/* Copyright (C) 2007-2019 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 *
 */

/**
 * \test DetectTlsVersionTestParse01 checks that the tls.version keyword
 * parser accepts a valid version string ("1.0") and returns a non-NULL
 * DetectTlsVersionData.
 */
static int DetectTlsVersionTestParse01 (void)
{
    /* "1.0" is a version string the keyword must accept, so the parser
     * has to hand back an allocated object.
     * NOTE(review): the listing does not assert the parsed value itself;
     * worth checking it maps to TLS 1.0 once the field name is confirmed. */
    DetectTlsVersionData *parsed = DetectTlsVersionParse("1.0");
    FAIL_IF_NULL(parsed);

    DetectTlsVersionFree(parsed);
    PASS;
}
38 
/**
 * \test DetectTlsVersionTestParse02 checks that the tls.version keyword
 * parser rejects an invalid version string ("2.5") by returning NULL.
 */
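static int DetectTlsVersionTestParse02 (void)
{
    /* "2.5" is not a TLS version the keyword knows, so the parser must
     * reject it by returning NULL rather than producing a partially
     * initialised match object. */
    DetectTlsVersionData *tls = DetectTlsVersionParse("2.5");
    FAIL_IF_NOT_NULL(tls);

    /* Nothing to free: the assertion above guarantees tls is NULL, so the
     * DetectTlsVersionFree(tls) call that followed it was dead code. */
    PASS;
}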
52 
53 #include "stream-tcp-reassemble.h"
54 
/** \test A TLS 1.0 ClientHello whose record header is delivered one byte at a
 *  time, followed by the rest of the record; a tls.version:1.0 rule must match. */
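static int DetectTlsVersionTestDetect01(void)
{
    Flow f;
    /* TLS record header delivered one byte per parser call: content type
     * handshake (0x16), then record-layer version 0x0301 (TLS 1.0).
     * Splitting the header across calls is deliberate: it exercises the
     * parser's handling of a fragmented record, which is a classic way to
     * evade a parser that expects the 5-byte header in one piece. */
    uint8_t tlsbuf1[] = { 0x16 };
    uint32_t tlslen1 = sizeof(tlsbuf1);
    uint8_t tlsbuf2[] = { 0x03 };
    uint32_t tlslen2 = sizeof(tlsbuf2);
    uint8_t tlsbuf3[] = { 0x01 };
    uint32_t tlslen3 = sizeof(tlsbuf3);
    /* Remainder of the record plus the start of the handshake; the last two
     * bytes carry version 0x0301 (TLS 1.0) again.
     * NOTE(review): read strictly as RFC 5246 framing the record length here
     * would be 0x0100 and the handshake type 0x00, so the bytes look one off
     * from a well-formed ClientHello; confirm what the parser actually
     * consumes before making it stricter, or this test will start failing. */
    uint8_t tlsbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 };
    uint32_t tlslen4 = sizeof(tlsbuf4);
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    /* Parser thread context: the listing used alp_tctx without declaring it
     * and releases it with AppLayerParserThreadCtxFree() below. */
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    FAIL_IF_NULL(alp_tctx);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    FAIL_IF_NULL(p);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    p->flow = &f;
    /* Mark the packet as to-server on an established flow so the detect
     * engine treats it as app-layer TLS traffic. */
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    f.alproto = ALPROTO_TLS;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; tls.version:1.0; sid:1;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* Each call must succeed even though the record header is incomplete
     * until the third one arrives. */
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                                STREAM_TOSERVER, tlsbuf1, tlslen1);
    FAIL_IF(r != 0);

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
                            tlsbuf2, tlslen2);
    FAIL_IF(r != 0);

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
                            tlsbuf3, tlslen3);
    FAIL_IF(r != 0);

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
                            tlsbuf4, tlslen4);
    FAIL_IF(r != 0);

    SSLState *ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    /* The reassembled header must have been recognised as a handshake
     * record. */
    FAIL_IF(ssl_state->client_connp.content_type != 0x16);

    SCLogDebug("ssl_state is at %p, ssl_state->server_version 0x%02X "
               "ssl_state->client_version 0x%02X",
               ssl_state, ssl_state->server_connp.version,
               ssl_state->client_connp.version);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    /* Both the record layer and the hello advertise 3.1, so the
     * tls.version:1.0 rule (sid 1) must fire. */
    FAIL_IF_NOT(PacketAlertCheck(p, 1));

    AppLayerParserThreadCtxFree(alp_tctx);
    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);

    UTHFreePackets(&p, 1);

    PASS;
}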
149 
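/**
 * \test Same fragmented delivery as DetectTlsVersionTestDetect01, but the
 * hello bytes advertise 0x0302 (TLS 1.1) while the record layer still says
 * 0x0301. This separates the two version fields a tls.version rule could be
 * keyed on.
 */
static int DetectTlsVersionTestDetect02(void)
{
    Flow f;
    /* Record header one byte per parser call: handshake (0x16), then
     * record-layer version 0x0301 (TLS 1.0). */
    uint8_t tlsbuf1[] = { 0x16 };
    uint32_t tlslen1 = sizeof(tlsbuf1);
    uint8_t tlsbuf2[] = { 0x03 };
    uint32_t tlslen2 = sizeof(tlsbuf2);
    uint8_t tlsbuf3[] = { 0x01 };
    uint32_t tlslen3 = sizeof(tlsbuf3);
    /* Remainder of the record; the final two bytes carry 0x0302 (TLS 1.1),
     * the only difference from DetectTlsVersionTestDetect01.
     * NOTE(review): as in Detect01 the framing looks one byte off from a
     * well-formed ClientHello when read strictly; confirm what the parser
     * consumes before tightening it. */
    uint8_t tlsbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 };
    uint32_t tlslen4 = sizeof(tlsbuf4);
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    /* Parser thread context: the listing used alp_tctx without declaring it
     * and releases it with AppLayerParserThreadCtxFree() below. */
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    FAIL_IF_NULL(alp_tctx);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    FAIL_IF_NULL(p);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    p->flow = &f;
    /* Mark the packet as to-server on an established flow so the detect
     * engine treats it as app-layer TLS traffic. */
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    f.alproto = ALPROTO_TLS;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; tls.version:1.0; sid:1;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                                STREAM_TOSERVER, tlsbuf1, tlslen1);
    FAIL_IF(r != 0);

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
                            tlsbuf2, tlslen2);
    FAIL_IF(r != 0);

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
                            tlsbuf3, tlslen3);
    FAIL_IF(r != 0);

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
                            tlsbuf4, tlslen4);
    FAIL_IF(r != 0);

    SSLState *ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    /* The reassembled header must have been recognised as a handshake
     * record. */
    FAIL_IF(ssl_state->client_connp.content_type != 0x16);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    /* NOTE(review): the listing does not show whether sid 1 is expected to
     * fire here. The record layer says 3.1 and the hello says 3.2, so the
     * outcome depends on which field ends up in client_connp.version; a
     * match keyed on the record-layer version would report TLS 1.0 for a
     * client that offers 1.1 (clients commonly pin the record-layer
     * version to 3.1 for compatibility). Confirm against the tls.version
     * match code and pin the result with PacketAlertCheck(p, 1). */

    AppLayerParserThreadCtxFree(alp_tctx);
    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);

    UTHFreePackets(&p, 1);

    PASS;
}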
238 
239 /**
240  * \brief this function registers unit tests for DetectTlsVersion
241  */
static void DetectTlsVersionRegisterTests(void)
{
    /* Registered in this order: the two keyword-parser tests first, then
     * the two end-to-end detection tests. */
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectTlsVersionTestParse01", DetectTlsVersionTestParse01 },
        { "DetectTlsVersionTestParse02", DetectTlsVersionTestParse02 },
        { "DetectTlsVersionTestDetect01", DetectTlsVersionTestDetect01 },
        { "DetectTlsVersionTestDetect02", DetectTlsVersionTestDetect02 },
    };

    for (unsigned i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}