/src/suricata7/src/detect-tls-ja3-hash.c
Line | Count | Source |
1 | | /* Copyright (C) 2017 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Mats Klepsland <mats.klepsland@gmail.com> |
22 | | * |
23 | | * Implements support for ja3.hash keyword. |
24 | | */ |
25 | | |
26 | | #include "suricata-common.h" |
27 | | #include "threads.h" |
28 | | #include "decode.h" |
29 | | #include "detect.h" |
30 | | |
31 | | #include "detect-parse.h" |
32 | | #include "detect-engine.h" |
33 | | #include "detect-engine-mpm.h" |
34 | | #include "detect-engine-prefilter.h" |
35 | | #include "detect-content.h" |
36 | | #include "detect-pcre.h" |
37 | | #include "detect-tls-ja3-hash.h" |
38 | | |
39 | | #include "flow.h" |
40 | | #include "flow-util.h" |
41 | | #include "flow-var.h" |
42 | | |
43 | | #include "conf.h" |
44 | | #include "conf-yaml-loader.h" |
45 | | |
46 | | #include "util-debug.h" |
47 | | #include "util-spm.h" |
48 | | #include "util-print.h" |
49 | | #include "util-ja3.h" |
50 | | |
51 | | #include "stream-tcp.h" |
52 | | |
53 | | #include "app-layer.h" |
54 | | #include "app-layer-ssl.h" |
55 | | |
56 | | #include "util-unittest.h" |
57 | | #include "util-unittest-helper.h" |
58 | | |
59 | | #ifndef HAVE_JA3 |
60 | | static int DetectJA3SetupNoSupport(DetectEngineCtx *a, Signature *b, const char *c) |
61 | | { |
62 | | SCLogError("no JA3 support built in"); |
63 | | return -1; |
64 | | } |
65 | | #endif |
66 | | |
67 | | static int DetectTlsJa3HashSetup(DetectEngineCtx *, Signature *, const char *); |
68 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
69 | | const DetectEngineTransforms *transforms, |
70 | | Flow *f, const uint8_t flow_flags, |
71 | | void *txv, const int list_id); |
72 | | static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx, |
73 | | Signature *s); |
74 | | static bool DetectTlsJa3HashValidateCallback(const Signature *s, |
75 | | const char **sigerror); |
76 | | static int g_tls_ja3_hash_buffer_id = 0; |
77 | | |
78 | | /** |
79 | | * \brief Registration function for keyword: ja3_hash |
80 | | */ |
81 | | void DetectTlsJa3HashRegister(void) |
82 | 75 | { |
83 | 75 | sigmatch_table[DETECT_AL_TLS_JA3_HASH].name = "ja3.hash"; |
84 | 75 | sigmatch_table[DETECT_AL_TLS_JA3_HASH].alias = "ja3_hash"; |
85 | 75 | sigmatch_table[DETECT_AL_TLS_JA3_HASH].desc = "sticky buffer to match the JA3 hash buffer"; |
86 | 75 | sigmatch_table[DETECT_AL_TLS_JA3_HASH].url = "/rules/ja3-keywords.html#ja3-hash"; |
87 | 75 | #ifdef HAVE_JA3 |
88 | 75 | sigmatch_table[DETECT_AL_TLS_JA3_HASH].Setup = DetectTlsJa3HashSetup; |
89 | | #else /* HAVE_JA3 */ |
90 | | sigmatch_table[DETECT_AL_TLS_JA3_HASH].Setup = DetectJA3SetupNoSupport; |
91 | | #endif /* HAVE_JA3 */ |
92 | 75 | sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_NOOPT; |
93 | 75 | sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER; |
94 | | |
95 | 75 | #ifdef HAVE_JA3 |
96 | 75 | DetectAppLayerInspectEngineRegister2("ja3.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, |
97 | 75 | DetectEngineInspectBufferGeneric, GetData); |
98 | | |
99 | 75 | DetectAppLayerMpmRegister2("ja3.hash", SIG_FLAG_TOSERVER, 2, |
100 | 75 | PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0); |
101 | | |
102 | 75 | DetectAppLayerMpmRegister2("ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, |
103 | 75 | Ja3DetectGetHash, ALPROTO_QUIC, 1); |
104 | | |
105 | 75 | DetectAppLayerInspectEngineRegister2("ja3.hash", ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1, |
106 | 75 | DetectEngineInspectBufferGeneric, Ja3DetectGetHash); |
107 | | |
108 | 75 | DetectBufferTypeSetDescriptionByName("ja3.hash", "TLS JA3 hash"); |
109 | | |
110 | 75 | DetectBufferTypeRegisterSetupCallback("ja3.hash", |
111 | 75 | DetectTlsJa3HashSetupCallback); |
112 | | |
113 | 75 | DetectBufferTypeRegisterValidateCallback("ja3.hash", |
114 | 75 | DetectTlsJa3HashValidateCallback); |
115 | | |
116 | 75 | g_tls_ja3_hash_buffer_id = DetectBufferTypeGetByName("ja3.hash"); |
117 | 75 | #endif /* HAVE_JA3 */ |
118 | 75 | } |
119 | | |
120 | | /** |
121 | | * \brief this function setup the ja3.hash modifier keyword used in the rule |
122 | | * |
123 | | * \param de_ctx Pointer to the Detection Engine Context |
124 | | * \param s Pointer to the Signature to which the current keyword belongs |
125 | | * \param str Should hold an empty string always |
126 | | * |
127 | | * \retval 0 On success |
128 | | * \retval -1 On failure |
129 | | * \retval -2 on failure that should be silent after the first |
130 | | */ |
131 | | static int DetectTlsJa3HashSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) |
132 | 2.36k | { |
133 | 2.36k | if (DetectBufferSetActiveList(de_ctx, s, g_tls_ja3_hash_buffer_id) < 0) |
134 | 2 | return -1; |
135 | | |
136 | 2.36k | if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS && s->alproto != ALPROTO_QUIC) { |
137 | 20 | SCLogError("rule contains conflicting protocols."); |
138 | 20 | return -1; |
139 | 20 | } |
140 | | |
141 | | /* try to enable JA3 */ |
142 | 2.34k | SSLEnableJA3(); |
143 | | |
144 | | /* Check if JA3 is disabled */ |
145 | 2.34k | if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) { |
146 | 0 | if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3_HASH)) { |
147 | 0 | SCLogError("ja3 support is not enabled"); |
148 | 0 | } |
149 | 0 | return -2; |
150 | 0 | } |
151 | 2.34k | s->init_data->init_flags |= SIG_FLAG_INIT_JA; |
152 | | |
153 | 2.34k | return 0; |
154 | 2.34k | } |
155 | | |
156 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
157 | | const DetectEngineTransforms *transforms, Flow *f, |
158 | | const uint8_t flow_flags, void *txv, const int list_id) |
159 | 3 | { |
160 | 3 | InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); |
161 | 3 | if (buffer->inspect == NULL) { |
162 | 2 | const SSLState *ssl_state = (SSLState *)f->alstate; |
163 | | |
164 | 2 | if (ssl_state->client_connp.ja3_hash == NULL) { |
165 | 0 | return NULL; |
166 | 0 | } |
167 | | |
168 | 2 | const uint32_t data_len = strlen(ssl_state->client_connp.ja3_hash); |
169 | 2 | const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_hash; |
170 | | |
171 | 2 | InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); |
172 | 2 | InspectionBufferApplyTransforms(buffer, transforms); |
173 | 2 | } |
174 | | |
175 | 3 | return buffer; |
176 | 3 | } |
177 | | |
178 | | static bool DetectTlsJa3HashValidateCallback(const Signature *s, |
179 | | const char **sigerror) |
180 | 1.58k | { |
181 | 26.0k | for (uint32_t x = 0; x < s->init_data->buffer_index; x++) { |
182 | 24.7k | if (s->init_data->buffers[x].id != (uint32_t)g_tls_ja3_hash_buffer_id) |
183 | 23.6k | continue; |
184 | 1.13k | const SigMatch *sm = s->init_data->buffers[x].head; |
185 | 8.48k | for (; sm != NULL; sm = sm->next) { |
186 | 7.66k | if (sm->type != DETECT_CONTENT) |
187 | 7.35k | continue; |
188 | | |
189 | 309 | const DetectContentData *cd = (DetectContentData *)sm->ctx; |
190 | | |
191 | 309 | if (cd->flags & DETECT_CONTENT_NOCASE) { |
192 | 137 | *sigerror = "ja3.hash should not be used together with " |
193 | 137 | "nocase, since the rule is automatically " |
194 | 137 | "lowercased anyway which makes nocase redundant."; |
195 | 137 | SCLogWarning("rule %u: %s", s->id, *sigerror); |
196 | 137 | } |
197 | | |
198 | 309 | if (cd->content_len == SC_MD5_HEX_LEN) |
199 | 232 | return true; |
200 | | |
201 | 77 | *sigerror = "Invalid length of the specified JA3 hash (should " |
202 | 77 | "be 32 characters long). This rule will therefore " |
203 | 77 | "never match."; |
204 | 77 | SCLogWarning("rule %u: %s", s->id, *sigerror); |
205 | 77 | return false; |
206 | 309 | } |
207 | 1.13k | } |
208 | 1.27k | return true; |
209 | 1.58k | } |
210 | | |
211 | | static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx, |
212 | | Signature *s) |
213 | 2.02k | { |
214 | 32.9k | for (uint32_t x = 0; x < s->init_data->buffer_index; x++) { |
215 | 30.9k | if (s->init_data->buffers[x].id != (uint32_t)g_tls_ja3_hash_buffer_id) |
216 | 29.5k | continue; |
217 | 1.33k | SigMatch *sm = s->init_data->buffers[x].head; |
218 | 9.97k | for (; sm != NULL; sm = sm->next) { |
219 | 8.63k | if (sm->type != DETECT_CONTENT) |
220 | 7.71k | continue; |
221 | | |
222 | 917 | DetectContentData *cd = (DetectContentData *)sm->ctx; |
223 | | |
224 | 917 | bool changed = false; |
225 | 917 | uint32_t u; |
226 | 38.9k | for (u = 0; u < cd->content_len; u++) { |
227 | 38.0k | if (isupper(cd->content[u])) { |
228 | 24.5k | cd->content[u] = u8_tolower(cd->content[u]); |
229 | 24.5k | changed = true; |
230 | 24.5k | } |
231 | 38.0k | } |
232 | | |
233 | | /* recreate the context if changes were made */ |
234 | 917 | if (changed) { |
235 | 211 | SpmDestroyCtx(cd->spm_ctx); |
236 | 211 | cd->spm_ctx = |
237 | 211 | SpmInitCtx(cd->content, cd->content_len, 1, de_ctx->spm_global_thread_ctx); |
238 | 211 | } |
239 | 917 | } |
240 | 1.33k | } |
241 | 2.02k | } |