/src/suricata7/src/detect-tls-cert-serial.c
Line | Count | Source |
1 | | /* Copyright (C) 2017-2022 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Mats Klepsland <mats.klepsland@gmail.com> |
22 | | * |
23 | | * Implements support for tls.cert_serial keyword. |
24 | | */ |
25 | | |
26 | | #include "suricata-common.h" |
27 | | #include "threads.h" |
28 | | #include "decode.h" |
29 | | #include "detect.h" |
30 | | |
31 | | #include "detect-parse.h" |
32 | | #include "detect-engine.h" |
33 | | #include "detect-engine-mpm.h" |
34 | | #include "detect-engine-prefilter.h" |
35 | | #include "detect-content.h" |
36 | | #include "detect-pcre.h" |
37 | | |
38 | | #include "flow.h" |
39 | | #include "flow-util.h" |
40 | | #include "flow-var.h" |
41 | | |
42 | | #include "util-debug.h" |
43 | | #include "util-spm.h" |
44 | | #include "util-print.h" |
45 | | |
46 | | #include "stream-tcp.h" |
47 | | |
48 | | #include "app-layer.h" |
49 | | #include "app-layer-ssl.h" |
50 | | #include "detect-tls-cert-serial.h" |
51 | | |
52 | | #include "util-unittest.h" |
53 | | #include "util-unittest-helper.h" |
54 | | |
55 | | static int DetectTlsSerialSetup(DetectEngineCtx *, Signature *, const char *); |
56 | | #ifdef UNITTESTS |
57 | | static void DetectTlsSerialRegisterTests(void); |
58 | | #endif |
59 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
60 | | const DetectEngineTransforms *transforms, |
61 | | Flow *f, const uint8_t flow_flags, |
62 | | void *txv, const int list_id); |
63 | | static void DetectTlsSerialSetupCallback(const DetectEngineCtx *de_ctx, |
64 | | Signature *s); |
65 | | static bool DetectTlsSerialValidateCallback(const Signature *s, |
66 | | const char **sigerror); |
67 | | static int g_tls_cert_serial_buffer_id = 0; |
68 | | |
69 | | /** |
70 | | * \brief Registration function for keyword: tls.cert_serial |
71 | | */ |
72 | | void DetectTlsSerialRegister(void) |
73 | 73 | { |
74 | 73 | sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].name = "tls.cert_serial"; |
75 | 73 | sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].alias = "tls_cert_serial"; |
76 | 73 | sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].desc = |
77 | 73 | "sticky buffer to match the TLS cert serial buffer"; |
78 | 73 | sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].url = "/rules/tls-keywords.html#tls-cert-serial"; |
79 | 73 | sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].Setup = DetectTlsSerialSetup; |
80 | | #ifdef UNITTESTS |
81 | | sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].RegisterTests = DetectTlsSerialRegisterTests; |
82 | | #endif |
83 | 73 | sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_NOOPT; |
84 | 73 | sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_INFO_STICKY_BUFFER; |
85 | | |
86 | 73 | DetectAppLayerInspectEngineRegister2("tls.cert_serial", ALPROTO_TLS, |
87 | 73 | SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY, |
88 | 73 | DetectEngineInspectBufferGeneric, GetData); |
89 | | |
90 | 73 | DetectAppLayerMpmRegister2("tls.cert_serial", SIG_FLAG_TOCLIENT, 2, |
91 | 73 | PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, |
92 | 73 | TLS_STATE_CERT_READY); |
93 | | |
94 | 73 | DetectAppLayerInspectEngineRegister2("tls.cert_serial", ALPROTO_TLS, SIG_FLAG_TOSERVER, |
95 | 73 | TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); |
96 | | |
97 | 73 | DetectAppLayerMpmRegister2("tls.cert_serial", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, |
98 | 73 | GetData, ALPROTO_TLS, TLS_STATE_CERT_READY); |
99 | | |
100 | 73 | DetectBufferTypeSetDescriptionByName("tls.cert_serial", |
101 | 73 | "TLS certificate serial number"); |
102 | | |
103 | 73 | DetectBufferTypeRegisterSetupCallback("tls.cert_serial", |
104 | 73 | DetectTlsSerialSetupCallback); |
105 | | |
106 | 73 | DetectBufferTypeRegisterValidateCallback("tls.cert_serial", |
107 | 73 | DetectTlsSerialValidateCallback); |
108 | | |
109 | 73 | g_tls_cert_serial_buffer_id = DetectBufferTypeGetByName("tls.cert_serial"); |
110 | 73 | } |
111 | | |
112 | | /** |
113 | | * \brief this function setup the tls_cert_serial modifier keyword used in the rule |
114 | | * |
115 | | * \param de_ctx Pointer to the Detection Engine Context |
116 | | * \param s Pointer to the Signature to which the current keyword belongs |
117 | | * \param str Should hold an empty string always |
118 | | * |
119 | | * \retval 0 On success |
120 | | * \retval -1 On failure |
121 | | */ |
122 | | static int DetectTlsSerialSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) |
123 | 4.97k | { |
124 | 4.97k | if (DetectBufferSetActiveList(de_ctx, s, g_tls_cert_serial_buffer_id) < 0) |
125 | 2 | return -1; |
126 | | |
127 | 4.96k | if (DetectSignatureSetAppProto(s, ALPROTO_TLS) < 0) |
128 | 84 | return -1; |
129 | | |
130 | 4.88k | return 0; |
131 | 4.96k | } |
132 | | |
133 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
134 | | const DetectEngineTransforms *transforms, Flow *f, |
135 | | const uint8_t flow_flags, void *txv, const int list_id) |
136 | 185 | { |
137 | 185 | InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); |
138 | 185 | if (buffer->inspect == NULL) { |
139 | 176 | const SSLState *ssl_state = (SSLState *)f->alstate; |
140 | 176 | const SSLStateConnp *connp; |
141 | | |
142 | 176 | if (flow_flags & STREAM_TOSERVER) { |
143 | 88 | connp = &ssl_state->client_connp; |
144 | 88 | } else { |
145 | 88 | connp = &ssl_state->server_connp; |
146 | 88 | } |
147 | | |
148 | 176 | if (connp->cert0_serial == NULL) { |
149 | 104 | return NULL; |
150 | 104 | } |
151 | | |
152 | 72 | const uint32_t data_len = strlen(connp->cert0_serial); |
153 | 72 | const uint8_t *data = (uint8_t *)connp->cert0_serial; |
154 | | |
155 | 72 | InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); |
156 | 72 | InspectionBufferApplyTransforms(buffer, transforms); |
157 | 72 | } |
158 | | |
159 | 81 | return buffer; |
160 | 185 | } |
161 | | |
162 | | static bool DetectTlsSerialValidateCallback(const Signature *s, |
163 | | const char **sigerror) |
164 | 1.75k | { |
165 | 5.91k | for (uint32_t x = 0; x < s->init_data->buffer_index; x++) { |
166 | 4.36k | if (s->init_data->buffers[x].id != (uint32_t)g_tls_cert_serial_buffer_id) |
167 | 3.97k | continue; |
168 | 396 | const SigMatch *sm = s->init_data->buffers[x].head; |
169 | 2.54k | for (; sm != NULL; sm = sm->next) { |
170 | 2.34k | if (sm->type != DETECT_CONTENT) |
171 | 2.14k | continue; |
172 | | |
173 | 199 | const DetectContentData *cd = (DetectContentData *)sm->ctx; |
174 | | |
175 | 199 | if (cd->flags & DETECT_CONTENT_NOCASE) { |
176 | 7 | *sigerror = "tls.cert_serial should not be used together " |
177 | 7 | "with nocase, since the rule is automatically " |
178 | 7 | "uppercased anyway which makes nocase redundant."; |
179 | 7 | SCLogWarning("rule %u: %s", s->id, *sigerror); |
180 | 7 | } |
181 | | |
182 | | /* no need to worry about this if the content is short enough */ |
183 | 199 | if (cd->content_len <= 2) |
184 | 110 | return true; |
185 | | |
186 | 89 | uint32_t u; |
187 | 1.54k | for (u = 0; u < cd->content_len; u++) |
188 | 1.50k | if (cd->content[u] == ':') |
189 | 48 | return true; |
190 | | |
191 | 41 | *sigerror = "No colon delimiters ':' detected in content after " |
192 | 41 | "tls.cert_serial. This rule will therefore never " |
193 | 41 | "match."; |
194 | 41 | SCLogWarning("rule %u: %s", s->id, *sigerror); |
195 | | |
196 | 41 | return false; |
197 | 89 | } |
198 | 396 | } |
199 | 1.55k | return true; |
200 | 1.75k | } |
201 | | |
202 | | static void DetectTlsSerialSetupCallback(const DetectEngineCtx *de_ctx, |
203 | | Signature *s) |
204 | 4.18k | { |
205 | 16.7k | for (uint32_t x = 0; x < s->init_data->buffer_index; x++) { |
206 | 12.6k | if (s->init_data->buffers[x].id != (uint32_t)g_tls_cert_serial_buffer_id) |
207 | 11.6k | continue; |
208 | 909 | SigMatch *sm = s->init_data->buffers[x].head; |
209 | 9.88k | for (; sm != NULL; sm = sm->next) { |
210 | 8.97k | if (sm->type != DETECT_CONTENT) |
211 | 7.74k | continue; |
212 | | |
213 | 1.23k | DetectContentData *cd = (DetectContentData *)sm->ctx; |
214 | | |
215 | 1.23k | bool changed = false; |
216 | 1.23k | uint32_t u; |
217 | 7.29k | for (u = 0; u < cd->content_len; u++) { |
218 | 6.06k | if (islower(cd->content[u])) { |
219 | 1.73k | cd->content[u] = u8_toupper(cd->content[u]); |
220 | 1.73k | changed = true; |
221 | 1.73k | } |
222 | 6.06k | } |
223 | | |
224 | | /* recreate the context if changes were made */ |
225 | 1.23k | if (changed) { |
226 | 350 | SpmDestroyCtx(cd->spm_ctx); |
227 | 350 | cd->spm_ctx = |
228 | 350 | SpmInitCtx(cd->content, cd->content_len, 1, de_ctx->spm_global_thread_ctx); |
229 | 350 | } |
230 | 1.23k | } |
231 | 909 | } |
232 | 4.18k | } |
233 | | |
234 | | #ifdef UNITTESTS |
235 | | #include "tests/detect-tls-cert-serial.c" |
236 | | #endif |