#define DE_STATE_FLAG_TLSSNI_INSPECT BIT_U32(24)
#define DE_STATE_FLAG_TLSISSUER_INSPECT BIT_U32(25)
#define DE_STATE_FLAG_TLSSUBJECT_INSPECT BIT_U32(26)
-#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(27)
-#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT BIT_U32(28)
+#define DE_STATE_FLAG_TLSVALIDITY_INSPECT BIT_U32(27)
+#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(28)
+#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT BIT_U32(29)
/* state flags */
#define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001
return cnt;
}
+
+int DetectEngineInspectTlsValidity(ThreadVars *tv, DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx, Signature *s,
+ Flow *f, uint8_t flags, void *alstate,
+ void *txv, uint64_t tx_id)
+{
+ return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, f, flags,
+ alstate, txv, tx_id,
+ DETECT_SM_LIST_TLSVALIDITY_MATCH);
+}
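Review bot: DetectEngineInspectTlsValidity is added without a doxygen header; if the sibling TLS inspect functions in this file carry one (their bodies are outside this hunk, so I am inferring from the file's style), this one should match. A short block above the definition such as `/** \brief Run the DETECT_SM_LIST_TLSVALIDITY_MATCH list (tls.notbefore / tls.notafter) of \a s against a TLS transaction; all arguments are forwarded to DetectEngineInspectGenericList. */` makes the intent explicit. Since every parameter is passed straight through, the per-parameter documentation can simply refer to DetectEngineInspectGenericList rather than repeat it.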
Signature *s, Flow *f, uint8_t flags,
void *alstate, void *txv, uint64_t tx_id);
+int DetectEngineInspectTlsValidity(ThreadVars *tv, DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ Signature *s, Flow *f, uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id);
+
#endif /* __DETECT_ENGINE_TLS_H__ */
DE_STATE_FLAG_TLSSUBJECT_INSPECT,
1,
DetectEngineInspectTlsSubject },
+ { IPPROTO_TCP,
+ ALPROTO_TLS,
+ DETECT_SM_LIST_TLSVALIDITY_MATCH,
+ DE_STATE_FLAG_TLSVALIDITY_INSPECT,
+ 1,
+ DetectEngineInspectTlsValidity },
/* specifically for UDP, register again
* allows us to use the alproto w/o translation
* in the detection engine */
return "tls issuer";
case DETECT_SM_LIST_TLSSUBJECT_MATCH:
return "tls subject";
+ case DETECT_SM_LIST_TLSVALIDITY_MATCH:
+ return "tls validity";
case DETECT_SM_LIST_MODBUS_MATCH:
return "modbus";
CASE_CODE_STRING(DETECT_SM_LIST_TLSSNI_MATCH, "tls_sni");
CASE_CODE_STRING(DETECT_SM_LIST_TLSISSUER_MATCH, "tls_cert_issuer");
CASE_CODE_STRING(DETECT_SM_LIST_TLSSUBJECT_MATCH, "tls_cert_subject");
+ CASE_CODE_STRING(DETECT_SM_LIST_TLSVALIDITY_MATCH, "tls_cert_validity");
CASE_CODE_STRING(DETECT_SM_LIST_MODBUS_MATCH, "modbus");
CASE_CODE_STRING(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH, "template");
CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch");
CASE_CODE(DETECT_SM_LIST_TLSSNI_MATCH);
CASE_CODE(DETECT_SM_LIST_TLSISSUER_MATCH);
CASE_CODE(DETECT_SM_LIST_TLSSUBJECT_MATCH);
+ CASE_CODE(DETECT_SM_LIST_TLSVALIDITY_MATCH);
CASE_CODE(DETECT_SM_LIST_MODBUS_MATCH);
CASE_CODE(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH);
CASE_CODE(DETECT_SM_LIST_POSTMATCH);
sig->flags |= SIG_FLAG_STATE_MATCH;
if (sig->sm_lists[DETECT_SM_LIST_TLSSUBJECT_MATCH])
sig->flags |= SIG_FLAG_STATE_MATCH;
+ if (sig->sm_lists[DETECT_SM_LIST_TLSVALIDITY_MATCH])
+ sig->flags |= SIG_FLAG_STATE_MATCH;
if (sig->sm_lists[DETECT_SM_LIST_MODBUS_MATCH])
sig->flags |= SIG_FLAG_STATE_MATCH;
static pcre_extra *parse_regex_study;
static int DetectTlsValidityMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
- uint8_t, void *, Signature *, SigMatch *);
+ uint8_t, void *, void *, const Signature *,
+ const SigMatchCtx *);
+
static time_t DateStringToEpoch (char *);
static DetectTlsValidityData *DetectTlsValidityParse (char *);
static int DetectTlsNotBeforeSetup (DetectEngineCtx *, Signature *s, char *str);
sigmatch_table[DETECT_AL_TLS_NOTBEFORE].desc = "match TLS certificate notBefore field";
sigmatch_table[DETECT_AL_TLS_NOTBEFORE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsnotbefore";
sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Match = NULL;
- sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerMatch = DetectTlsValidityMatch;
+ sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerTxMatch = DetectTlsValidityMatch;
sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Setup = DetectTlsNotBeforeSetup;
sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Free = DetectTlsValidityFree;
sigmatch_table[DETECT_AL_TLS_NOTBEFORE].RegisterTests = TlsNotBeforeRegisterTests;
sigmatch_table[DETECT_AL_TLS_NOTAFTER].desc = "match TLS certificate notAfter field";
sigmatch_table[DETECT_AL_TLS_NOTAFTER].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsnotafter";
sigmatch_table[DETECT_AL_TLS_NOTAFTER].Match = NULL;
- sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerMatch = DetectTlsValidityMatch;
+ sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerTxMatch = DetectTlsValidityMatch;
sigmatch_table[DETECT_AL_TLS_NOTAFTER].Setup = DetectTlsNotAfterSetup;
sigmatch_table[DETECT_AL_TLS_NOTAFTER].Free = DetectTlsValidityFree;
sigmatch_table[DETECT_AL_TLS_NOTAFTER].RegisterTests = TlsNotAfterRegisterTests;
* \retval 1 match.
*/
static int DetectTlsValidityMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
+ Flow *f, uint8_t flags, void *state,
+ void *txv, const Signature *s,
+ const SigMatchCtx *ctx)
{
SCEnter();
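Review bot: The new signature replaces `SigMatch *m` with `void *txv` and `const SigMatchCtx *ctx`, but the doxygen block that ends on the `\retval 1 match.` context line above is not touched in this hunk; if it still lists `\param m`, it now documents a parameter that no longer exists. Add `\param txv` and `\param ctx` entries (and drop `\param m`) so the comment matches the AppLayerTxMatch contract the keyword is now registered under. The remainder of DetectTlsValidityMatch lies outside this hunk.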
else
connp = &ssl_state->server_connp;
- const DetectTlsValidityData *dd = (const DetectTlsValidityData *)m->ctx;
+ const DetectTlsValidityData *dd = (const DetectTlsValidityData *)ctx;
time_t cert_epoch = 0;
if (dd->type == DETECT_TLS_TYPE_NOTBEFORE)
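Review bot: `txv` is accepted by the new signature but not used here — the connection side is still taken from `state` (`ssl_state->server_connp`), so the match keys off the flow-wide SSL state rather than the transaction it was handed; for TLS these are presumably the same object, but the per-tx dispatch then adds nothing and a reader may wonder which one is authoritative. Separately, `cert_epoch` starts at 0 and is filled from the certificate field below (outside the hunk); unless there is an early return for a still-zero value, a comparison-based rule could match a handshake that has not yet delivered a certificate, depending on which comparison modes the keyword supports. A guard such as `if (cert_epoch == 0) SCReturnInt(0);` right after the assignment covers that; if it is already present further down, ignore this. DetectTlsValidityMatch begins and ends outside this hunk.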
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_TLS;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
+ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TLSVALIDITY_MATCH);
return 0;
DETECT_SM_LIST_TLSSNI_MATCH,
DETECT_SM_LIST_TLSISSUER_MATCH,
DETECT_SM_LIST_TLSSUBJECT_MATCH,
+ DETECT_SM_LIST_TLSVALIDITY_MATCH,
DETECT_SM_LIST_MODBUS_MATCH,