suricata
util-lua-ja3.c
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 
19 /**
20  * \file
21  *
22  * \author Mats Klepsland <mats.klepsland@gmail.com>
23  *
24  */
25 
26 #include "suricata-common.h"
27 #include "detect.h"
28 #include "pkt-var.h"
29 #include "conf.h"
30 
31 #include "threads.h"
32 #include "threadvars.h"
33 #include "tm-threads.h"
34 
35 #include "util-print.h"
36 #include "util-unittest.h"
37 
38 #include "util-debug.h"
39 
40 #include "output.h"
41 #include "app-layer.h"
42 #include "app-layer-parser.h"
43 #include "app-layer-ssl.h"
44 #include "util-privs.h"
45 #include "util-buffer.h"
46 #include "util-proto-name.h"
47 #include "util-logopenfile.h"
48 #include "util-time.h"
49 
50 #include "lua.h"
51 #include "lualib.h"
52 #include "lauxlib.h"
53 
54 #include "util-lua.h"
55 #include "util-lua-common.h"
56 #include "util-lua-ja3.h"
57 
/**
 * \brief Lua callback: hand the client-side JA3 hash of the current flow
 *        to the calling script.
 *
 * Each guard below ends the call through LuaCallbackError() with its own
 * message, so a script can tell "not TLS" apart from "no hash stored".
 *
 * \param luastate Lua state the callback was invoked from
 *
 * \retval int value returned by LuaPushStringBuffer() on success, or by
 *             LuaCallbackError() when a guard fails
 */
static int Ja3GetHash(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS)) {
        return LuaCallbackError(luastate, "error: protocol is not tls");
    }

    Flow *flow = LuaStateGetFlow(luastate);
    if (!flow) {
        return LuaCallbackError(luastate, "internal error: no flow");
    }

    /* The protocol guard above is the only thing visible here that
     * justifies reading the app-layer state as an SSLState. */
    SSLState *tls = (SSLState *)FlowGetAppState(flow);
    if (!tls) {
        return LuaCallbackError(luastate, "error: no app layer state");
    }

    const char *hash = tls->client_connp.ja3_hash;
    if (!hash) {
        return LuaCallbackError(luastate, "error: no JA3 hash");
    }

    /* The hash is handled as a NUL-terminated C string: its length comes
     * from strlen(), not from a stored size. */
    return LuaPushStringBuffer(luastate, (const uint8_t *)hash, strlen(hash));
}
80 
/**
 * \brief Lua callback: hand the client-side JA3 string of the current flow
 *        to the calling script.
 *
 * The bytes pushed are client_connp.ja3_str->data, with the length taken
 * from the buffer's own `used` counter rather than from a terminator.
 *
 * \param luastate Lua state the callback was invoked from
 *
 * \retval int value returned by LuaPushStringBuffer() on success, or by
 *             LuaCallbackError() when a guard fails
 */
static int Ja3GetString(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS)) {
        return LuaCallbackError(luastate, "error: protocol is not tls");
    }

    Flow *flow = LuaStateGetFlow(luastate);
    if (!flow) {
        return LuaCallbackError(luastate, "internal error: no flow");
    }

    /* The protocol guard above is the only thing visible here that
     * justifies reading the app-layer state as an SSLState. */
    SSLState *tls = (SSLState *)FlowGetAppState(flow);
    if (!tls) {
        return LuaCallbackError(luastate, "error: no app layer state");
    }

    /* A missing buffer and a buffer without data are reported alike. */
    if (!tls->client_connp.ja3_str) {
        return LuaCallbackError(luastate, "error: no JA3 str");
    }
    const char *raw = tls->client_connp.ja3_str->data;
    if (!raw) {
        return LuaCallbackError(luastate, "error: no JA3 str");
    }

    /* NOTE(review): `used` is trusted as the number of valid bytes in
     * `data`; confirm against util-ja3 that it never exceeds the
     * allocation and does not count a trailing NUL. */
    size_t raw_len = tls->client_connp.ja3_str->used;
    return LuaPushStringBuffer(luastate, (const uint8_t *)raw, raw_len);
}
104 
/**
 * \brief Lua callback: hand the server-side JA3S hash of the current flow
 *        to the calling script.
 *
 * Same guard sequence as the client-side getter, but the value is read
 * from server_connp instead of client_connp.
 *
 * \param luastate Lua state the callback was invoked from
 *
 * \retval int value returned by LuaPushStringBuffer() on success, or by
 *             LuaCallbackError() when a guard fails
 */
static int Ja3SGetHash(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS)) {
        return LuaCallbackError(luastate, "error: protocol is not tls");
    }

    Flow *flow = LuaStateGetFlow(luastate);
    if (!flow) {
        return LuaCallbackError(luastate, "internal error: no flow");
    }

    /* The protocol guard above is the only thing visible here that
     * justifies reading the app-layer state as an SSLState. */
    SSLState *tls = (SSLState *)FlowGetAppState(flow);
    if (!tls) {
        return LuaCallbackError(luastate, "error: no app layer state");
    }

    const char *hash = tls->server_connp.ja3_hash;
    if (!hash) {
        return LuaCallbackError(luastate, "error: no JA3S hash");
    }

    /* The hash is handled as a NUL-terminated C string: its length comes
     * from strlen(), not from a stored size. */
    return LuaPushStringBuffer(luastate, (const uint8_t *)hash, strlen(hash));
}
127 
/**
 * \brief Lua callback: hand the server-side JA3S string of the current flow
 *        to the calling script.
 *
 * The bytes pushed are server_connp.ja3_str->data, with the length taken
 * from the buffer's own `used` counter rather than from a terminator.
 *
 * \param luastate Lua state the callback was invoked from
 *
 * \retval int value returned by LuaPushStringBuffer() on success, or by
 *             LuaCallbackError() when a guard fails
 */
static int Ja3SGetString(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS)) {
        return LuaCallbackError(luastate, "error: protocol is not tls");
    }

    Flow *flow = LuaStateGetFlow(luastate);
    if (!flow) {
        return LuaCallbackError(luastate, "internal error: no flow");
    }

    /* The protocol guard above is the only thing visible here that
     * justifies reading the app-layer state as an SSLState. */
    SSLState *tls = (SSLState *)FlowGetAppState(flow);
    if (!tls) {
        return LuaCallbackError(luastate, "error: no app layer state");
    }

    /* A missing buffer and a buffer without data are reported alike. */
    if (!tls->server_connp.ja3_str) {
        return LuaCallbackError(luastate, "error: no JA3S str");
    }
    const char *raw = tls->server_connp.ja3_str->data;
    if (!raw) {
        return LuaCallbackError(luastate, "error: no JA3S str");
    }

    /* NOTE(review): `used` is trusted as the number of valid bytes in
     * `data`; confirm against util-ja3 that it never exceeds the
     * allocation and does not count a trailing NUL. */
    size_t raw_len = tls->server_connp.ja3_str->used;
    return LuaPushStringBuffer(luastate, (const uint8_t *)raw, raw_len);
}
151 
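/**
 * \brief Register JA3 Lua extensions
 *
 * Installs the four JA3/JA3S getters as global functions in the given Lua
 * state, under the same names as their C implementations.
 *
 * The getters expose values stored on the flow's TLS state for the client
 * and server side of the connection. Those values describe what the remote
 * peers sent in the handshake, so scripts should use them as a matching
 * signal and not as an authenticated identity.
 *
 * \param luastate Lua state to register the functions in
 *
 * \retval 0 always
 */
int LuaRegisterJa3Functions(lua_State *luastate)
{
    /* Client side (JA3). */
    lua_pushcfunction(luastate, Ja3GetHash);
    lua_setglobal(luastate, "Ja3GetHash");

    lua_pushcfunction(luastate, Ja3GetString);
    lua_setglobal(luastate, "Ja3GetString");

    /* Server side (JA3S). */
    lua_pushcfunction(luastate, Ja3SGetHash);
    lua_setglobal(luastate, "Ja3SGetHash");

    lua_pushcfunction(luastate, Ja3SGetString);
    lua_setglobal(luastate, "Ja3SGetString");

    return 0;
}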
tm-threads.h
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:290
util-lua-common.h
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:308
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:309
util-lua.h
LuaCallbackError
int LuaCallbackError(lua_State *luastate, const char *msg)
Definition: util-lua-common.c:59
SSLStateConnp_::ja3_hash
char * ja3_hash
Definition: app-layer-ssl.h:272
threads.h
Flow_
Flow data structure.
Definition: flow.h:360
util-lua-ja3.h
JA3Buffer_::data
char * data
Definition: util-ja3.h:32
util-privs.h
util-unittest.h
lua_State
struct lua_State lua_State
Definition: suricata-common.h:500
JA3Buffer_::used
size_t used
Definition: util-ja3.h:34
util-debug.h
util-print.h
detect.h
pkt-var.h
util-time.h
app-layer-parser.h
conf.h
util-proto-name.h
LuaRegisterJa3Functions
int LuaRegisterJa3Functions(lua_State *luastate)
Register JA3 Lua extensions.
Definition: util-lua-ja3.c:153
suricata-common.h
threadvars.h
util-logopenfile.h
util-buffer.h
LuaStateGetFlow
Flow * LuaStateGetFlow(lua_State *luastate)
get flow pointer from lua state
Definition: util-lua.c:161
SSLStateConnp_::ja3_str
JA3Buffer * ja3_str
Definition: app-layer-ssl.h:271
LuaStateNeedProto
int LuaStateNeedProto(lua_State *luastate, AppProto alproto)
Definition: util-lua-common.c:995
app-layer-ssl.h
output.h
LuaPushStringBuffer
int LuaPushStringBuffer(lua_State *luastate, const uint8_t *input, size_t input_len)
Definition: util-lua.c:319
app-layer.h