]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 800608a)
lua: add Ja3SGetHash function
authorMats Klepsland <mats.klepsland@gmail.com>
Thu, 15 Nov 2018 21:50:57 +0000 (22:50 +0100)
committerMats Klepsland <mats.klepsland@gmail.com>
Mon, 20 May 2019 12:30:27 +0000 (14:30 +0200)
Add Ja3SGetHash() to return the content of the JA3S hash buffer from
the TLS session.

Example:

  function init (args)
      local needs = {}
      needs["protocol"] = "tls"
      return needs
  end

  function setup (args)
      filename = SCLogPath() .. "/ja3s_hash.log"
      file = assert(io.open(filename, "a"))
  end

  function log (args)
      ja3s_hash = Ja3SGetHash()
      if ja3s_hash == nil then
          return
      end

      file:write(ja3s_hash .. "\n")
      file:flush()
  end

  function deinit (args)
      file:close()
  end

In the example above, each JA3S hash is logged to a log file.

src/util-lua-ja3.c patch | blob | blame | history

diff --git a/src/util-lua-ja3.c b/src/util-lua-ja3.c
index 7029e2f2c1717a5230aaf09619f6c7cf945a8abf..c538be5271f759499adfb63d3210ce8bbe3e78f3 100644 (file)
--- a/src/util-lua-ja3.c
+++ b/src/util-lua-ja3.c
@@ -105,6 +105,29 @@ static int Ja3GetString(lua_State *luastate)
                                ssl_state->client_connp.ja3_str->used);
 }
 
+static int Ja3SGetHash(lua_State *luastate)
+{
+    if (!(LuaStateNeedProto(luastate, ALPROTO_TLS)))
+        return LuaCallbackError(luastate, "error: protocol is not tls");
+
+    Flow *f = LuaStateGetFlow(luastate);
+    if (f == NULL)
+        return LuaCallbackError(luastate, "internal error: no flow");
+
+    void *state = FlowGetAppState(f);
+    if (state == NULL)
+        return LuaCallbackError(luastate, "error: no app layer state");
+
+    SSLState *ssl_state = (SSLState *)state;
+
+    if (ssl_state->server_connp.ja3_hash == NULL)
+        return LuaCallbackError(luastate, "error: no JA3S hash");
+
+    return LuaPushStringBuffer(luastate,
+                               (uint8_t *)ssl_state->server_connp.ja3_hash,
+                               strlen(ssl_state->server_connp.ja3_hash));
+}
+
 /** *\brief Register JA3 Lua extensions */
 int LuaRegisterJa3Functions(lua_State *luastate)
 {
@@ -114,6 +137,9 @@ int LuaRegisterJa3Functions(lua_State *luastate)
     lua_pushcfunction(luastate, Ja3GetString);
     lua_setglobal(luastate, "Ja3GetString");
 
+    lua_pushcfunction(luastate, Ja3SGetHash);
+    lua_setglobal(luastate, "Ja3SGetHash");
+
     return 0;
 }
 
Mirror of https://github.com/OISF/suricata.git