Add keyword to match on 'raw' TLS certificates #3851
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,142 @@ | ||
| /* Copyright (C) 2019 Open Information Security Foundation | ||
| * | ||
| * You can copy, redistribute or modify this Program under the terms of | ||
| * the GNU General Public License version 2 as published by the Free | ||
| * Software Foundation. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, | ||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| * GNU General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU General Public License | ||
| * version 2 along with this program; if not, write to the Free Software | ||
| * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||
| * 02110-1301, USA. | ||
| */ | ||
|
|
||
| /** | ||
| * \file | ||
| * | ||
| * \author Mats Klepsland <[email protected]> | ||
| * | ||
| * Implements support for tls.cert keyword. | ||
| */ | ||
|
|
||
| #include "suricata-common.h" | ||
| #include "threads.h" | ||
| #include "debug.h" | ||
| #include "decode.h" | ||
| #include "detect.h" | ||
|
|
||
| #include "detect-parse.h" | ||
| #include "detect-engine.h" | ||
| #include "detect-engine-mpm.h" | ||
| #include "detect-engine-prefilter.h" | ||
| #include "detect-content.h" | ||
| #include "detect-pcre.h" | ||
| #include "detect-tls-cert.h" | ||
|
|
||
| #include "flow.h" | ||
| #include "flow-util.h" | ||
| #include "flow-var.h" | ||
|
|
||
| #include "util-debug.h" | ||
| #include "util-unittest.h" | ||
| #include "util-spm.h" | ||
| #include "util-print.h" | ||
|
|
||
| #include "stream-tcp.h" | ||
|
|
||
| #include "app-layer.h" | ||
| #include "app-layer-ssl.h" | ||
|
|
||
| #include "util-unittest.h" | ||
| #include "util-unittest-helper.h" | ||
|
|
||
| static int DetectTlsCertSetup(DetectEngineCtx *, Signature *, const char *); | ||
| #ifdef UNITTESTS | ||
| static void DetectTlsCertRegisterTests(void); | ||
| #endif | ||
| static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, | ||
| const DetectEngineTransforms *transforms, | ||
| Flow *_f, const uint8_t _flow_flags, | ||
| void *txv, const int list_id); | ||
| static int g_tls_cert_buffer_id = 0; | ||
|
|
||
| /** | ||
| * \brief Registration function for keyword: tls.cert | ||
| */ | ||
| void DetectTlsCertRegister(void) | ||
| { | ||
| sigmatch_table[DETECT_AL_TLS_CERT].name = "tls.cert"; | ||
| sigmatch_table[DETECT_AL_TLS_CERT].desc = "content modifier to match the TLS certificate buffer"; | ||
| sigmatch_table[DETECT_AL_TLS_CERT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls.cert"; | ||
|
There was a problem hiding this comment. Hm, this should perhaps be changed to "tls-cert" instead of "tls.cert". |
||
| sigmatch_table[DETECT_AL_TLS_CERT].Setup = DetectTlsCertSetup; | ||
| #ifdef UNITTESTS | ||
| sigmatch_table[DETECT_AL_TLS_CERT].RegisterTests = DetectTlsCertRegisterTests; | ||
| #endif | ||
| sigmatch_table[DETECT_AL_TLS_CERT].flags |= SIGMATCH_NOOPT; | ||
victorjulien marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| DetectAppLayerInspectEngineRegister2("tls.cert", ALPROTO_TLS, | ||
| SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY, | ||
| DetectEngineInspectBufferGeneric, GetData); | ||
|
|
||
| DetectAppLayerMpmRegister2("tls.cert", SIG_FLAG_TOCLIENT, 2, | ||
| PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, | ||
| TLS_STATE_CERT_READY); | ||
|
|
||
| DetectBufferTypeSetDescriptionByName("tls.cert", "TLS certificate"); | ||
|
|
||
| g_tls_cert_buffer_id = DetectBufferTypeGetByName("tls.cert"); | ||
| } | ||
|
|
||
| /** | ||
| * \brief This function setup the tls.cert modifier keyword | ||
| * | ||
| * \param de_ctx Pointer to the Detect Engine Context | ||
| * \param s Pointer to the Signature to which the keyword belongs | ||
| * \param str Should hold an empty string always | ||
| * | ||
| * \retval 0 On success | ||
| * \retval -1 On failure | ||
| */ | ||
| static int DetectTlsCertSetup(DetectEngineCtx *de_ctx, Signature *s, | ||
| const char *str) | ||
| { | ||
| if (DetectBufferSetActiveList(s, g_tls_cert_buffer_id) < 0) | ||
| return -1; | ||
|
|
||
| if (DetectSignatureSetAppProto(s, ALPROTO_TLS) < 0) | ||
| return -1; | ||
|
|
||
| return 0; | ||
| } | ||
|
|
||
| static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, | ||
| const DetectEngineTransforms *transforms, Flow *f, | ||
| const uint8_t flow_flags, void *txv, const int list_id) | ||
| { | ||
| InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); | ||
| if (buffer->inspect == NULL) { | ||
| const SSLState *ssl_state = (SSLState *)f->alstate; | ||
|
|
||
| if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) { | ||
| return NULL; | ||
| } | ||
|
|
||
| const SSLCertsChain *cert = TAILQ_FIRST(&ssl_state->server_connp.certs); | ||
|
There was a problem hiding this comment. are we inspecting only one cert? There was a problem hiding this comment. Ok I see this is mentioned in the PR. Would it make sense to inspect all? Or would there be a case for a separate keyword for all certs or something? There was a problem hiding this comment. There's not really a good reason to only inspect one certificate. I'll change it to inspect the entire certificate chain :) There was a problem hiding this comment. Ok cool. This will complicate the inspection code somewhat, because you can now have multiple buffers per tx. I would suggest checking the dns query code which has the same issue. |
||
| if (cert == NULL) { | ||
| return NULL; | ||
| } | ||
|
|
||
| InspectionBufferSetup(buffer, cert->cert_data, cert->cert_len); | ||
| InspectionBufferApplyTransforms(buffer, transforms); | ||
| } | ||
|
|
||
| return buffer; | ||
| } | ||
|
|
||
| #ifdef UNITTESTS | ||
| #include "tests/detect-tls-cert.c" | ||
| #endif | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| /* Copyright (C) 2019 Open Information Security Foundation | ||
| * | ||
| * You can copy, redistribute or modify this Program under the terms of | ||
| * the GNU General Public License version 2 as published by the Free | ||
| * Software Foundation. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, | ||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| * GNU General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU General Public License | ||
| * version 2 along with this program; if not, write to the Free Software | ||
| * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||
| * 02110-1301, USA. | ||
| */ | ||
|
|
||
| /** | ||
| * \file | ||
| * | ||
| * \author Mats Klepsland <[email protected]> | ||
| */ | ||
|
|
||
| #ifndef __DETECT_TLS_CERT_H__ | ||
| #define __DETECT_TLS_CERT_H__ | ||
|
|
||
| void DetectTlsCertRegister(void); | ||
|
|
||
| #endif /* __DETECT_TLS_CERT_H__ */ |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should remove the underscores from the variables here as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah if they are used then you should