detect-tls-cert-fingerprint: add warning if nocase is used
authorMats Klepsland <mats.klepsland@gmail.com>
Sat, 24 Mar 2018 22:00:33 +0000 (23:00 +0100)
committerVictor Julien <victor@inliniac.net>
Thu, 3 May 2018 12:50:47 +0000 (14:50 +0200)
src/detect-tls-cert-fingerprint.c

index 4cb21271756db89baee5b46f528a9c8f18b9cc75..a2fd47cf7dcfbb9b2d1b280ba55a3898acb7c5f4 100644 (file)
@@ -154,7 +154,7 @@ static _Bool DetectTlsFingerprintValidateCallback(const Signature *s,
         if (sm->type != DETECT_CONTENT)
             continue;
 
-        DetectContentData *cd = (DetectContentData *)sm->ctx;
+        const DetectContentData *cd = (DetectContentData *)sm->ctx;
 
         if (cd->content_len != 59) {
             *sigerror = "Invalid length of the specified fingerprint. "
@@ -181,6 +181,12 @@ static _Bool DetectTlsFingerprintValidateCallback(const Signature *s,
             return FALSE;
         }
 
+        if (cd->flags & DETECT_CONTENT_NOCASE) {
+            *sigerror = "tls_cert_fingerprint should not be used together "
+                        "with nocase, since the rule is automatically "
+                        "lowercased anyway which makes nocase redundant.";
+            SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+        }
     }
 
     return TRUE;
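Review bot: The added nocase branch stores its warning text in `*sigerror` but does not return, so the loop continues and the function can still reach `return TRUE` with the out-parameter set. The caller is not visible in this hunk; if it inspects `*sigerror` independently of the return value, a rule that loaded successfully could be reported as an error or have the message logged a second time. Keeping the text in a local avoids touching the out-parameter on a non-failure path, for example `const char *warn = "tls_cert_fingerprint should not be used together with nocase, ...";` followed by `SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, warn);`. A short comment such as `/* warn only: nocase is redundant but harmless, rule still loads */` would also make the deliberate fall-through clear. The body of DetectTlsFingerprintValidateCallback begins above the hunk.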