static pcre_extra *fingerprint_parse_regex_study;
static int DetectTlsSubjectMatch (ThreadVars *, DetectEngineThreadCtx *,
- Flow *, uint8_t, void *,
- const Signature *, const SigMatchData *);
+ Flow *, uint8_t, void *, void *,
+ const Signature *, const SigMatchCtx *);
static int DetectTlsSubjectSetup (DetectEngineCtx *, Signature *, char *);
static void DetectTlsSubjectRegisterTests(void);
static void DetectTlsSubjectFree(void *);
static int DetectTlsIssuerDNMatch (ThreadVars *, DetectEngineThreadCtx *,
- Flow *, uint8_t, void *,
- const Signature *, const SigMatchData *);
+ Flow *, uint8_t, void *, void *,
+ const Signature *, const SigMatchCtx *);
static int DetectTlsIssuerDNSetup (DetectEngineCtx *, Signature *, char *);
static void DetectTlsIssuerDNRegisterTests(void);
static void DetectTlsIssuerDNFree(void *);
static int DetectTlsFingerprintMatch (ThreadVars *, DetectEngineThreadCtx *,
- Flow *, uint8_t, void *,
- const Signature *, const SigMatchData *);
+ Flow *, uint8_t, void *, void *,
+ const Signature *, const SigMatchCtx *);
static int DetectTlsFingerprintSetup (DetectEngineCtx *, Signature *, char *);
static void DetectTlsFingerprintFree(void *);
static int DetectTlsStorePostMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Packet *, const Signature *s, const SigMatchCtx *unused);
+static int g_tls_cert_list_id = 0;
+
+static int InspectTlsCert(ThreadVars *tv,
+ DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+ const Signature *s, const SigMatchData *smd,
+ Flow *f, uint8_t flags, void *alstate,
+ void *txv, uint64_t tx_id)
+{
+ return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
+ f, flags, alstate, txv, tx_id);
+}
+
/**
* \brief Registration function for keyword: tls.version
*/
sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject";
sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field";
sigmatch_table[DETECT_AL_TLS_SUBJECT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlssubject";
- sigmatch_table[DETECT_AL_TLS_SUBJECT].Match = NULL;
- sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerMatch = DetectTlsSubjectMatch;
+ sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerTxMatch = DetectTlsSubjectMatch;
sigmatch_table[DETECT_AL_TLS_SUBJECT].Setup = DetectTlsSubjectSetup;
sigmatch_table[DETECT_AL_TLS_SUBJECT].Free = DetectTlsSubjectFree;
sigmatch_table[DETECT_AL_TLS_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn";
sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field";
sigmatch_table[DETECT_AL_TLS_ISSUERDN].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsissuerdn";
- sigmatch_table[DETECT_AL_TLS_ISSUERDN].Match = NULL;
- sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerMatch = DetectTlsIssuerDNMatch;
+ sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerTxMatch = DetectTlsIssuerDNMatch;
sigmatch_table[DETECT_AL_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup;
sigmatch_table[DETECT_AL_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree;
sigmatch_table[DETECT_AL_TLS_ISSUERDN].RegisterTests = DetectTlsIssuerDNRegisterTests;
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint";
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint";
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsfingerprint";
- sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Match = NULL;
- sigmatch_table[DETECT_AL_TLS_FINGERPRINT].AppLayerMatch = DetectTlsFingerprintMatch;
+ sigmatch_table[DETECT_AL_TLS_FINGERPRINT].AppLayerTxMatch = DetectTlsFingerprintMatch;
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Setup = DetectTlsFingerprintSetup;
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Free = DetectTlsFingerprintFree;
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].RegisterTests = NULL;
&issuerdn_parse_regex, &issuerdn_parse_regex_study);
DetectSetupParseRegexes(PARSE_REGEX_FINGERPRINT,
&fingerprint_parse_regex, &fingerprint_parse_regex_study);
+
+ g_tls_cert_list_id = DetectBufferTypeRegister("tls_cert");
+
+ DetectAppLayerInspectEngineRegister("tls_cert",
+ ALPROTO_TLS, SIG_FLAG_TOCLIENT,
+ InspectTlsCert);
}
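Review bot: The `tls_cert` inspect engine is registered with `SIG_FLAG_TOCLIENT` only, so `tls.subject`, `tls.issuerdn` and `tls.fingerprint`, which now append to `g_tls_cert_list_id`, appear to be evaluated only in the to-client direction. If the match functions still have a to-server branch (their bodies are outside this hunk), that branch becomes unreachable and client certificates in mutual-TLS sessions would not be inspected. If that is intended, say so next to the call, e.g. `/* certificates are inspected in the to-client direction only (server certificate) */`, so rule writers do not assume coverage they do not have. The return value of `DetectBufferTypeRegister("tls_cert")` is also stored unchecked and later passed by the Setup functions to `SigMatchAppendSMToList`; confirm whether it can signal failure and, if so, check it here. The enclosing registration function starts outside the hunk.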
/**
* \retval 1 match
*/
static int DetectTlsSubjectMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state,
- const Signature *s, const SigMatchData *m)
+ Flow *f, uint8_t flags, void *state, void *txv,
+ const Signature *s, const SigMatchCtx *m)
{
SCEnter();
- const DetectTlsData *tls_data = (const DetectTlsData *)m->ctx;
+ const DetectTlsData *tls_data = (const DetectTlsData *)m;
SSLState *ssl_state = (SSLState *)state;
if (ssl_state == NULL) {
SCLogDebug("no tls state, no match");
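Review bot: The new `txv` parameter of `DetectTlsSubjectMatch` is never referenced in the lines shown, where the certificate data still comes from `state` cast to `SSLState`, and the doc comment above the signature should describe it. Add a line such as `\param txv transaction pointer supplied by the tx-aware engine; not used, matching reads the SSLState`, adjusting it if the body does use `txv`, since the body and the start of the comment are outside the hunk. If the comment has a `\param m` entry, it should now say that `m` is the keyword's own context (`const SigMatchCtx *`, cast directly to `DetectTlsData`) rather than a `SigMatchData` wrapper. The same applies to `DetectTlsIssuerDNMatch` and `DetectTlsFingerprintMatch`.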
DetectTlsData *tls = NULL;
SigMatch *sm = NULL;
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ goto error;
+ }
+
tls = DetectTlsSubjectParse(str);
if (tls == NULL)
goto error;
if (sm == NULL)
goto error;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
- goto error;
- }
-
sm->type = DETECT_AL_TLS_SUBJECT;
sm->ctx = (void *)tls;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_TLS;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
+ SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
return 0;
* \retval 1 match
*/
static int DetectTlsIssuerDNMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state,
- const Signature *s, const SigMatchData *m)
+ Flow *f, uint8_t flags, void *state, void *txv,
+ const Signature *s, const SigMatchCtx *m)
{
SCEnter();
- const DetectTlsData *tls_data = (const DetectTlsData *)m->ctx;
+ const DetectTlsData *tls_data = (const DetectTlsData *)m;
SSLState *ssl_state = (SSLState *)state;
if (ssl_state == NULL) {
SCLogDebug("no tls state, no match");
DetectTlsData *tls = NULL;
SigMatch *sm = NULL;
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ goto error;
+ }
+
tls = DetectTlsIssuerDNParse(str);
if (tls == NULL)
goto error;
if (sm == NULL)
goto error;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
- goto error;
- }
-
sm->type = DETECT_AL_TLS_ISSUERDN;
sm->ctx = (void *)tls;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_TLS;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
+ SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
return 0;
* \retval 1 match
*/
static int DetectTlsFingerprintMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state,
- const Signature *s, const SigMatchData *m)
+ Flow *f, uint8_t flags, void *state, void *txv,
+ const Signature *s, const SigMatchCtx *m)
{
SCEnter();
- const DetectTlsData *tls_data = (const DetectTlsData *)m->ctx;
+ const DetectTlsData *tls_data = (const DetectTlsData *)m;
SSLState *ssl_state = (SSLState *)state;
if (ssl_state == NULL) {
SCLogDebug("no tls state, no match");
DetectTlsData *tls = NULL;
SigMatch *sm = NULL;
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ goto error;
+ }
+
tls = DetectTlsFingerprintParse(str);
if (tls == NULL)
goto error;
if (sm == NULL)
goto error;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
- goto error;
- }
-
sm->type = DETECT_AL_TLS_FINGERPRINT;
sm->ctx = (void *)tls;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_TLS;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
+ SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
return 0;