return cnt;
}
-/** \brief TLS fingerprint Mpm prefilter callback
- *
- * \param det_ctx detection engine thread ctx
- * \param p packet to inspect
- * \param f flow to inspect
- * \param txv tx to inspect
- * \param pectx inspection context
- */
-static void PrefilterTxTlsFingerprint(DetectEngineThreadCtx *det_ctx,
- const void *pectx, Packet *p, Flow *f,
- void *txv, const uint64_t idx,
- const uint8_t flags)
-{
- SCEnter();
-
- const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
- const SSLState *ssl_state = f->alstate;
-
- if (ssl_state->server_connp.cert0_fingerprint == NULL)
- return;
-
- const uint8_t *buffer = (const uint8_t *)ssl_state->server_connp.cert0_fingerprint;
- const uint32_t buffer_len = strlen(ssl_state->server_connp.cert0_fingerprint);
-
- if (buffer_len >= mpm_ctx->minlen) {
- (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, &det_ctx->mtcu,
- &det_ctx->pmq, buffer, buffer_len);
- }
-}
-
-int PrefilterTxTlsFingerprintRegister(DetectEngineCtx *de_ctx,
- SigGroupHead *sgh, MpmCtx *mpm_ctx)
-{
- SCEnter();
-
- return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxTlsFingerprint, ALPROTO_TLS,
- TLS_STATE_CERT_READY, mpm_ctx, NULL,
- "tls_cert_fingerprint");
-}
-
-/** \brief Do the content inspection and validation for a signature
- *
- * \param de_ctx Detection engine context
- * \param det_ctx Detection engine thread context
- * \param s Signature to inspect
- * \param sm SigMatch to inspect
- * \param f Flow
- * \param flags App layer flags
- * \param state App layer state
- *
- * \retval 0 No match
- * \retval 1 Match
- */
-int DetectEngineInspectTlsFingerprint(ThreadVars *tv, DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx,const Signature *s,
- const SigMatchData *smd, Flow *f,
- uint8_t flags, void *alstate, void *txv,
- uint64_t tx_id)
-{
- uint8_t *buffer;
- uint32_t buffer_len;
- int cnt = 0;
-
- SSLState *ssl_state = (SSLState *)alstate;
-
- if (ssl_state->server_connp.cert0_fingerprint == NULL)
- return 0;
-
- buffer = (uint8_t *)ssl_state->server_connp.cert0_fingerprint;
- buffer_len = strlen(ssl_state->server_connp.cert0_fingerprint);
-
- cnt = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
- f, buffer, buffer_len, 0, DETECT_CI_FLAGS_SINGLE,
- DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
-
- return cnt;
-}
int DetectEngineInspectTlsValidity(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const Signature *s, const SigMatchData *smd,
SigGroupHead *sgh, MpmCtx *mpm_ctx);
int PrefilterTxTlsSerialRegister(DetectEngineCtx *de_ctx,
SigGroupHead *sgh, MpmCtx *mpm_ctx);
-int PrefilterTxTlsFingerprintRegister(DetectEngineCtx *de_ctx,
- SigGroupHead *sgh, MpmCtx *mpm_ctx);
int DetectEngineInspectTlsSni(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags,
void *alstate, void *txv, uint64_t tx_id);
-int DetectEngineInspectTlsFingerprint(ThreadVars *tv,
- DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
- const Signature *s, const SigMatchData *smd,
- Flow *f, uint8_t flags,
- void *alstate, void *txv, uint64_t tx_id);
-
int DetectEngineInspectTlsValidity(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const Signature *s, const SigMatchData *smd,
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
-#include "detect-engine-tls.h"
+#include "detect-engine-prefilter.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-tls-cert-fingerprint.h"
static int DetectTlsFingerprintSetup(DetectEngineCtx *, Signature *, const char *);
static void DetectTlsFingerprintRegisterTests(void);
+static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms,
+ Flow *_f, const uint8_t _flow_flags,
+ void *txv, const int list_id);
static int g_tls_cert_fingerprint_buffer_id = 0;
/**
sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_NOOPT;
- DetectAppLayerMpmRegister("tls_cert_fingerprint", SIG_FLAG_TOCLIENT, 2,
- PrefilterTxTlsFingerprintRegister);
+ DetectAppLayerInspectEngineRegister2("tls_cert_fingerprint", ALPROTO_TLS,
+ SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
+ DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerInspectEngineRegister("tls_cert_fingerprint", ALPROTO_TLS,
- SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY, DetectEngineInspectTlsFingerprint);
+ DetectAppLayerMpmRegister2("tls_cert_fingerprint", SIG_FLAG_TOCLIENT, 2,
+ PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
+ TLS_STATE_CERT_READY);
+
+ DetectBufferTypeSetDescriptionByName("tls_cert_fingerprint",
+ "TLS certificate fingerprint");
g_tls_cert_fingerprint_buffer_id = DetectBufferTypeGetByName("tls_cert_fingerprint");
}
static int DetectTlsFingerprintSetup(DetectEngineCtx *de_ctx, Signature *s,
const char *str)
{
- s->init_data->list = g_tls_cert_fingerprint_buffer_id;
+ DetectBufferSetActiveList(s, g_tls_cert_fingerprint_buffer_id);
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
return 0;
}
+static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f,
+ const uint8_t _flow_flags, void *txv, const int list_id)
+{
+ BUG_ON(det_ctx->inspect_buffers == NULL);
+ InspectionBuffer *buffer = &det_ctx->inspect_buffers[list_id];
+
+ if (buffer->inspect == NULL) {
+ SSLState *ssl_state = (SSLState *)_f->alstate;
+
+ if (ssl_state->server_connp.cert0_fingerprint == NULL) {
+ return NULL;
+ }
+
+ const uint32_t data_len = strlen(ssl_state->server_connp.cert0_fingerprint);
+ const uint8_t *data = (uint8_t *)ssl_state->server_connp.cert0_fingerprint;
+
+ InspectionBufferSetup(buffer, data, data_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+
+ return buffer;
+}
+
#ifdef UNITTESTS
/**
projects / thirdparty / suricata.git / commitdiff
