From: Mats Klepsland
Date: Sat, 24 Mar 2018 22:00:33 +0000 (+0100)
Subject: detect-tls-cert-fingerprint: add warning if nocase is used
X-Git-Tag: suricata-4.1.0-rc1~100
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c5d5bbdaa994119a5847eac0b2c188715981d51;p=thirdparty%2Fsuricata.git

detect-tls-cert-fingerprint: add warning if nocase is used
---

diff --git a/src/detect-tls-cert-fingerprint.c b/src/detect-tls-cert-fingerprint.c
index 4cb2127175..a2fd47cf7d 100644
--- a/src/detect-tls-cert-fingerprint.c
+++ b/src/detect-tls-cert-fingerprint.c
@@ -154,7 +154,7 @@ static _Bool DetectTlsFingerprintValidateCallback(const Signature *s,
 if (sm->type != DETECT_CONTENT)
 continue;

- DetectContentData *cd = (DetectContentData *)sm->ctx;
+ const DetectContentData *cd = (DetectContentData *)sm->ctx;

 if (cd->content_len != 59) {
 *sigerror = "Invalid length of the specified fingerprint. "
@@ -181,6 +181,12 @@ static _Bool DetectTlsFingerprintValidateCallback(const Signature *s,
 return FALSE;
 }

+ if (cd->flags & DETECT_CONTENT_NOCASE) {
+ *sigerror = "tls_cert_fingerprint should not be used together "
+ "with nocase, since the rule is automatically "
+ "lowercased anyway which makes nocase redundant.";
+ SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+ }
 }

 return TRUE;
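Review bot: The added nocase branch in the second hunk stores its message in `*sigerror` and then falls through to `return TRUE`, while the visible branch just above it ends in `return FALSE`. Whether callers read `*sigerror` after a TRUE result is not visible here, but if they do, an accepted rule would carry an error string that looks like a rejection. Keeping the advisory in a local avoids this: `const char *warn = "...";` followed by `SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, warn);`. If writing to `*sigerror` is intended, a comment such as `/* advisory only: the rule is still accepted */` above the branch would make that explicit. The function body starts and ends outside the hunk.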