detect-tls-ja3-hash: add content validation callback

Validate that the content that follows the 'ja3_hash' keyword has
the correct length.

diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c
index 4f35062bc2e609c4d389969d5c71c6d556df4ac5..714137fae748e4df82f41c17cfe2286839404d4f 100644 (file)
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
@@ -64,6 +64,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *_f, const uint8_t _flow_flags,
        void *txv, const int list_id);
+static _Bool DetectTlsJa3HashValidateCallback(const Signature *s,
+       const char **sigerror);
 static int g_tls_ja3_hash_buffer_id = 0;
 
 /**
@@ -89,6 +91,9 @@ void DetectTlsJa3HashRegister(void)
 
     DetectBufferTypeSetDescriptionByName("ja3_hash", "TLS JA3 hash");
 
+    DetectBufferTypeRegisterValidateCallback("ja3_hash",
+            DetectTlsJa3HashValidateCallback);
+
     g_tls_ja3_hash_buffer_id = DetectBufferTypeGetByName("ja3_hash");
 }
 
@@ -140,6 +145,30 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
     return buffer;
 }
 
+static _Bool DetectTlsJa3HashValidateCallback(const Signature *s,
+                                              const char **sigerror)
+{
+    const SigMatch *sm = s->init_data->smlists[g_tls_ja3_hash_buffer_id];
+    for ( ; sm != NULL; sm = sm->next)
+    {
+        if (sm->type != DETECT_CONTENT)
+            continue;
+
+        DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+        if (cd->content_len == 32)
+            return TRUE;
+
+        *sigerror = "Invalid length of the specified JA3 hash (should "
+                    "be 32 characters long). This rule will therefore "
+                    "never match.";
+        SCLogWarning(SC_WARN_POOR_RULE,  "rule %u: %s", s->id, *sigerror);
+        return FALSE;
+    }
+
+    return TRUE;
+}
+
 #ifndef HAVE_NSS
 
 static void DetectTlsJa3HashRegisterTests(void)