/src/suricata7/src/detect-tls-sni.c
Line | Count | Source |
1 | | /* Copyright (C) 2007-2016 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Mats Klepsland <mats.klepsland@gmail.com> |
22 | | * |
23 | | * Implements support for tls.sni keyword. |
24 | | */ |
25 | | |
26 | | #include "suricata-common.h" |
27 | | #include "threads.h" |
28 | | #include "decode.h" |
29 | | #include "detect.h" |
30 | | |
31 | | #include "detect-parse.h" |
32 | | #include "detect-engine.h" |
33 | | #include "detect-engine-mpm.h" |
34 | | #include "detect-content.h" |
35 | | #include "detect-pcre.h" |
36 | | |
37 | | #include "flow.h" |
38 | | #include "flow-util.h" |
39 | | #include "flow-var.h" |
40 | | |
41 | | #include "util-debug.h" |
42 | | #include "util-spm.h" |
43 | | #include "util-print.h" |
44 | | |
45 | | #include "stream-tcp.h" |
46 | | |
47 | | #include "app-layer.h" |
48 | | #include "app-layer-ssl.h" |
49 | | #include "detect-engine-prefilter.h" |
50 | | #include "detect-tls-sni.h" |
51 | | |
52 | | #include "util-unittest.h" |
53 | | #include "util-unittest-helper.h" |
54 | | |
55 | | static int DetectTlsSniSetup(DetectEngineCtx *, Signature *, const char *); |
56 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
57 | | const DetectEngineTransforms *transforms, |
58 | | Flow *f, const uint8_t flow_flags, |
59 | | void *txv, const int list_id); |
60 | | static int g_tls_sni_buffer_id = 0; |
61 | | |
62 | | /** |
63 | | * \brief Registration function for keyword: tls.sni |
64 | | */ |
65 | | void DetectTlsSniRegister(void) |
66 | 73 | { |
67 | 73 | sigmatch_table[DETECT_AL_TLS_SNI].name = "tls.sni"; |
68 | 73 | sigmatch_table[DETECT_AL_TLS_SNI].alias = "tls_sni"; |
69 | 73 | sigmatch_table[DETECT_AL_TLS_SNI].desc = |
70 | 73 | "sticky buffer to match specifically and only on the TLS SNI buffer"; |
71 | 73 | sigmatch_table[DETECT_AL_TLS_SNI].url = "/rules/tls-keywords.html#tls-sni"; |
72 | 73 | sigmatch_table[DETECT_AL_TLS_SNI].Setup = DetectTlsSniSetup; |
73 | 73 | sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT; |
74 | 73 | sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_INFO_STICKY_BUFFER; |
75 | | |
76 | 73 | DetectAppLayerInspectEngineRegister2("tls.sni", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, |
77 | 73 | DetectEngineInspectBufferGeneric, GetData); |
78 | | |
79 | 73 | DetectAppLayerMpmRegister2("tls.sni", SIG_FLAG_TOSERVER, 2, |
80 | 73 | PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0); |
81 | | |
82 | 73 | DetectBufferTypeSetDescriptionByName("tls.sni", |
83 | 73 | "TLS Server Name Indication (SNI) extension"); |
84 | | |
85 | 73 | g_tls_sni_buffer_id = DetectBufferTypeGetByName("tls.sni"); |
86 | 73 | } |
87 | | |
88 | | |
89 | | /** |
90 | | * \brief this function setup the tls.sni modifier keyword used in the rule |
91 | | * |
92 | | * \param de_ctx Pointer to the Detection Engine Context |
93 | | * \param s Pointer to the Signature to which the current keyword belongs |
94 | | * \param str Should hold an empty string always |
95 | | * |
96 | | * \retval 0 On success |
97 | | * \retval -1 On failure |
98 | | */ |
99 | | static int DetectTlsSniSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) |
100 | 308 | { |
101 | 308 | if (DetectBufferSetActiveList(de_ctx, s, g_tls_sni_buffer_id) < 0) |
102 | 3 | return -1; |
103 | | |
104 | 305 | if (DetectSignatureSetAppProto(s, ALPROTO_TLS) < 0) |
105 | 121 | return -1; |
106 | | |
107 | 184 | return 0; |
108 | 305 | } |
109 | | |
110 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
111 | | const DetectEngineTransforms *transforms, Flow *f, |
112 | | const uint8_t flow_flags, void *txv, const int list_id) |
113 | 72 | { |
114 | 72 | InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); |
115 | 72 | if (buffer->inspect == NULL) { |
116 | 54 | const SSLState *ssl_state = (SSLState *)f->alstate; |
117 | | |
118 | 54 | if (ssl_state->client_connp.sni == NULL) { |
119 | 14 | return NULL; |
120 | 14 | } |
121 | | |
122 | 40 | const uint32_t data_len = strlen(ssl_state->client_connp.sni); |
123 | 40 | const uint8_t *data = (uint8_t *)ssl_state->client_connp.sni; |
124 | | |
125 | 40 | InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); |
126 | 40 | InspectionBufferApplyTransforms(buffer, transforms); |
127 | 40 | } |
128 | | |
129 | 58 | return buffer; |
130 | 72 | } |