*/
#define PARSE_REGEX "^\\s*([A-z0-9\\.]+|\"[A-z0-9\\.]+\")\\s*$"
-static pcre *parse_regex;
-static pcre_extra *parse_regex_study;
+static pcre *subject_parse_regex;
+static pcre_extra *subject_parse_regex_study;
+static pcre *issuerdn_parse_regex;
+static pcre_extra *issuerdn_parse_regex_study;
static int DetectTlsSubjectMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *);
static int DetectTlsSubjectSetup (DetectEngineCtx *, Signature *, char *);
static void DetectTlsSubjectRegisterTests(void);
static void DetectTlsSubjectFree(void *);
+static int DetectTlsIssuerDNMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *);
+static int DetectTlsIssuerDNSetup (DetectEngineCtx *, Signature *, char *);
+static void DetectTlsIssuerDNRegisterTests(void);
+static void DetectTlsIssuerDNFree(void *);
/**
* \brief Registration function for keyword: tls.version
sigmatch_table[DETECT_AL_TLS_SUBJECT].Free = DetectTlsSubjectFree;
sigmatch_table[DETECT_AL_TLS_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
+ sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn";
+ sigmatch_table[DETECT_AL_TLS_ISSUERDN].Match = NULL;
+ sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerMatch = DetectTlsIssuerDNMatch;
+ sigmatch_table[DETECT_AL_TLS_ISSUERDN].alproto = ALPROTO_TLS;
+ sigmatch_table[DETECT_AL_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup;
+ sigmatch_table[DETECT_AL_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree;
+ sigmatch_table[DETECT_AL_TLS_ISSUERDN].RegisterTests = DetectTlsIssuerDNRegisterTests;
+
const char *eb;
int eo;
int opts = 0;
SCLogDebug("registering tls.subject rule option");
- parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
- if (parse_regex == NULL) {
+ subject_parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
+ if (subject_parse_regex == NULL) {
SCLogError(SC_ERR_PCRE_COMPILE, "Compile of \"%s\" failed at offset %" PRId32 ": %s",
PARSE_REGEX, eo, eb);
goto error;
}
- parse_regex_study = pcre_study(parse_regex, 0, &eb);
+ subject_parse_regex_study = pcre_study(subject_parse_regex, 0, &eb);
+ if (eb != NULL) {
+ SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb);
+ goto error;
+ }
+
+ SCLogDebug("registering tls.issuerdn rule option");
+
+ issuerdn_parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
+ if (issuerdn_parse_regex == NULL) {
+ SCLogError(SC_ERR_PCRE_COMPILE, "Compile of \"%s\" failed at offset %" PRId32 ": %s",
+ PARSE_REGEX, eo, eb);
+ goto error;
+ }
+
+ issuerdn_parse_regex_study = pcre_study(issuerdn_parse_regex, 0, &eb);
if (eb != NULL) {
SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb);
goto error;
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
- ret = pcre_exec(parse_regex, parse_regex_study, str, strlen(str), 0, 0,
+ ret = pcre_exec(subject_parse_regex, subject_parse_regex_study, str, strlen(str), 0, 0,
ov, MAX_SUBSTRINGS);
if (ret < 1 || ret > 3) {
*/
static void DetectTlsSubjectRegisterTests(void) {
}
+
+/**
+ * \brief match the specified IssuerDN on a tls session
+ *
+ * \param t pointer to thread vars
+ * \param det_ctx pointer to the pattern matcher thread
+ * \param p pointer to the current packet
+ * \param m pointer to the sigmatch that we will cast into DetectTlsData
+ *
+ * \retval 0 no match
+ * \retval 1 match
+ */
+static int DetectTlsIssuerDNMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
+{
+ SCEnter();
+
+ DetectTlsData *tls_data = (DetectTlsData *)m->ctx;
+ SSLState *ssl_state = (SSLState *)state;
+ if (ssl_state == NULL) {
+ SCLogDebug("no tls state, no match");
+ SCReturnInt(0);
+ }
+
+ int ret = 0;
+ SCMutexLock(&f->m);
+
+ if (ssl_state->cert0_issuerdn != NULL) {
+ SCLogDebug("TLS: IssuerDN is [%s], looking for [%s]\n", ssl_state->cert0_issuerdn, tls_data->issuerdn);
+
+ if (strstr(ssl_state->cert0_issuerdn, tls_data->issuerdn) != NULL) {
+ ret = 1;
+ }
+ }
+
+ SCMutexUnlock(&f->m);
+
+ SCReturnInt(ret);
+}
+
+/**
+ * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
+ *
+ * \param idstr Pointer to the user provided id option
+ *
+ * \retval id_d pointer to DetectTlsData on success
+ * \retval NULL on failure
+ */
+static DetectTlsData *DetectTlsIssuerDNParse(char *str)
+{
+ DetectTlsData *tls = NULL;
+#define MAX_SUBSTRINGS 30
+ int ret = 0, res = 0;
+ int ov[MAX_SUBSTRINGS];
+
+ ret = pcre_exec(issuerdn_parse_regex, issuerdn_parse_regex_study, str, strlen(str), 0, 0,
+ ov, MAX_SUBSTRINGS);
+
+ if (ret < 1 || ret > 3) {
+ SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.issuerdn option");
+ goto error;
+ }
+
+ if (ret > 1) {
+ const char *str_ptr;
+ char *orig;
+ char *tmp_str;
+ res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
+ goto error;
+ }
+
+ /* We have a correct id option */
+ tls = SCMalloc(sizeof(DetectTlsData));
+ if (tls == NULL)
+ goto error;
+ tls->issuerdn = NULL;
+
+ orig = SCStrdup((char*)str_ptr);
+ tmp_str=orig;
+ if (tmp_str == NULL) {
+ goto error;
+ }
+
+ /* Let's see if we need to escape "'s */
+ if (tmp_str[0] == '"')
+ {
+ tmp_str[strlen(tmp_str) - 1] = '\0';
+ tmp_str += 1;
+ }
+
+ tls->issuerdn = SCStrdup(tmp_str);
+
+ SCFree(orig);
+
+ SCLogDebug("will look for TLS issuerdn %s", tls->issuerdn);
+ }
+
+ return tls;
+
+error:
+ if (tls != NULL)
+ DetectTlsIssuerDNFree(tls);
+ return NULL;
+
+}
+
+/**
+ * \brief this function is used to add the parsed "id" option
+ * \brief into the current signature
+ *
+ * \param de_ctx pointer to the Detection Engine Context
+ * \param s pointer to the Current Signature
+ * \param idstr pointer to the user provided "id" option
+ *
+ * \retval 0 on Success
+ * \retval -1 on Failure
+ */
+static int DetectTlsIssuerDNSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
+{
+ DetectTlsData *tls = NULL;
+ SigMatch *sm = NULL;
+
+ tls = DetectTlsIssuerDNParse(str);
+ if (tls == NULL) goto error;
+
+ /* Okay so far so good, lets get this into a SigMatch
+ * and put it in the Signature. */
+ sm = SigMatchAlloc();
+ if (sm == NULL)
+ goto error;
+
+ sm->type = DETECT_AL_TLS_ISSUERDN;
+ sm->ctx = (void *)tls;
+
+ SigMatchAppendAppLayer(s, sm);
+
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ goto error;
+ }
+
+ s->alproto = ALPROTO_TLS;
+ return 0;
+
+error:
+ if (tls != NULL) DetectTlsIssuerDNFree(tls);
+ if (sm != NULL) SCFree(sm);
+ return -1;
+
+}
+
+/**
+ * \brief this function will free memory associated with DetectTlsData
+ *
+ * \param id_d pointer to DetectTlsData
+ */
+static void DetectTlsIssuerDNFree(void *ptr)
+{
+ DetectTlsData *id_d = (DetectTlsData *)ptr;
+ SCFree(id_d->issuerdn);
+ SCFree(id_d);
+}
+
+/**
+ * \brief this function registers unit tests for DetectTlsIssuerDN
+ */
+static void DetectTlsIssuerDNRegisterTests(void)
+{
+}
projects / thirdparty / suricata.git / commitdiff
