxFree(alp_tctx);
     DetectEngineThreadCtxDeinit(&tv, det_ctx);
     DetectEngineCtxFree(de_ctx);
     StreamTcpFreeConfig(TRUE);
     FLOW_DESTROY(&f);
     UTHFreePacket(p1);
     UTHFreePacket(p2);

     PASS;
 }

 void DetectTlsJa3SHashRegisterTests(void)
 {
     UtRegisterTest("DetectTlsJa3SHashTest01", DetectTlsJa3SHashTest01);
 }

 #endif /* HAVE_NSS */
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2216

TcpSession_
Definition: stream-tcp-private.h:257

Packet_::flow
struct Flow_ * flow
Definition: decode.h:443

PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138

Flow_::proto
uint8_t proto
Definition: flow.h:344

SSLStateConnp_::ja3_hash
char * ja3_hash
Definition: app-layer-ssl.h:212

PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105

SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:249

FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71

AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:272

FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95

FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203

StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669

AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83

Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:561

DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2384

Signature_
Signature container.
Definition: detect.h:496

TRUE
#define TRUE
Definition: suricata-common.h:33

DetectEngineCtx_
main detection engine ctx
Definition: detect.h:724

DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2592

SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:226

Flow_::alstate
void * alstate
Definition: flow.h:438

DE_QUIET
#define DE_QUIET
Definition: detect.h:296

DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:725

FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119

SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1892

DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:773

UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103

SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1742

StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365

UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:167

Packet_::flowflags
uint8_t flowflags
Definition: decode.h:437

STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32

FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:201

AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:246

Packet_
Definition: decode.h:405

mpm_default_matcher
int mpm_default_matcher
Definition: util-mpm.h:170

FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39

STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31

UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:410

PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1092

FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89

ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57

DetectEngineThreadCtx_
Definition: detect.h:966

FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202

Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409

Packet_::flags
uint32_t flags
Definition: decode.h:441

DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1686

Flow_::protomap
uint8_t protomap
Definition: flow.h:404

Flow_
Flow data structure.
Definition: flow.h:325

FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:94

Flow_::flags
uint32_t flags
Definition: flow.h:379

PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1090

ALPROTO_TLS
Definition: app-layer-protos.h:33

FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82

AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1131

DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1641