detect/tls: more precise state registration for keywords
authorVictor Julien <vjulien@oisf.net>
Fri, 28 Feb 2025 08:28:10 +0000 (09:28 +0100)
committerVictor Julien <victor@inliniac.net>
Mon, 7 Apr 2025 20:04:13 +0000 (22:04 +0200)
src/detect-ja4-hash.c
src/detect-tls-ja3-hash.c
src/detect-tls-ja3-string.c
src/detect-tls-ja3s-hash.c
src/detect-tls-ja3s-string.c
src/detect-tls-random.c

index 3a835b2e3aea858a8028c3712ad5329cd8ac11e0..645c6eba54a7be44ff4cceade0d613ae4786a29e 100644 (file)
@@ -83,11 +83,11 @@ void DetectJa4HashRegister(void)
     sigmatch_table[DETECT_JA4_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
 #ifdef HAVE_JA4
-    DetectAppLayerInspectEngineRegister("ja4.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
-            DetectEngineInspectBufferGeneric, GetData);
+    DetectAppLayerInspectEngineRegister("ja4.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER,
+            TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetData);
 
-    DetectAppLayerMpmRegister(
-            "ja4.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
+    DetectAppLayerMpmRegister("ja4.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
+            GetData, ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE);
 
     DetectAppLayerMpmRegister("ja4.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
             Ja4DetectGetHash, ALPROTO_QUIC, 1);
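Review bot: The QUIC registration at the end of this hunk still passes a bare `1` as its progress argument, while the TLS registrations just above it now use the named `TLS_STATE_CLIENT_HELLO_DONE`, so the two transports read inconsistently. Nothing in the hunk records why inspection is tied to that state; a short comment above the TLS calls such as `/* JA4 is computed from the ClientHello: inspect once it is fully parsed */` would state the intent, and the QUIC `1` deserves a named constant or a comment saying which state it stands for. Rules on this buffer presumably now run only once the parser reports that progress, so a test with a ClientHello split across segments would confirm the buffer is still matched. The same applies to the ja3.hash and ja3.string hunks; DetectJa4HashRegister begins and ends outside the hunk.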
index a326f1232e7ea641129f177753a6b1dd7ecb3e77..f4d7154d0343f91b97931d618b20b196fd18e21f 100644 (file)
@@ -92,11 +92,11 @@ void DetectTlsJa3HashRegister(void)
     sigmatch_table[DETECT_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
 #ifdef HAVE_JA3
-    DetectAppLayerInspectEngineRegister("ja3.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
-            DetectEngineInspectBufferGeneric, GetData);
+    DetectAppLayerInspectEngineRegister("ja3.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER,
+            TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetData);
 
-    DetectAppLayerMpmRegister(
-            "ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
+    DetectAppLayerMpmRegister("ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
+            GetData, ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE);
 
     DetectAppLayerMpmRegister("ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
             Ja3DetectGetHash, ALPROTO_QUIC, 1);
index 9b62f425d014c381c4cfd993f677bbe3af7d25e0..81b44c42fc6eac0acb5dbdbaed0c619c83f1d615 100644 (file)
@@ -91,11 +91,11 @@ void DetectTlsJa3StringRegister(void)
     sigmatch_table[DETECT_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
 #ifdef HAVE_JA3
-    DetectAppLayerInspectEngineRegister("ja3.string", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
-            DetectEngineInspectBufferGeneric, GetData);
+    DetectAppLayerInspectEngineRegister("ja3.string", ALPROTO_TLS, SIG_FLAG_TOSERVER,
+            TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetData);
 
     DetectAppLayerMpmRegister("ja3.string", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
-            GetData, ALPROTO_TLS, 0);
+            GetData, ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE);
 
     DetectAppLayerMpmRegister("ja3.string", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
             Ja3DetectGetString, ALPROTO_QUIC, 1);
index ee2c7ef4f73e35535a89a3defe86424819bae988..2bec72516924a69ceedcbce5bd5390f578a904ac 100644 (file)
@@ -91,11 +91,11 @@ void DetectTlsJa3SHashRegister(void)
     sigmatch_table[DETECT_TLS_JA3S_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
 #ifdef HAVE_JA3
-    DetectAppLayerInspectEngineRegister("ja3s.hash", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
-            DetectEngineInspectBufferGeneric, GetData);
+    DetectAppLayerInspectEngineRegister("ja3s.hash", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
+            TLS_STATE_SERVER_HELLO, DetectEngineInspectBufferGeneric, GetData);
 
     DetectAppLayerMpmRegister("ja3s.hash", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
-            GetData, ALPROTO_TLS, 0);
+            GetData, ALPROTO_TLS, TLS_STATE_SERVER_HELLO);
 
     DetectAppLayerMpmRegister("ja3s.hash", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
             Ja3DetectGetHash, ALPROTO_QUIC, 1);
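Review bot: The server-side buffer is registered at `TLS_STATE_SERVER_HELLO`, whereas the client-side buffers in this commit wait for `TLS_STATE_CLIENT_HELLO_DONE`, and neither the hunk nor the commit message says why the two directions differ. If JA3S is only filled in after the whole ServerHello has been parsed, the to-client registration should be checked against the state the parser sets at that point; otherwise a comment like `/* JA3S is available as soon as the ServerHello is parsed */` above the call would make the choice explicit. The ja3s.string hunk has the same registration. DetectTlsJa3SHashRegister extends beyond the hunk.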
index fd789bd90247f981787cba21c3004f596175d56a..857e045f7d4d3c1733592e35513f65453be16f87 100644 (file)
@@ -90,11 +90,11 @@ void DetectTlsJa3SStringRegister(void)
     sigmatch_table[DETECT_TLS_JA3S_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
 #ifdef HAVE_JA3
-    DetectAppLayerInspectEngineRegister("ja3s.string", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
-            DetectEngineInspectBufferGeneric, GetData);
+    DetectAppLayerInspectEngineRegister("ja3s.string", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
+            TLS_STATE_SERVER_HELLO, DetectEngineInspectBufferGeneric, GetData);
 
     DetectAppLayerMpmRegister("ja3s.string", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
-            GetData, ALPROTO_TLS, 0);
+            GetData, ALPROTO_TLS, TLS_STATE_SERVER_HELLO);
 
     DetectAppLayerMpmRegister("ja3s.string", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
             Ja3DetectGetString, ALPROTO_QUIC, 1);
index 2e6aa97672cbeda20f5c3b726c6d1c065a1bd64f..76e6049069873311584e1f0b7b5d9cfb14bdfbea 100644 (file)
@@ -62,16 +62,16 @@ void DetectTlsRandomTimeRegister(void)
     sigmatch_table[DETECT_TLS_RANDOM_TIME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
 
     /* Register engine for Server random */
-    DetectAppLayerInspectEngineRegister("tls.random_time", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
-            DetectEngineInspectBufferGeneric, GetRandomTimeData);
+    DetectAppLayerInspectEngineRegister("tls.random_time", ALPROTO_TLS, SIG_FLAG_TOSERVER,
+            TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetRandomTimeData);
     DetectAppLayerMpmRegister("tls.random_time", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
-            GetRandomTimeData, ALPROTO_TLS, 0);
+            GetRandomTimeData, ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE);
 
     /* Register engine for Client random */
-    DetectAppLayerInspectEngineRegister("tls.random_time", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
-            DetectEngineInspectBufferGeneric, GetRandomTimeData);
+    DetectAppLayerInspectEngineRegister("tls.random_time", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
+            TLS_STATE_SERVER_HELLO, DetectEngineInspectBufferGeneric, GetRandomTimeData);
     DetectAppLayerMpmRegister("tls.random_time", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
-            GetRandomTimeData, ALPROTO_TLS, 0);
+            GetRandomTimeData, ALPROTO_TLS, TLS_STATE_SERVER_HELLO);
 
     DetectBufferTypeSetDescriptionByName("tls.random_time", "TLS Random Time");
 
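Review bot: The comments in this hunk no longer match the code beneath them: `/* Register engine for Server random */` sits above the `SIG_FLAG_TOSERVER` registration that now waits for `TLS_STATE_CLIENT_HELLO_DONE`, and `/* Register engine for Client random */` sits above the `SIG_FLAG_TOCLIENT` one using `TLS_STATE_SERVER_HELLO`. With the state names spelled out the labels look swapped; I would change them to `/* to server: random from the ClientHello */` and `/* to client: random from the ServerHello */`. The DetectTlsRandomBytesRegister hunk carries the same two comments. DetectTlsRandomTimeRegister extends beyond the hunk.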
@@ -89,16 +89,16 @@ void DetectTlsRandomBytesRegister(void)
     sigmatch_table[DETECT_TLS_RANDOM_BYTES].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
 
     /* Register engine for Server random */
-    DetectAppLayerInspectEngineRegister("tls.random_bytes", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
-            DetectEngineInspectBufferGeneric, GetRandomBytesData);
+    DetectAppLayerInspectEngineRegister("tls.random_bytes", ALPROTO_TLS, SIG_FLAG_TOSERVER,
+            TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetRandomBytesData);
     DetectAppLayerMpmRegister("tls.random_bytes", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
-            GetRandomBytesData, ALPROTO_TLS, 0);
+            GetRandomBytesData, ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE);
 
     /* Register engine for Client random */
-    DetectAppLayerInspectEngineRegister("tls.random_bytes", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
-            DetectEngineInspectBufferGeneric, GetRandomBytesData);
+    DetectAppLayerInspectEngineRegister("tls.random_bytes", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
+            TLS_STATE_SERVER_HELLO, DetectEngineInspectBufferGeneric, GetRandomBytesData);
     DetectAppLayerMpmRegister("tls.random_bytes", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
-            GetRandomBytesData, ALPROTO_TLS, 0);
+            GetRandomBytesData, ALPROTO_TLS, TLS_STATE_SERVER_HELLO);
 
     DetectBufferTypeSetDescriptionByName("tls.random_bytes", "TLS Random Bytes");