detect-tls-version.c
1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 /**
26  * \test DetectTlsVersionTestParse01 makes sure that a valid "tls.version"
27  * option value is parsed correctly
28  */
static int DetectTlsVersionTestParse01 (void)
{
    DetectTlsVersionData *tls = NULL;
    /* "1.0" is a value the keyword accepts, so the parser must hand back
     * an allocated object rather than NULL */
    tls = DetectTlsVersionParse(NULL, "1.0");
    FAIL_IF_NULL(tls);
    /* NOTE(review): the parsed value (tls->ver) is not asserted here —
     * confirm it is compared against TLS_VERSION_10 upstream. */
    DetectTlsVersionFree(NULL, tls);
    PASS;
}
38 
39 /**
40  * \test DetectTlsVersionTestParse02 makes sure that an invalid "tls.version"
41  * option value is rejected:
42  * the parser should return NULL
43  */
static int DetectTlsVersionTestParse02 (void)
{
    /* "2.5" is not a version the keyword accepts; the parser has to reject
     * it with NULL instead of returning a partially filled object */
    DetectTlsVersionData *parsed = DetectTlsVersionParse(NULL, "2.5");
    FAIL_IF_NOT_NULL(parsed);
    /* only reached with parsed == NULL (the check above fails the test
     * otherwise); kept so the teardown mirrors the valid-input test */
    DetectTlsVersionFree(NULL, parsed);
    PASS;
}
52 
53 #include "stream-tcp-reassemble.h"
54 
55 /** \test Send a TLS record header in three chunks + more data. */
static int DetectTlsVersionTestDetect01(void)
{
    Flow f;
    /* The record header is delivered one byte per parser call: content type
     * 0x16 (asserted below), then the two record-version bytes 0x03 0x01
     * (the wire encoding TLS 1.0 uses). Feeding it byte-wise presumably
     * exercises the parser's handling of headers split across chunks. */
    uint8_t tlsbuf1[] = { 0x16 };
    uint32_t tlslen1 = sizeof(tlsbuf1);
    uint8_t tlsbuf2[] = { 0x03 };
    uint32_t tlslen2 = sizeof(tlsbuf2);
    uint8_t tlsbuf3[] = { 0x01 };
    uint32_t tlslen3 = sizeof(tlsbuf3);
    /* Start of the record body; its trailing 0x03 0x01 is the version the
     * tls.version:1.0 rule below is expected to match — assumption, the
     * alert check after detection is not visible here. */
    uint8_t tlsbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 };
    uint32_t tlslen4 = sizeof(tlsbuf4);
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    /* NOTE(review): the declaration/allocation of de_ctx and alp_tctx used
     * below, and the signature group build, are not visible here — confirm
     * against upstream. */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    /* NOTE(review): p is dereferenced below without a NULL check; a failed
     * packet allocation crashes the test instead of failing it. */

    /* bind the packet to a TCP flow already classified as TLS so the
     * app-layer parser and the tls rule both apply to it */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    p->flow = &f;
    f.alproto = ALPROTO_TLS;



    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; tls.version:1.0; sid:1;)");
    FAIL_IF_NULL(s);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* every chunk must be accepted by the parser (non-zero = parse error) */
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
            STREAM_TOSERVER, tlsbuf1, tlslen1);
    FAIL_IF(r != 0);

    /* NOTE(review): the leading line of each of the next three parser calls
     * is not visible here; only the argument tails remain. */
    tlsbuf2, tlslen2);
    FAIL_IF(r != 0);

    tlsbuf3, tlslen3);
    FAIL_IF(r != 0);

    tlsbuf4, tlslen4);
    FAIL_IF(r != 0);

    SSLState *ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    /* the parser must have reassembled the header across the three chunks:
     * 0x16 is the content type byte sent in tlsbuf1 */
    FAIL_IF(ssl_state->client_connp.content_type != 0x16);


    SCLogDebug("ssl_state is at %p, ssl_state->server_version 0x%02X "
               "ssl_state->client_version 0x%02X",
               ssl_state, ssl_state->server_connp.version,
               ssl_state->client_connp.version);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    /* NOTE(review): no alert assertion on sid 1 is visible after this
     * point — confirm the match result is checked upstream. */



    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    FLOW_DESTROY(&f);

    UTHFreePackets(&p, 1);

    PASS;
}
149 
/** \test Same chunked TLS record setup as DetectTlsVersionTestDetect01, but
 *  the record body carries version bytes 0x03 0x02 while the rule still asks
 *  for tls.version:1.0. Presumably the negative case — the alert check after
 *  detection is not visible here. */
static int DetectTlsVersionTestDetect02(void)
{
    Flow f;
    /* record header delivered one byte per parser call: content type 0x16
     * (asserted below), then the two record-version bytes */
    uint8_t tlsbuf1[] = { 0x16 };
    uint32_t tlslen1 = sizeof(tlsbuf1);
    uint8_t tlsbuf2[] = { 0x03 };
    uint32_t tlslen2 = sizeof(tlsbuf2);
    uint8_t tlsbuf3[] = { 0x01 };
    uint32_t tlslen3 = sizeof(tlsbuf3);
    /* only difference from Detect01: the body ends in 0x03 0x02 */
    uint8_t tlsbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 };
    uint32_t tlslen4 = sizeof(tlsbuf4);
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    /* NOTE(review): the declaration/allocation of de_ctx and alp_tctx used
     * below, and the signature group build, are not visible here — confirm
     * against upstream. */

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    /* NOTE(review): p is dereferenced below without a NULL check; a failed
     * packet allocation crashes the test instead of failing it. */

    /* bind the packet to a TCP flow already classified as TLS */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    p->flow = &f;
    f.alproto = ALPROTO_TLS;



    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; tls.version:1.0; sid:1;)");
    FAIL_IF_NULL(s);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* every chunk must be accepted by the parser (non-zero = parse error) */
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
            STREAM_TOSERVER, tlsbuf1, tlslen1);
    FAIL_IF(r != 0);

    /* NOTE(review): the leading line of each of the next three parser calls
     * is not visible here; only the argument tails remain. */
    tlsbuf2, tlslen2);
    FAIL_IF(r != 0);

    tlsbuf3, tlslen3);
    FAIL_IF(r != 0);

    tlsbuf4, tlslen4);
    FAIL_IF(r != 0);

    SSLState *ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    /* header reassembled across the three chunks: 0x16 came in tlsbuf1 */
    FAIL_IF(ssl_state->client_connp.content_type != 0x16);


    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    /* NOTE(review): no alert assertion on sid 1 is visible after this
     * point — confirm the (expected non-)match is checked upstream. */



    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    FLOW_DESTROY(&f);

    UTHFreePackets(&p, 1);

    PASS;
}
238 
239 /**
240  * \brief this function registers unit tests for DetectTlsVersion
241  */
static void DetectTlsVersionRegisterTests(void)
{
    /* name/function pairs, registered in declaration order */
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectTlsVersionTestParse01", DetectTlsVersionTestParse01 },
        { "DetectTlsVersionTestParse02", DetectTlsVersionTestParse02 },
        { "DetectTlsVersionTestDetect01", DetectTlsVersionTestDetect01 },
        { "DetectTlsVersionTestDetect02", DetectTlsVersionTestDetect02 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}