From: Mats Klepsland Date: Thu, 15 Nov 2018 22:01:42 +0000 (+0100) Subject: lua: add Ja3SGetString function X-Git-Tag: suricata-5.0.0-rc1~467 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03e8e658d7daffd298ea3acd59bff8f79763a682;p=thirdparty%2Fsuricata.git lua: add Ja3SGetString function Add Ja3SGetString() to return the content of the JA3S string buffer from the TLS session. Example: function init (args) local needs = {} needs["protocol"] = "tls" return needs end function setup (args) filename = SCLogPath() .. "/ja3s_string.log" file = assert(io.open(filename, "a")) end function log (args) ja3s_string = Ja3SGetString() if ja3s_string == nil then return end file:write(ja3s_string .. "\n") file:flush() end function deinit (args) file:close() end
---
diff --git a/src/util-lua-ja3.c b/src/util-lua-ja3.c
index c538be5271..3143f30816 100644
--- a/src/util-lua-ja3.c
+++ b/src/util-lua-ja3.c
@@ -128,6 +128,30 @@ static int Ja3SGetHash(lua_State *luastate)
 strlen(ssl_state->server_connp.ja3_hash));
 }
+static int Ja3SGetString(lua_State *luastate)
+{
+ if (!(LuaStateNeedProto(luastate, ALPROTO_TLS)))
+ return LuaCallbackError(luastate, "error: protocol is not tls");
+
+ Flow *f = LuaStateGetFlow(luastate);
+ if (f == NULL)
+ return LuaCallbackError(luastate, "internal error: no flow");
+
+ void *state = FlowGetAppState(f);
+ if (state == NULL)
+ return LuaCallbackError(luastate, "error: no app layer state");
+
+ SSLState *ssl_state = (SSLState *)state;
+
+ if (ssl_state->server_connp.ja3_str == NULL ||
+ ssl_state->server_connp.ja3_str->data == NULL)
+ return LuaCallbackError(luastate, "error: no JA3S str");
+
+ return LuaPushStringBuffer(luastate,
+ (uint8_t *)ssl_state->server_connp.ja3_str->data,
+ ssl_state->server_connp.ja3_str->used);
+}
+
 /** *\brief Register JA3 Lua extensions */
 int LuaRegisterJa3Functions(lua_State *luastate)
 {
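Review bot: Ja3SGetString is added with no doc comment, although LuaRegisterJa3Functions directly below carries a `\brief`, so the error contract has to be read off the four LuaCallbackError returns. I would add something like `/** \brief Push the server-side JA3S string of the current TLS flow onto the Lua stack; returns through LuaCallbackError when the protocol check fails or the flow, app-layer state or JA3S buffer is missing */`. The comment should also say that the pushed length is `ja3_str->used`, because the sibling Ja3SGetHash (only its last lines are visible in this hunk) uses `strlen()` on `ja3_hash` and a reader will wonder whether `used` counts a terminator. The proto/flow/state prologue appears to repeat what Ja3SGetHash does, so a small static helper returning the `SSLState *` may be worth a follow-up.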
@@ -140,6 +164,9 @@ int LuaRegisterJa3Functions(lua_State *luastate)
 lua_pushcfunction(luastate, Ja3SGetHash);
 lua_setglobal(luastate, "Ja3SGetHash");
+ lua_pushcfunction(luastate, Ja3SGetString);
+ lua_setglobal(luastate, "Ja3SGetString");
+
 return 0;
 }