Add keyword to match on 'raw' TLS certificates #3545
Conversation
Add keyword to do "raw" matching on the TLS certificate buffer.
Example:
alert tls any any -> any any (msg:"tls_cert test"; tls_cert; \
content:"|01 02 03 04|"; sid:1;)
Rename buffer type for the old TLS keywords to avoid a name conflict with the 'tls_cert' keyword.
| alert tls any any -> any any (msg:"match bytes in TLS cert"; tls_cert; \ | ||
| content:"|06 09 2a 86|"; sid:200070;) | ||
|
|
||
| ``tls_cert`` is a 'Sticky buffer'. |
There was a problem hiding this comment.
sticky instead of Sticky? :) but in general doc looks good
There was a problem hiding this comment.
It is written as 'Sticky' on all the other keywords in the same file. Do you want me to lowercase the existing keywords as well? :)
There was a problem hiding this comment.
I like the lowercase one better as well. If you want to update it elsewhere, please do.
| } | ||
|
|
||
| static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, | ||
| const DetectEngineTransforms *transforms, Flow *_f, |
There was a problem hiding this comment.
_f is a rust-ism, indicating that the variable isn't used. So seeing it being used as _f is kind of weird :)
There was a problem hiding this comment.
I agree! I just copied that from some other code in the repo ;)
It's like that for the other mpm TLS keywords. Do you want me to change this for the other keywords as well?
| SigGroupBuild(de_ctx); | ||
| DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); | ||
|
|
||
| FLOWLOCK_WRLOCK(&f); |
There was a problem hiding this comment.
you can remove the locks from these tests
There was a problem hiding this comment.
Sure. Do you want me to remove them from the other mpm TLS keywords too? :)
There was a problem hiding this comment.
Yeah I think that would be good.
| de_ctx->mpm_matcher = mpm_default_matcher; | ||
| de_ctx->flags |= DE_QUIET; | ||
|
|
||
| s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any " |
| FAIL_IF_NOT(PacketAlertCheck(p3, 1)); | ||
| AppLayerParserThreadCtxFree(alp_tctx); | ||
| DetectEngineThreadCtxDeinit(&tv, det_ctx); | ||
| SigGroupCleanup(de_ctx); |
There was a problem hiding this comment.
this is called as well by DetectEngineCtxFree
| @@ -159,9 +159,9 @@ void DetectTlsRegister (void) | |||
| DetectSetupParseRegexes(PARSE_REGEX_FINGERPRINT, | |||
| &fingerprint_parse_regex, &fingerprint_parse_regex_study); | |||
|
|
|||
| g_tls_cert_list_id = DetectBufferTypeRegister("tls_cert"); | |||
| g_tls_cert_list_id = DetectBufferTypeRegister("tls_keywords_old"); | |||
There was a problem hiding this comment.
I would suggest tls_legacy_keywords
There was a problem hiding this comment.
I agree, that's a better name!
| return buffer; | ||
| } | ||
|
|
||
| #ifdef UNITTESTS |
There was a problem hiding this comment.
can you move the tests into their own file in tests/ ?
| InspectionBuffer *buffer = &det_ctx->inspect_buffers[list_id]; | ||
|
|
||
| if (buffer->inspect == NULL) { | ||
| SSLState *ssl_state = (SSLState *)_f->alstate; |
| return NULL; | ||
| } | ||
|
|
||
| SSLCertsChain *cert = TAILQ_FIRST(&ssl_state->server_connp.certs); |
| static int DetectTlsCertSetup(DetectEngineCtx *de_ctx, Signature *s, | ||
| const char *str) | ||
| { | ||
| DetectBufferSetActiveList(s, g_tls_cert_buffer_id); |
There was a problem hiding this comment.
check the return code here as well
There was a problem hiding this comment.
This is probably something that is missing from a lot of other places too. So maybe you can check at least all the TLS ones for this?
| sigmatch_table[DETECT_AL_TLS_CERT].name = "tls_cert"; | ||
| sigmatch_table[DETECT_AL_TLS_CERT].desc = "content modifier to match the TLS certificate buffer"; | ||
| sigmatch_table[DETECT_AL_TLS_CERT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert"; | ||
| sigmatch_table[DETECT_AL_TLS_CERT].Match = NULL; |
There was a problem hiding this comment.
remove the NULL settings please, they are redundant
|
Replaced by #3851 |
Add new keyword
tls_certto match on the 'raw' TLS certificate. This keyword matches on the first certificate in the certificate chain.Example:
alert tls any any -> any any (msg:"test tls_cert"; tls_cert; content:"|01 02 03 04|"; sid:1;)https://redmine.openinfosecfoundation.org/issues/2670
Prscript: