Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add keyword to match on 'raw' TLS certificates #3851

Closed
wants to merge 3 commits into from
Closed

Add keyword to match on 'raw' TLS certificates #3851

wants to merge 3 commits into from

Conversation

thus
Copy link
Contributor

@thus thus commented May 13, 2019

Add new keyword tls.cert to match on the 'raw' TLS certificate. This keyword matches on the first certificate in the certificate chain.

Example:
alert tls any any -> any any (msg:"test tls.cert"; tls.cert; content:"|01 02 03 04|"; sid:1;)

Updates:

https://redmine.openinfosecfoundation.org/issues/2670

Prscript:

thus added 3 commits May 13, 2019 15:28
@thus
detect: add tls.cert keyword
bccc257 
Add keyword to do "raw" matching on the TLS certificate buffer.

Example:
  alert tls any any -> any any (msg:"tls.cert test"; tls.cert; \
          content:"|01 02 03 04|"; sid:1;)
@thus
userguide: add documentation for tls.cert keyword
b966044
@thus
detect-tls-cert: move unittests to tests/
7b34ca3
@thus thus requested review from norg and a team as code owners May 13, 2019 14:03
@thus thus mentioned this pull request May 13, 2019
Closed
victorjulien
victorjulien requested changes May 13, 2019
View reviewed changes
src/detect-tls-cert.c
return NULL;
}

const SSLCertsChain *cert = TAILQ_FIRST(&ssl_state->server_connp.certs);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are we inspecting only one cert?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok I see this is mentioned in the PR. Would it make sense to inspect all? Or would there be a case for a separate keyword for all certs or something?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's not really a good reason to only inspect one certificate. I'll change it to inspect the entire certificate chain :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok cool. This will complicate the inspection code somewhat, because you can now have multiple buffers per tx. I would suggest checking the dns query code which has the same issue.

src/detect-tls-cert.c Show resolved Hide resolved
src/tests/detect-tls-cert.c Show resolved Hide resolved
thus
thus commented May 13, 2019
View reviewed changes
src/detect-tls-cert.c
{
sigmatch_table[DETECT_AL_TLS_CERT].name = "tls.cert";
sigmatch_table[DETECT_AL_TLS_CERT].desc = "content modifier to match the TLS certificate buffer";
sigmatch_table[DETECT_AL_TLS_CERT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls.cert";
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, this should perhaps be changed to "tls-cert" instead of "tls.cert".

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed.

thus
thus commented May 14, 2019
View reviewed changes
src/detect-tls-cert.c
#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *_f, const uint8_t _flow_flags,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should remove the underscores from the variables here as well.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah if they are used then you should

@victorjulien
Copy link
Member

Can you also add suricata-verify tests?

@thus thus mentioned this pull request May 15, 2019
Closed
@thus
Copy link
Contributor Author

thus commented May 15, 2019

Replaced by #3855

@thus thus closed this May 15, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien victorjulien requested changes

@norg norg Awaiting requested review from norg

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thus @victorjulien