1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  */
24 
25 /**
26  * \test Test matching on a simple google.com SNI
27  */
/**
 * \brief Unit test: a tls.sni content match on "google.com".
 *
 * Builds a TCP packet carrying a TLS ClientHello whose server_name
 * extension ends in the ASCII bytes "google.com", feeds it to the TLS
 * app-layer parser on a to-server flow and runs one signature
 * (`tls.sni; content:"google.com"`) against the packet.
 *
 * \retval 1 on pass (PASS), 0 via the FAIL_IF* macros otherwise.
 */
static int DetectTlsSniTest01(void)
{
    /* client hello: one TLS handshake record (0x16, version 0x0303); the
     * final ten bytes 0x67 0x6F 0x6F 0x67 0x6C 0x65 0x2E 0x63 0x6F 0x6D
     * spell "google.com", the SNI value the signature below matches on */
    uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7E,
                      0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
                      0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
                      0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
                      0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
                      0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
                      0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
                      0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
                      0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
                      0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
                      0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
                      0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
                      0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
                      0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
                      0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
                      0x6F, 0x6D, };

    Flow f;
    SSLState *ssl_state = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    TcpSession ssn;
    /* NOTE(review): the rendered listing omits gutter line 53 here. alp_tctx
     * is used by AppLayerParserParse() and AppLayerParserThreadCtxFree()
     * below, so its declaration/allocation must be on that line in the
     * original source — confirm against the repository before editing. */

    /* zero the stack structures: the flow/session/thread vars are later
     * freed via FLOW_DESTROY/Deinit, which expect initialised fields */
    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* client 192.168.1.5:41424 -> server 192.168.1.1:443, payload = buf */
    Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
                                   "192.168.1.5", "192.168.1.1",
                                   41424, 443);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.proto = IPPROTO_TCP;
    /* NOTE(review): gutter line 67 is missing from the listing (expected to
     * be further flow setup) — confirm against the original source. */

    p->flow = &f;
    /* NOTE(review): gutter lines 70-71 are missing from the listing; they
     * presumably set the packet's flow/stream flags — confirm in source. */
    f.alproto = ALPROTO_TLS;

    /* NOTE(review): gutter line 74 is missing from the listing. */

    /* NOTE(review): gutter line 76 is missing from the listing; de_ctx is
     * checked on the next line and used throughout, so its creation must
     * be there in the original source — confirm before editing. */
    FAIL_IF_NULL(de_ctx);

    /* NOTE(review): gutter line 79 is missing from the listing. */
    /* DE_QUIET: keep the engine from logging during the unit test */
    de_ctx->flags |= DE_QUIET;

    /* the signature under test: exact (case-sensitive) match of the SNI
     * buffer against "google.com" */
    Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
                                         "(msg:\"Test tls.sni option\"; "
                                         "tls.sni; content:\"google.com\"; sid:1;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* parse the ClientHello in the to-server direction; 0 means the TLS
     * parser accepted the record */
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                                STREAM_TOSERVER, buf, sizeof(buf));
    FAIL_IF(r != 0);

    /* the parser must have attached TLS state to the flow */
    ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    /* do detect */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    /* NOTE(review): gutter line 100 is missing from the listing. In the text
     * as rendered nothing asserts that sid 1 actually alerted, so the test
     * would pass whenever parsing succeeds; the alert check is presumably
     * the omitted line — confirm it is present in the original source. */

    AppLayerParserThreadCtxFree(alp_tctx);
    DetectEngineThreadCtxDeinit(&tv, det_ctx);
    DetectEngineCtxFree(de_ctx);

    /* NOTE(review): gutter line 106 is missing from the listing. */
    FLOW_DESTROY(&f);
    UTHFreePacket(p);

    PASS;
}
112 
113 /**
114  * \test Test matching on a simple google.com SNI with pcre
115  */
/**
 * \brief Unit test: tls.sni content match combined with pcre.
 *
 * Uses the same "google.com" ClientHello as DetectTlsSniTest01 and loads
 * two signatures on the tls.sni buffer:
 *  - sid 1: `content:"google"; nocase;` followed by `pcre:"/google\.com$/i"`
 *  - sid 2: `content:"google"; nocase;` followed by a pcre with the `R`
 *    (relative) modifier, `/^\.[a-z]{2,3}$/iR`, which must match the
 *    remainder of the buffer right after the content match
 *
 * \retval 1 on pass (PASS), 0 via the FAIL_IF* macros otherwise.
 */
static int DetectTlsSniTest02(void)
{
    /* client hello: identical bytes to DetectTlsSniTest01; the trailing
     * 0x67 0x6F 0x6F 0x67 0x6C 0x65 0x2E 0x63 0x6F 0x6D is "google.com" */
    uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7E,
                      0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
                      0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
                      0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
                      0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
                      0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
                      0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
                      0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
                      0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
                      0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
                      0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
                      0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
                      0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
                      0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
                      0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
                      0x6F, 0x6D, };

    Flow f;
    SSLState *ssl_state = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    TcpSession ssn;
    /* NOTE(review): the rendered listing omits gutter line 141 here. alp_tctx
     * is used by AppLayerParserParse() and AppLayerParserThreadCtxFree()
     * below, so its declaration/allocation must be on that line in the
     * original source — confirm against the repository before editing. */

    /* zero the stack structures before the flow/session/thread setup */
    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* client 192.168.1.5:41424 -> server 192.168.1.1:443, payload = buf */
    Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
                                   "192.168.1.5", "192.168.1.1",
                                   41424, 443);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    f.proto = IPPROTO_TCP;
    /* NOTE(review): gutter line 155 is missing from the listing (expected to
     * be further flow setup) — confirm against the original source. */

    p->flow = &f;
    /* NOTE(review): gutter lines 158-159 are missing from the listing; they
     * presumably set the packet's flow/stream flags — confirm in source. */
    f.alproto = ALPROTO_TLS;

    /* NOTE(review): gutter line 162 is missing from the listing. */

    /* NOTE(review): gutter line 164 is missing from the listing; de_ctx is
     * checked on the next line and used throughout, so its creation must
     * be there in the original source — confirm before editing. */
    FAIL_IF_NULL(de_ctx);

    /* NOTE(review): gutter line 167 is missing from the listing. */
    /* DE_QUIET: keep the engine from logging during the unit test */
    de_ctx->flags |= DE_QUIET;

    /* sid 1: case-insensitive "google" prefilter, then a pcre anchored at
     * the end of the SNI buffer */
    Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
                                         "(msg:\"Test tls.sni option\"; "
                                         "tls.sni; content:\"google\"; nocase; "
                                         "pcre:\"/google\\.com$/i\"; sid:1;)");
    FAIL_IF_NULL(s);

    /* sid 2: same content, then a relative (R) pcre that must match the
     * TLD part (".com") directly after the "google" match */
    s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
                              "(msg:\"Test tls.sni option\"; "
                              "tls.sni; content:\"google\"; nocase; "
                              "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    /* parse the ClientHello in the to-server direction; 0 means the TLS
     * parser accepted the record */
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                                STREAM_TOSERVER, buf, sizeof(buf));
    FAIL_IF(r != 0);

    /* the parser must have attached TLS state to the flow */
    ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    /* do detect */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    /* NOTE(review): gutter lines 195-196 are missing from the listing. In
     * the text as rendered nothing asserts that sid 1 and sid 2 alerted, so
     * the test would pass whenever parsing succeeds; the two alert checks
     * are presumably the omitted lines — confirm they exist in the source. */

    AppLayerParserThreadCtxFree(alp_tctx);
    DetectEngineThreadCtxDeinit(&tv, det_ctx);
    DetectEngineCtxFree(de_ctx);

    /* NOTE(review): gutter line 202 is missing from the listing. */
    FLOW_DESTROY(&f);
    UTHFreePacket(p);

    PASS;
}
208 
/**
 * \brief Register the tls.sni unit tests with the unittest runner.
 *
 * Registration order is kept as Test01 then Test02 so the runner sees
 * the same sequence as before.
 */
static void DetectTlsSniRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectTlsSniTest01", DetectTlsSniTest01 },
        { "DetectTlsSniTest02", DetectTlsSniTest02 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}