/src/suricata7/src/detect-tls-cert-subject.c
Line | Count | Source |
1 | | /* Copyright (C) 2007-2022 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Mats Klepsland <mats.klepsland@gmail.com> |
22 | | * |
23 | | * Implements support for tls.cert_subject keyword. |
24 | | */ |
25 | | |
26 | | #include "suricata-common.h" |
27 | | #include "threads.h" |
28 | | #include "decode.h" |
29 | | #include "detect.h" |
30 | | |
31 | | #include "detect-parse.h" |
32 | | #include "detect-engine.h" |
33 | | #include "detect-engine-mpm.h" |
34 | | #include "detect-engine-prefilter.h" |
35 | | #include "detect-content.h" |
36 | | #include "detect-pcre.h" |
37 | | #include "detect-tls-cert-subject.h" |
38 | | |
39 | | #include "flow.h" |
40 | | #include "flow-util.h" |
41 | | #include "flow-var.h" |
42 | | |
43 | | #include "util-debug.h" |
44 | | #include "util-spm.h" |
45 | | #include "util-print.h" |
46 | | |
47 | | #include "stream-tcp.h" |
48 | | |
49 | | #include "app-layer.h" |
50 | | #include "app-layer-ssl.h" |
51 | | |
52 | | #include "util-unittest.h" |
53 | | #include "util-unittest-helper.h" |
54 | | |
55 | | static int DetectTlsSubjectSetup(DetectEngineCtx *, Signature *, const char *); |
56 | | #ifdef UNITTESTS |
57 | | static void DetectTlsSubjectRegisterTests(void); |
58 | | #endif |
59 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
60 | | const DetectEngineTransforms *transforms, |
61 | | Flow *f, const uint8_t flow_flags, |
62 | | void *txv, const int list_id); |
63 | | static int g_tls_cert_subject_buffer_id = 0; |
64 | | |
65 | | /** |
66 | | * \brief Registration function for keyword: tls.cert_subject |
67 | | */ |
68 | | void DetectTlsSubjectRegister(void) |
69 | 75 | { |
70 | 75 | sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls.cert_subject"; |
71 | 75 | sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].alias = "tls_cert_subject"; |
72 | 75 | sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].desc = |
73 | 75 | "sticky buffer to match specifically and only on the TLS cert subject buffer"; |
74 | 75 | sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].url = "/rules/tls-keywords.html#tls-cert-subject"; |
75 | 75 | sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Setup = DetectTlsSubjectSetup; |
76 | | #ifdef UNITTESTS |
77 | | sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests; |
78 | | #endif |
79 | 75 | sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT; |
80 | 75 | sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_INFO_STICKY_BUFFER; |
81 | | |
82 | 75 | DetectAppLayerInspectEngineRegister2("tls.cert_subject", ALPROTO_TLS, SIG_FLAG_TOSERVER, |
83 | 75 | TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); |
84 | | |
85 | 75 | DetectAppLayerMpmRegister2("tls.cert_subject", SIG_FLAG_TOSERVER, 2, |
86 | 75 | PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, TLS_STATE_CERT_READY); |
87 | | |
88 | 75 | DetectAppLayerInspectEngineRegister2("tls.cert_subject", ALPROTO_TLS, SIG_FLAG_TOCLIENT, |
89 | 75 | TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); |
90 | | |
91 | 75 | DetectAppLayerMpmRegister2("tls.cert_subject", SIG_FLAG_TOCLIENT, 2, |
92 | 75 | PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, |
93 | 75 | TLS_STATE_CERT_READY); |
94 | | |
95 | 75 | DetectBufferTypeSupportsMultiInstance("tls.cert_subject"); |
96 | | |
97 | 75 | DetectBufferTypeSetDescriptionByName("tls.cert_subject", |
98 | 75 | "TLS certificate subject"); |
99 | | |
100 | 75 | g_tls_cert_subject_buffer_id = DetectBufferTypeGetByName("tls.cert_subject"); |
101 | 75 | } |
102 | | |
103 | | /** |
104 | | * \brief this function setup the tls.cert_subject modifier keyword used in the rule |
105 | | * |
106 | | * \param de_ctx Pointer to the Detection Engine Context |
107 | | * \param s Pointer to the Signature to which the current keyword belongs |
108 | | * \param str Should hold an empty string always |
109 | | * |
110 | | * \retval 0 On success |
111 | | * \retval -1 On failure |
112 | | */ |
113 | | static int DetectTlsSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) |
114 | 2.97k | { |
115 | 2.97k | if (DetectBufferSetActiveList(de_ctx, s, g_tls_cert_subject_buffer_id) < 0) |
116 | 139 | return -1; |
117 | | |
118 | 2.84k | if (DetectSignatureSetAppProto(s, ALPROTO_TLS) < 0) |
119 | 126 | return -1; |
120 | | |
121 | 2.71k | return 0; |
122 | 2.84k | } |
123 | | |
124 | | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
125 | | const DetectEngineTransforms *transforms, Flow *f, |
126 | | const uint8_t flow_flags, void *txv, const int list_id) |
127 | 24 | { |
128 | 24 | InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); |
129 | 24 | if (buffer->inspect == NULL) { |
130 | 19 | const SSLState *ssl_state = (SSLState *)f->alstate; |
131 | 19 | const SSLStateConnp *connp; |
132 | | |
133 | 19 | if (flow_flags & STREAM_TOSERVER) { |
134 | 5 | connp = &ssl_state->client_connp; |
135 | 14 | } else { |
136 | 14 | connp = &ssl_state->server_connp; |
137 | 14 | } |
138 | | |
139 | 19 | if (connp->cert0_subject == NULL) { |
140 | 8 | return NULL; |
141 | 8 | } |
142 | | |
143 | 11 | const uint32_t data_len = strlen(connp->cert0_subject); |
144 | 11 | const uint8_t *data = (uint8_t *)connp->cert0_subject; |
145 | | |
146 | 11 | InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); |
147 | 11 | InspectionBufferApplyTransforms(buffer, transforms); |
148 | 11 | } |
149 | | |
150 | 16 | return buffer; |
151 | 24 | } |
152 | | |
153 | | #ifdef UNITTESTS |
154 | | #include "tests/detect-tls-cert-subject.c" |
155 | | #endif |