static int g_tls_cert_fingerprint_buffer_id = 0;
/**
- * \brief Registration function for keyword: tls_cert_fingerprint
+ * \brief Registration function for keyword: tls.cert_fingerprint
*/
void DetectTlsFingerprintRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].name = "tls_cert_fingerprint";
+ sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].name = "tls.cert_fingerprint";
+ sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].alias = "tls_cert_fingerprint";
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].desc = "content modifier to match the TLS cert fingerprint buffer";
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-fingerprint";
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].Match = NULL;
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].RegisterTests = DetectTlsFingerprintRegisterTests;
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("tls_cert_fingerprint", ALPROTO_TLS,
+ DetectAppLayerInspectEngineRegister2("tls.cert_fingerprint", ALPROTO_TLS,
SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("tls_cert_fingerprint", SIG_FLAG_TOCLIENT, 2,
+ DetectAppLayerMpmRegister2("tls.cert_fingerprint", SIG_FLAG_TOCLIENT, 2,
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
TLS_STATE_CERT_READY);
- DetectBufferTypeSetDescriptionByName("tls_cert_fingerprint",
+ DetectBufferTypeSetDescriptionByName("tls.cert_fingerprint",
"TLS certificate fingerprint");
- DetectBufferTypeRegisterSetupCallback("tls_cert_fingerprint",
+ DetectBufferTypeRegisterSetupCallback("tls.cert_fingerprint",
DetectTlsFingerprintSetupCallback);
- DetectBufferTypeRegisterValidateCallback("tls_cert_fingerprint",
+ DetectBufferTypeRegisterValidateCallback("tls.cert_fingerprint",
DetectTlsFingerprintValidateCallback);
- g_tls_cert_fingerprint_buffer_id = DetectBufferTypeGetByName("tls_cert_fingerprint");
+ g_tls_cert_fingerprint_buffer_id = DetectBufferTypeGetByName("tls.cert_fingerprint");
}
/**
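Review bot: The `desc` string left as context in DetectTlsFingerprintRegister still calls the keyword a "content modifier" although this hunk now sets `SIGMATCH_INFO_STICKY_BUFFER`, so the description and the flag disagree; wording such as `"sticky buffer to match the TLS cert fingerprint"` would match the flag. The same applies to the issuer, serial, subject, ja3.hash, ja3.string and tls.sni registration hunks below. The buffer name is also repeated as a literal in six calls plus `.name`; a file-local `#define BUFFER_NAME "tls.cert_fingerprint"` would keep the inspect-engine, MPM and `DetectBufferTypeGetByName` registrations from drifting apart on the next rename, which would presumably leave a keyword that parses but inspects nothing. A short comment on the `.alias` line, e.g. `/* legacy spelling, kept so existing rulesets keep loading */`, would record why it has to stay.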
if (have_delimiters == FALSE) {
*sigerror = "No colon delimiters ':' detected in content after "
- "tls_cert_fingerprint. This rule will therefore "
+ "tls.cert_fingerprint. This rule will therefore "
"never match.";
SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
return FALSE;
}
if (cd->flags & DETECT_CONTENT_NOCASE) {
- *sigerror = "tls_cert_fingerprint should not be used together "
+ *sigerror = "tls.cert_fingerprint should not be used together "
"with nocase, since the rule is automatically "
"lowercased anyway which makes nocase redundant.";
SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
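Review bot: Both `*sigerror` messages in this hunk now hard-code the dotted name, so a rule written with the legacy `tls_cert_fingerprint` alias gets an `SC_WARN_POOR_RULE` warning naming a keyword that does not appear in the rule text. Someone triaging load warnings then has only the sid to locate the offending line. Mentioning both spellings once, e.g. `"tls.cert_fingerprint (alias tls_cert_fingerprint). This rule will therefore "`, would keep the warning actionable. The same wording change appears in the tls.cert_serial and ja3.hash validate hunks, and the callback's body starts and ends outside this hunk.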
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
- "(msg:\"Testing tls_cert_fingerprint\"; "
- "tls_cert_fingerprint; "
+ "(msg:\"Testing tls.cert_fingerprint\"; "
+ "tls.cert_fingerprint; "
"content:\"11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00\"; "
"sid:1;)");
FAIL_IF_NULL(de_ctx->sig_list);
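Review bot: After this change no visible test loads a rule through the legacy spelling: this signature and the one in the next hunk both use `tls.cert_fingerprint;`, and the issuer, serial, subject, ja3 and sni test hunks make the same switch. Rulesets written before the rename presumably still use `tls_cert_fingerprint`, and the new `.alias` entry is the only thing that keeps them loading, so a regression there would drop rules at load time and leave a detection gap. I would add one parse-only test per renamed keyword that keeps the old spelling, i.e. a signature containing `"tls_cert_fingerprint; "` checked with `FAIL_IF_NULL`. The test function starts and ends outside this hunk.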
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_cert_fingerprint\"; "
- "tls_cert_fingerprint; "
+ "(msg:\"Test tls.cert_fingerprint\"; "
+ "tls.cert_fingerprint; "
"content:\"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18\"; "
"sid:1;)");
FAIL_IF_NULL(s);
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
- * Implements support for tls_cert_issuer keyword.
+ * Implements support for tls.cert_issuer keyword.
*/
#include "suricata-common.h"
static int g_tls_cert_issuer_buffer_id = 0;
/**
- * \brief Registration function for keyword: tls_cert_issuer
+ * \brief Registration function for keyword: tls.cert_issuer
*/
void DetectTlsIssuerRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].name = "tls_cert_issuer";
+ sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].name = "tls.cert_issuer";
+ sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].alias = "tls_cert_issuer";
sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].desc = "content modifier to match specifically and only on the TLS cert issuer buffer";
sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-issuer";
sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Match = NULL;
sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].RegisterTests = DetectTlsIssuerRegisterTests;
sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("tls_cert_issuer", ALPROTO_TLS,
+ DetectAppLayerInspectEngineRegister2("tls.cert_issuer", ALPROTO_TLS,
SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("tls_cert_issuer", SIG_FLAG_TOCLIENT, 2,
+ DetectAppLayerMpmRegister2("tls.cert_issuer", SIG_FLAG_TOCLIENT, 2,
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
TLS_STATE_CERT_READY);
- DetectBufferTypeSetDescriptionByName("tls_cert_issuer",
+ DetectBufferTypeSetDescriptionByName("tls.cert_issuer",
"TLS certificate issuer");
- g_tls_cert_issuer_buffer_id = DetectBufferTypeGetByName("tls_cert_issuer");
+ g_tls_cert_issuer_buffer_id = DetectBufferTypeGetByName("tls.cert_issuer");
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
- "(msg:\"Testing tls_cert_issuer\"; "
- "tls_cert_issuer; content:\"test\"; sid:1;)");
+ "(msg:\"Testing tls.cert_issuer\"; "
+ "tls.cert_issuer; content:\"test\"; sid:1;)");
FAIL_IF_NULL(de_ctx->sig_list);
/* sm should not be in the MATCH list */
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_cert_issuer\"; "
- "tls_cert_issuer; content:\"google\"; nocase; "
+ "(msg:\"Test tls.cert_issuer\"; "
+ "tls.cert_issuer; content:\"google\"; nocase; "
"sid:1;)");
FAIL_IF_NULL(s);
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
- * Implements support for tls_cert_serial keyword.
+ * Implements support for tls.cert_serial keyword.
*/
#include "suricata-common.h"
static int g_tls_cert_serial_buffer_id = 0;
/**
- * \brief Registration function for keyword: tls_cert_serial
+ * \brief Registration function for keyword: tls.cert_serial
*/
void DetectTlsSerialRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].name = "tls_cert_serial";
+ sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].name = "tls.cert_serial";
+ sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].alias = "tls_cert_serial";
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].desc = "content modifier to match the TLS cert serial buffer";
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-serial";
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].Match = NULL;
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].RegisterTests = DetectTlsSerialRegisterTests;
sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("tls_cert_serial", ALPROTO_TLS,
+ DetectAppLayerInspectEngineRegister2("tls.cert_serial", ALPROTO_TLS,
SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("tls_cert_serial", SIG_FLAG_TOCLIENT, 2,
+ DetectAppLayerMpmRegister2("tls.cert_serial", SIG_FLAG_TOCLIENT, 2,
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
TLS_STATE_CERT_READY);
- DetectBufferTypeSetDescriptionByName("tls_cert_serial",
+ DetectBufferTypeSetDescriptionByName("tls.cert_serial",
"TLS certificate serial number");
- DetectBufferTypeRegisterSetupCallback("tls_cert_serial",
+ DetectBufferTypeRegisterSetupCallback("tls.cert_serial",
DetectTlsSerialSetupCallback);
- DetectBufferTypeRegisterValidateCallback("tls_cert_serial",
+ DetectBufferTypeRegisterValidateCallback("tls.cert_serial",
DetectTlsSerialValidateCallback);
- g_tls_cert_serial_buffer_id = DetectBufferTypeGetByName("tls_cert_serial");
+ g_tls_cert_serial_buffer_id = DetectBufferTypeGetByName("tls.cert_serial");
}
/**
const DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_NOCASE) {
- *sigerror = "tls_cert_serial should not be used together "
+ *sigerror = "tls.cert_serial should not be used together "
"with nocase, since the rule is automatically "
"uppercased anyway which makes nocase redundant.";
SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
return TRUE;
*sigerror = "No colon delimiters ':' detected in content after "
- "tls_cert_serial. This rule will therefore never "
+ "tls.cert_serial. This rule will therefore never "
"match.";
SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
#ifdef UNITTESTS
/**
- * \test Test that a signature containing tls_cert_serial is correctly parsed
+ * \test Test that a signature containing tls.cert_serial is correctly parsed
* and that the keyword is registered.
*/
static int DetectTlsSerialTest01(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
- "(msg:\"Testing tls_cert_serial\"; "
- "tls_cert_serial; content:\"XX:XX:XX\"; sid:1;)");
+ "(msg:\"Testing tls.cert_serial\"; "
+ "tls.cert_serial; content:\"XX:XX:XX\"; sid:1;)");
FAIL_IF_NULL(de_ctx->sig_list);
/* sm should not be in the MATCH list */
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_cert_serial\"; "
- "tls_cert_serial; "
+ "(msg:\"Test tls.cert_serial\"; "
+ "tls.cert_serial; "
"content:\"5C:19:B7:B1:32:3B:1C:A1\"; "
"sid:1;)");
FAIL_IF_NULL(s);
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
- * Implements support for tls_cert_subject keyword.
+ * Implements support for tls.cert_subject keyword.
*/
#include "suricata-common.h"
static int g_tls_cert_subject_buffer_id = 0;
/**
- * \brief Registration function for keyword: tls_cert_subject
+ * \brief Registration function for keyword: tls.cert_subject
*/
void DetectTlsSubjectRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls_cert_subject";
+ sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls.cert_subject";
+ sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].alias = "tls_cert_subject";
sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].desc = "content modifier to match specifically and only on the TLS cert subject buffer";
sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-subject";
sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Match = NULL;
sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("tls_cert_subject", ALPROTO_TLS,
+ DetectAppLayerInspectEngineRegister2("tls.cert_subject", ALPROTO_TLS,
SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("tls_cert_subject", SIG_FLAG_TOCLIENT, 2,
+ DetectAppLayerMpmRegister2("tls.cert_subject", SIG_FLAG_TOCLIENT, 2,
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
TLS_STATE_CERT_READY);
- DetectBufferTypeSetDescriptionByName("tls_cert_subject",
+ DetectBufferTypeSetDescriptionByName("tls.cert_subject",
"TLS certificate subject");
- g_tls_cert_subject_buffer_id = DetectBufferTypeGetByName("tls_cert_subject");
+ g_tls_cert_subject_buffer_id = DetectBufferTypeGetByName("tls.cert_subject");
}
/**
- * \brief this function setup the tls_cert_subject modifier keyword used in the rule
+ * \brief this function setup the tls.cert_subject modifier keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
#ifdef UNITTESTS
/**
- * \test Test that a signature containing a tls_cert_subject is correctly parsed
+ * \test Test that a signature containing a tls.cert_subject is correctly parsed
* and that the keyword is registered.
*/
static int DetectTlsSubjectTest01(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
- "(msg:\"Testing tls_cert_subject\"; "
- "tls_cert_subject; content:\"test\"; sid:1;)");
+ "(msg:\"Testing tls.cert_subject\"; "
+ "tls.cert_subject; content:\"test\"; sid:1;)");
FAIL_IF_NULL(de_ctx->sig_list);
/* sm should not be in the MATCH list */
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_cert_subject\"; "
- "tls_cert_subject; content:\"google\"; nocase; "
+ "(msg:\"Test tls.cert_subject\"; "
+ "tls.cert_subject; content:\"google\"; nocase; "
"sid:1;)");
FAIL_IF_NULL(s);
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
- * Implements support for ja3_hash keyword.
+ * Implements support for ja3.hash keyword.
*/
#include "suricata-common.h"
*/
void DetectTlsJa3HashRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_JA3_HASH].name = "ja3_hash";
+ sigmatch_table[DETECT_AL_TLS_JA3_HASH].name = "ja3.hash";
+ sigmatch_table[DETECT_AL_TLS_JA3_HASH].alias = "ja3_hash";
sigmatch_table[DETECT_AL_TLS_JA3_HASH].desc = "content modifier to match the JA3 hash buffer";
sigmatch_table[DETECT_AL_TLS_JA3_HASH].url = DOC_URL DOC_VERSION "/rules/ja3-keywords.html#ja3-hash";
sigmatch_table[DETECT_AL_TLS_JA3_HASH].Match = NULL;
sigmatch_table[DETECT_AL_TLS_JA3_HASH].RegisterTests = DetectTlsJa3HashRegisterTests;
sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("ja3_hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
+ DetectAppLayerInspectEngineRegister2("ja3.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("ja3_hash", SIG_FLAG_TOSERVER, 2,
+ DetectAppLayerMpmRegister2("ja3.hash", SIG_FLAG_TOSERVER, 2,
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
- DetectBufferTypeSetDescriptionByName("ja3_hash", "TLS JA3 hash");
+ DetectBufferTypeSetDescriptionByName("ja3.hash", "TLS JA3 hash");
- DetectBufferTypeRegisterSetupCallback("ja3_hash",
+ DetectBufferTypeRegisterSetupCallback("ja3.hash",
DetectTlsJa3HashSetupCallback);
- DetectBufferTypeRegisterValidateCallback("ja3_hash",
+ DetectBufferTypeRegisterValidateCallback("ja3.hash",
DetectTlsJa3HashValidateCallback);
- g_tls_ja3_hash_buffer_id = DetectBufferTypeGetByName("ja3_hash");
+ g_tls_ja3_hash_buffer_id = DetectBufferTypeGetByName("ja3.hash");
}
/**
- * \brief this function setup the ja3_hash modifier keyword used in the rule
+ * \brief this function setup the ja3.hash modifier keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
const DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_NOCASE) {
- *sigerror = "ja3_hash should not be used together with "
+ *sigerror = "ja3.hash should not be used together with "
"nocase, since the rule is automatically "
"lowercased anyway which makes nocase redundant.";
SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test ja3_hash\"; ja3_hash; "
+ "(msg:\"Test ja3.hash\"; ja3.hash; "
"content:\"e7eca2baf4458d095b7f45da28c16c34\"; "
"sid:1;)");
FAIL_IF_NULL(s);
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test ja3_hash\"; ja3_hash; "
+ "(msg:\"Test ja3.hash\"; ja3.hash; "
"content:\"bc6c386f480ee97b9d9e52d472b772d8\"; "
"sid:1;)");
FAIL_IF_NULL(s);
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
- * Implements support for ja3_string keyword.
+ * Implements support for ja3.string keyword.
*/
#include "suricata-common.h"
static int g_tls_ja3_str_buffer_id = 0;
/**
- * \brief Registration function for keyword: ja3_string
+ * \brief Registration function for keyword: ja3.string
*/
void DetectTlsJa3StringRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_JA3_STRING].name = "ja3_string";
+ sigmatch_table[DETECT_AL_TLS_JA3_STRING].name = "ja3.string";
+ sigmatch_table[DETECT_AL_TLS_JA3_STRING].alias = "ja3_string";
sigmatch_table[DETECT_AL_TLS_JA3_STRING].desc = "content modifier to match the JA3 string buffer";
sigmatch_table[DETECT_AL_TLS_JA3_STRING].url = DOC_URL DOC_VERSION "/rules/ja3-keywords.html#ja3-string";
sigmatch_table[DETECT_AL_TLS_JA3_STRING].Match = NULL;
sigmatch_table[DETECT_AL_TLS_JA3_STRING].RegisterTests = DetectTlsJa3StringRegisterTests;
sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("ja3_string", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
+ DetectAppLayerInspectEngineRegister2("ja3.string", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("ja3_string", SIG_FLAG_TOSERVER, 2,
+ DetectAppLayerMpmRegister2("ja3.string", SIG_FLAG_TOSERVER, 2,
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
- DetectBufferTypeSetDescriptionByName("ja3_string", "TLS JA3 string");
+ DetectBufferTypeSetDescriptionByName("ja3.string", "TLS JA3 string");
- g_tls_ja3_str_buffer_id = DetectBufferTypeGetByName("ja3_string");
+ g_tls_ja3_str_buffer_id = DetectBufferTypeGetByName("ja3.string");
}
/**
- * \brief this function setup the ja3_string modifier keyword used in the rule
+ * \brief this function setup the ja3.string modifier keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test ja3_string\"; ja3_string; "
+ "(msg:\"Test ja3.string\"; ja3.string; "
"content:\"-65-68-69-102-103-104-105-106-107-132-135-255,0,,\"; "
"sid:1;)");
FAIL_IF_NULL(s);
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
- * Implements support for tls_sni keyword.
+ * Implements support for tls.sni keyword.
*/
#include "suricata-common.h"
static int g_tls_sni_buffer_id = 0;
/**
- * \brief Registration function for keyword: tls_sni
+ * \brief Registration function for keyword: tls.sni
*/
void DetectTlsSniRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_SNI].name = "tls_sni";
+ sigmatch_table[DETECT_AL_TLS_SNI].name = "tls.sni";
+ sigmatch_table[DETECT_AL_TLS_SNI].alias = "tls_sni";
sigmatch_table[DETECT_AL_TLS_SNI].desc = "content modifier to match specifically and only on the TLS SNI buffer";
sigmatch_table[DETECT_AL_TLS_SNI].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-sni";
sigmatch_table[DETECT_AL_TLS_SNI].Match = NULL;
sigmatch_table[DETECT_AL_TLS_SNI].RegisterTests = DetectTlsSniRegisterTests;
sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("tls_sni", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
+ DetectAppLayerInspectEngineRegister2("tls.sni", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("tls_sni", SIG_FLAG_TOSERVER, 2,
+ DetectAppLayerMpmRegister2("tls.sni", SIG_FLAG_TOSERVER, 2,
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
- DetectBufferTypeSetDescriptionByName("tls_sni",
+ DetectBufferTypeSetDescriptionByName("tls.sni",
"TLS Server Name Indication (SNI) extension");
- g_tls_sni_buffer_id = DetectBufferTypeGetByName("tls_sni");
+ g_tls_sni_buffer_id = DetectBufferTypeGetByName("tls.sni");
}
/**
- * \brief this function setup the tls_sni modifier keyword used in the rule
+ * \brief this function setup the tls.sni modifier keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_sni option\"; "
- "tls_sni; content:\"google.com\"; sid:1;)");
+ "(msg:\"Test tls.sni option\"; "
+ "tls.sni; content:\"google.com\"; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_sni option\"; "
- "tls_sni; content:\"google\"; nocase; "
+ "(msg:\"Test tls.sni option\"; "
+ "tls.sni; content:\"google\"; nocase; "
"pcre:\"/google\\.com$/i\"; sid:1;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_sni option\"; "
- "tls_sni; content:\"google\"; nocase; "
+ "(msg:\"Test tls.sni option\"; "
+ "tls.sni; content:\"google\"; nocase; "
"pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
FAIL_IF_NULL(s);