1 | /* Copyright (C) 2007-2016 Open Information Security Foundation |
2 | * | |
3 | * You can copy, redistribute or modify this Program under the terms of | |
4 | * the GNU General Public License version 2 as published by the Free | |
5 | * Software Foundation. | |
6 | * | |
7 | * This program is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | * | |
12 | * You should have received a copy of the GNU General Public License | |
13 | * version 2 along with this program; if not, write to the Free Software | |
14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | |
15 | * 02110-1301, USA. | |
16 | */ | |
17 | ||
18 | /** | |
19 | * \file | |
20 | * | |
21 | * \author Mats Klepsland <mats.klepsland@gmail.com> | |
22 | * | |
23 | * Implements support for tls_cert_subject keyword. | |
24 | */ | |
25 | ||
26 | #include "suricata-common.h" | |
27 | #include "threads.h" | |
28 | #include "debug.h" | |
29 | #include "decode.h" | |
30 | #include "detect.h" | |
31 | ||
32 | #include "detect-parse.h" | |
33 | #include "detect-engine.h" | |
34 | #include "detect-engine-mpm.h" | |
e68b2214 | 35 | #include "detect-engine-tls.h" |
36 | #include "detect-content.h" |
37 | #include "detect-pcre.h" | |
38 | ||
39 | #include "flow.h" | |
40 | #include "flow-util.h" | |
41 | #include "flow-var.h" | |
42 | ||
43 | #include "util-debug.h" | |
44 | #include "util-unittest.h" | |
45 | #include "util-spm.h" | |
46 | #include "util-print.h" | |
47 | ||
48 | #include "stream-tcp.h" | |
49 | ||
50 | #include "app-layer.h" | |
51 | #include "app-layer-ssl.h" | |
52 | ||
53 | #include "util-unittest.h" | |
54 | #include "util-unittest-helper.h" | |
55 | ||
56 | static int DetectTlsSubjectSetup(DetectEngineCtx *, Signature *, char *); | |
57 | static void DetectTlsSubjectRegisterTests(void); | |
58 | ||
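/**
 * \brief Registration function for keyword: tls_cert_subject
 *
 * Fills in the sigmatch_table entry for DETECT_AL_TLS_CERT_SUBJECT and hooks
 * the keyword's buffer into the MPM prefilter and the app-layer inspection
 * engine for TLS traffic flowing to the client.
 */
void DetectTlsSubjectRegister(void)
{
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls_cert_subject";
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].desc = "content modifier to match specifically and only on the TLS cert subject buffer";
    /* A pure content modifier: it only redirects the following content
     * keywords to another list, so it has no Match callback of its own and
     * allocates no per-signature data that would need a Free. */
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Setup = DetectTlsSubjectSetup;
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Free = NULL;
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;

    /* SIGMATCH_NOOPT: the keyword takes no argument (Setup expects an empty
     * option string). */
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT | SIGMATCH_PAYLOAD;

    /* NOTE(review): the literal 2 looks like a prefilter priority - confirm
     * against DetectMpmAppLayerRegister's declaration. */
    DetectMpmAppLayerRegister("tls_cert_subject", SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_TLSSUBJECT_MATCH, 2,
            PrefilterTxTlsSubjectRegister);

    DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_TLSSUBJECT_MATCH,
            DetectEngineInspectTlsSubject);
}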
84 | ||
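/**
 * \brief Setup function for the tls_cert_subject modifier keyword.
 *
 * Switches the signature's active sigmatch list to the TLS subject buffer
 * list and pins the signature's app-layer protocol to TLS.
 *
 * \param de_ctx Pointer to the Detection Engine Context (unused here)
 * \param s      Pointer to the Signature to which the current keyword belongs
 * \param str    Should hold an empty string always; the keyword takes no argument
 *
 * \retval  0 On success
 * \retval -1 If the signature is already bound to an app-layer protocol
 *            other than TLS
 */
static int DetectTlsSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
    /* Do not silently re-target a rule that was written for another
     * app-layer protocol: overwriting s->alproto here would turn e.g. an
     * "alert http" rule into a TLS rule without the author noticing. */
    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
                "rule contains conflicting keywords.");
        return -1;
    }

    s->list = DETECT_SM_LIST_TLSSUBJECT_MATCH;
    s->alproto = ALPROTO_TLS;
    return 0;
}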
100 | ||
101 | #ifdef UNITTESTS | |
102 | |
/**
 * \test Parse a signature that uses tls_cert_subject and check that the
 *       content match lands in the TLS subject list rather than the generic
 *       MATCH list, and that it is the only entry there.
 */
static int DetectTlsSubjectTest01(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
                               "(msg:\"Testing tls_cert_subject\"; "
                               "tls_cert_subject; content:\"test\"; sid:1;)");
    FAIL_IF_NULL(de_ctx->sig_list);

    /* the content keyword must have been redirected away from the MATCH list */
    FAIL_IF_NOT_NULL(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH]);

    /* ... and into the TLS subject list, as a single DETECT_CONTENT entry */
    SigMatch *subject_sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_TLSSUBJECT_MATCH];
    FAIL_IF_NULL(subject_sm);
    FAIL_IF(subject_sm->type != DETECT_CONTENT);
    FAIL_IF_NOT_NULL(subject_sm->next);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    PASS;
}
137 | ||
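/**
 * \test Feed a TLS handshake (client hello, server hello, certificate) through
 *       the app-layer parser and check that a rule matching "google" in the
 *       certificate subject alerts only once the certificate record has been
 *       parsed - not on the two hello records that precede it.
 */
static int DetectTlsSubjectTest02(void)
{
    /* client hello */
    uint8_t client_hello[] = {
        0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
        0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
        0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
        0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
        0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
        0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
        0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
        0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
        0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
        0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
        0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
        0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
        0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
        0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
        0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
        0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
        0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
        0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
        0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
        0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
        0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
        0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
        0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
        0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
        0x03, 0x04, 0x02, 0x02, 0x02
    };

    /* server hello */
    uint8_t server_hello[] = {
        0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
        0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
        0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
        0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
        0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
        0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
        0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
        0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
        0x0b, 0x00, 0x02, 0x01, 0x00
    };

    /* certificate */
    uint8_t certificate[] = {
        0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
        0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
        0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
        0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
        0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
        0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
        0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
        0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
        0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
        0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
        0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
        0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
        0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
        0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
        0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
        0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
        0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
        0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
        0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
        0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
        0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
        0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
        0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
        0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
        0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
        0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
        0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
        0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
        0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
        0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
        0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
        0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
        0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
        0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
        0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
        0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
        0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
        0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
        0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
        0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
        0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
        0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
        0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
        0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
        0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
        0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
        0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
        0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
        0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
        0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
        0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
        0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
        0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
        0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
        0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
        0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
        0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
        0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
        0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
        0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
        0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
        0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
        0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
        0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
        0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
        0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
        0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
        0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
        0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
        0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
        0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
        0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
        0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
        0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
        0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
        0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
        0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
        0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
        0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
        0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
        0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
        0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
        0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
        0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
        0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
        0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
        0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
        0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
        0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
        0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
        0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
        0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
        0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
        0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
        0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
        0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
        0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
        0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
        0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
        0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
        0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
        0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
        0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
        0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
        0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
        0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
        0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
        0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
        0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
        0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
        0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
        0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
        0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
        0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
        0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
        0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
        0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
        0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
        0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
        0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
        0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
        0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
        0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
        0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
        0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
        0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
        0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
        0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
        0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
        0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
        0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
        0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
        0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
        0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
        0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
        0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
        0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
        0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
        0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
        0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
        0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
        0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
        0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
        0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
        0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
        0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
        0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
    };

    Flow f;
    SSLState *ssl_state = NULL;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    Packet *p3 = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    /* the parser context is dereferenced by every AppLayerParserParse call
     * below, so a failed allocation must fail the test here, not crash it */
    FAIL_IF_NULL(alp_tctx);

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));

    /* one packet per handshake record; the hellos and the certificate travel
     * in opposite directions, which is what the TOSERVER/TOCLIENT flags and
     * the swapped address/port pairs below reflect */
    p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
                            "192.168.1.5", "192.168.1.1", 51251, 443);
    FAIL_IF_NULL(p1);
    p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
                            "192.168.1.1", "192.168.1.5", 443, 51251);
    FAIL_IF_NULL(p2);
    p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
                            "192.168.1.1", "192.168.1.5", 443, 51251);
    FAIL_IF_NULL(p3);

    FLOW_INITIALIZE(&f);
    f.flags |= FLOW_IPV4;
    f.proto = IPPROTO_TCP;
    f.protomap = FlowGetProtoMapping(f.proto);
    f.alproto = ALPROTO_TLS;

    p1->flow = &f;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->pcap_cnt = 1;

    p2->flow = &f;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->pcap_cnt = 2;

    p3->flow = &f;
    p3->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p3->flowflags |= FLOW_PKT_TOCLIENT;
    p3->flowflags |= FLOW_PKT_ESTABLISHED;
    p3->pcap_cnt = 3;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    de_ctx->mpm_matcher = mpm_default_matcher;
    de_ctx->flags |= DE_QUIET;

    /* "google" appears in the subject of the certificate above ("*.google.no");
     * nocase keeps the match independent of how the CN is capitalised */
    s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
                              "(msg:\"Test tls_cert_subject\"; "
                              "tls_cert_subject; content:\"google\"; nocase; "
                              "sid:1;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    FAIL_IF_NULL(det_ctx);

    /* client hello: no certificate yet, so the rule must not fire */
    FLOWLOCK_WRLOCK(&f);
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                                STREAM_TOSERVER, client_hello,
                                sizeof(client_hello));
    FLOWLOCK_UNLOCK(&f);

    FAIL_IF(r != 0);

    ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p1);

    FAIL_IF(PacketAlertCheck(p1, 1));

    /* server hello: still no certificate, still no alert */
    FLOWLOCK_WRLOCK(&f);
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
                            server_hello, sizeof(server_hello));
    FLOWLOCK_UNLOCK(&f);

    FAIL_IF(r != 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p2);

    FAIL_IF(PacketAlertCheck(p2, 1));

    /* certificate record: the subject buffer is now populated and the rule
     * must alert */
    FLOWLOCK_WRLOCK(&f);
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
                            certificate, sizeof(certificate));
    FLOWLOCK_UNLOCK(&f);

    FAIL_IF(r != 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p3);

    FAIL_IF_NOT(PacketAlertCheck(p3, 1));

    /* every pointer below was NULL-checked when it was created, so the
     * teardown needs no further guards */
    AppLayerParserThreadCtxFree(alp_tctx);
    DetectEngineThreadCtxDeinit(&tv, det_ctx);
    SigGroupCleanup(de_ctx);
    DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p1);
    UTHFreePacket(p2);
    UTHFreePacket(p3);

    PASS;
}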
456 | ||
457 | #endif |
458 | ||
/**
 * \brief Register the unit tests for the tls_cert_subject keyword.
 *
 * Installed as the RegisterTests callback of the keyword's sigmatch_table
 * entry; compiles to an empty body unless UNITTESTS is defined.
 */
static void DetectTlsSubjectRegisterTests(void)
{
#ifdef UNITTESTS
    UtRegisterTest("DetectTlsSubjectTest01", DetectTlsSubjectTest01);
    UtRegisterTest("DetectTlsSubjectTest02", DetectTlsSubjectTest02);
#endif
}