/* Copyright (C) 2007-2019 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \brief Unit tests for the tls.sni sticky-buffer keyword: a canned TLS
 *        ClientHello is pushed through the TLS app-layer parser and rules
 *        using tls.sni (with content and pcre) are matched against it.
 *
 * \author Mats Klepsland <mats.klepsland@gmail.com>
 *
 */

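/**
 * \test Test matching on a simple google.com SNI
 *
 * Feeds one TLS 1.2 ClientHello carrying a server_name extension for
 * "google.com" through the TLS app-layer parser, then runs detection with
 * rules that use the tls.sni sticky buffer.  The positive rule (sid 1) must
 * alert; a rule for an unrelated host name (sid 2) must stay silent, so the
 * test proves the buffer is actually the SNI and not just "any TLS".
 *
 * NOTE(review): the rendered listing this block was recovered from dropped a
 * handful of lines (its own numbering skips 53, 67, 70-71, 74, 76-77, 79, 87,
 * 100, 102, 104 and 106).  Those statements are restored below from the
 * symbols the listing references (AppLayerParserThreadCtxAlloc,
 * FlowGetProtoMapping, PKT_HAS_FLOW/PKT_STREAM_EST, FLOW_PKT_TOSERVER/
 * FLOW_PKT_ESTABLISHED, StreamTcpInitConfig, DetectEngineCtxInit,
 * mpm_default_matcher, SigGroupBuild, PacketAlertCheck and the matching
 * teardown calls).  Verify the exact form against upstream.
 *
 * \retval 1 on success (PASS), 0 on the first failed FAIL_IF* check.
 */
static int DetectTlsSniTest01(void)
{
    /* TLS 1.2 ClientHello record.  Layout, for anyone editing the fixture:
     *   [0]        0x16             record type: handshake
     *   [1..2]     0x03 0x03        record version TLS 1.2
     *   [3..4]     0x00 0x84        record length 132 (= bytes [5..136])
     *   [5]        0x01             handshake type: client_hello
     *   [6..8]     0x00 0x00 0x80   handshake length 128 (= bytes [9..136])
     *   [9..10]    client version; [11..42] 32-byte random;
     *   [43]       session id length 0;
     *   [44..45]   cipher suite list length 68; [46..113] 34 cipher suites;
     *   [114..115] one compression method (null);
     *   [116..117] extensions length 19;
     *   [118..136] server_name extension: type 0x0000, length 15, list
     *              length 13, name type host_name (0), name length 10,
     *              "google.com".
     * The fixture as originally published carried a handshake length of 0x7E
     * (126) although the body that follows is 128 bytes (the record length
     * already said 132 = 4 + 128).  The parser presumably tolerated the
     * short value since the test expects a match; it is 0x80 here so the
     * fixture is self-consistent and no longer depends on that leniency. */
    uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x80,
                      0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
                      0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
                      0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
                      0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
                      0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
                      0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
                      0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
                      0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
                      0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
                      0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
                      0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
                      0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
                      0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
                      0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
                      0x6F, 0x6D, };

    Flow f;
    SSLState *ssl_state = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    TcpSession ssn;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    FAIL_IF_NULL(alp_tctx);

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* Client 192.168.1.5:41424 -> server 192.168.1.1:443; the payload is
     * the ClientHello above. */
    Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
                                   "192.168.1.5", "192.168.1.1",
                                   41424, 443);
    FAIL_IF_NULL(p);

    /* Minimal established TCP flow so the app-layer parser and the
     * detection engine accept the packet as to-server TLS traffic. */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.proto = IPPROTO_TCP;
    f.protomap = FlowGetProtoMapping(f.proto);

    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
    f.alproto = ALPROTO_TLS;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->mpm_matcher = mpm_default_matcher;
    de_ctx->flags |= DE_QUIET;

    /* Positive case.  Note that content:"google.com" on tls.sni is a plain
     * substring match: it would also fire on "google.com.example" or
     * "notgoogle.com".  Rules that need the exact host must anchor it,
     * e.g. with pcre:"/^google\.com$/i". */
    Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
            "(msg:\"Test tls.sni option\"; "
            "tls.sni; content:\"google.com\"; sid:1;)");
    FAIL_IF_NULL(s);

    /* Negative control: a host name that does not occur in the SNI must not
     * alert, otherwise a match here would say nothing about the buffer. */
    s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
            "(msg:\"Test tls.sni option, must not match\"; "
            "tls.sni; content:\"example.com\"; sid:2;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* The init's TmEcode is not checked upstream; det_ctx stays NULL if it
     * failed, so guard on that instead. */
    FAIL_IF_NULL(det_ctx);

    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                                STREAM_TOSERVER, buf, sizeof(buf));
    FAIL_IF(r != 0);

    ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    /* do detect */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    FAIL_IF_NOT(PacketAlertCheck(p, 1));
    FAIL_IF(PacketAlertCheck(p, 2));

    /* Teardown only runs on the success path: the FAIL_* macros appear to
     * return straight out of the test, which is the convention in this
     * suite. */
    AppLayerParserThreadCtxFree(alp_tctx);
    DetectEngineThreadCtxDeinit(&tv, det_ctx);
    DetectEngineCtxFree(de_ctx);
    StreamTcpFreeConfig(TRUE);

    FLOW_DESTROY(&f);
    UTHFreePacket(p);

    PASS;
}
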
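/**
 * \test Test matching on a simple google.com SNI with pcre
 *
 * Same ClientHello fixture as DetectTlsSniTest01.  Exercises tls.sni
 * together with pcre: sid 1 anchors the end of the buffer, sid 2 uses a
 * relative (R) pcre that must start right after the content match, and sid 3
 * is a negative control whose relative pcre cannot match the ".com" that
 * follows "google".
 *
 * NOTE(review): the rendered listing this block was recovered from dropped a
 * handful of lines (its own numbering skips 141, 155, 158-159, 162, 164-165,
 * 167, 182, 195-196, 198, 200 and 202).  Those statements are restored below
 * from the symbols the listing references (AppLayerParserThreadCtxAlloc,
 * FlowGetProtoMapping, PKT_HAS_FLOW/PKT_STREAM_EST, FLOW_PKT_TOSERVER/
 * FLOW_PKT_ESTABLISHED, StreamTcpInitConfig, DetectEngineCtxInit,
 * mpm_default_matcher, SigGroupBuild, PacketAlertCheck and the matching
 * teardown calls).  Verify the exact form against upstream.
 *
 * \retval 1 on success (PASS), 0 on the first failed FAIL_IF* check.
 */
static int DetectTlsSniTest02(void)
{
    /* TLS 1.2 ClientHello record, byte-identical to DetectTlsSniTest01:
     * 5-byte record header (length 132), 4-byte handshake header (length
     * 128), then version, 32-byte random, empty session id, 34 cipher
     * suites, null compression and a 19-byte extensions block holding one
     * server_name extension for "google.com".  The handshake length was
     * published as 0x7E (126) although 128 bytes follow it; it is 0x80 here
     * so the fixture is self-consistent. */
    uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x80,
                      0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
                      0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
                      0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
                      0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
                      0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
                      0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
                      0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
                      0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
                      0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
                      0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
                      0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
                      0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
                      0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
                      0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
                      0x6F, 0x6D, };

    Flow f;
    SSLState *ssl_state = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    TcpSession ssn;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    FAIL_IF_NULL(alp_tctx);

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* Client 192.168.1.5:41424 -> server 192.168.1.1:443. */
    Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
                                   "192.168.1.5", "192.168.1.1",
                                   41424, 443);
    FAIL_IF_NULL(p);

    /* Minimal established TCP flow so the app-layer parser and the
     * detection engine accept the packet as to-server TLS traffic. */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.proto = IPPROTO_TCP;
    f.protomap = FlowGetProtoMapping(f.proto);

    p->flow = &f;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
    f.alproto = ALPROTO_TLS;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->mpm_matcher = mpm_default_matcher;
    de_ctx->flags |= DE_QUIET;

    /* sid 1: content prefilter plus an end-anchored pcre.  Only the end is
     * anchored, so "evilgoogle.com" would still match; a rule that needs
     * the exact host should use /^google\.com$/i. */
    Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
            "(msg:\"Test tls.sni option\"; "
            "tls.sni; content:\"google\"; nocase; "
            "pcre:\"/google\\.com$/i\"; sid:1;)");
    FAIL_IF_NULL(s);

    /* sid 2: relative pcre (R) that has to start right after "google" and
     * consume a 2-3 letter TLD up to the end of the buffer. */
    s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
            "(msg:\"Test tls.sni option\"; "
            "tls.sni; content:\"google\"; nocase; "
            "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
    FAIL_IF_NULL(s);

    /* sid 3: negative control, same content but a relative pcre for a TLD
     * that is not present; must not alert. */
    s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
            "(msg:\"Test tls.sni option, must not match\"; "
            "tls.sni; content:\"google\"; nocase; "
            "pcre:\"/^\\.net$/iR\"; sid:3;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* The init's TmEcode is not checked upstream; det_ctx stays NULL if it
     * failed, so guard on that instead. */
    FAIL_IF_NULL(det_ctx);

    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                                STREAM_TOSERVER, buf, sizeof(buf));
    FAIL_IF(r != 0);

    ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    /* do detect */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    FAIL_IF_NOT(PacketAlertCheck(p, 1));
    FAIL_IF_NOT(PacketAlertCheck(p, 2));
    FAIL_IF(PacketAlertCheck(p, 3));

    /* Teardown only runs on the success path: the FAIL_* macros appear to
     * return straight out of the test, which is the convention in this
     * suite. */
    AppLayerParserThreadCtxFree(alp_tctx);
    DetectEngineThreadCtxDeinit(&tv, det_ctx);
    DetectEngineCtxFree(de_ctx);
    StreamTcpFreeConfig(TRUE);

    FLOW_DESTROY(&f);
    UTHFreePacket(p);

    PASS;
}
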
/**
 * \brief Register the tls.sni unit tests with the unittest runner.
 *
 * Table-driven so adding a case is a one-line change.  Registration order
 * is the table order, which is the same order as the explicit calls this
 * replaces.
 */
static void DetectTlsSniRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectTlsSniTest01", DetectTlsSniTest01 },
        { "DetectTlsSniTest02", DetectTlsSniTest02 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}