From: Pierre Chifflier
Date: Tue, 28 Feb 2012 14:08:43 +0000 (+0100)
Subject: Add TLS decode events
X-Git-Tag: suricata-1.3beta1~81
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3df341dbeb0cec1a83198fc7c22d4fb3be590480;p=thirdparty%2Fsuricata.git
Add TLS decode events
---
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 457d5413be..e32fd63257 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2011 Open Information Security Foundation
+/* Copyright (C) 2007-2012 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -43,6 +43,7 @@
 #include "app-layer-tls-handshake.h"
 #include "conf.h"
+#include "decode-events.h"
 #include "util-spm.h"
 #include "util-unittest.h"
@@ -52,6 +53,18 @@
 #include "util-byte.h"
+SCEnumCharMap tls_decoder_event_table[ ] = {
+ /* TLS protocol messages */
+ { "INVALID_SSLV2_HEADER", TLS_DECODER_EVENT_INVALID_SSLV2_HEADER },
+ { "INVALID_TLS_HEADER", TLS_DECODER_EVENT_INVALID_TLS_HEADER },
+ { "INVALID_RECORD_TYPE", TLS_DECODER_EVENT_INVALID_RECORD_TYPE },
+ { "INVALID_HANDSHAKE_MESSAGE", TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE },
+ /* Certificates decoding messages */
+ { "INVALID_CERTIFICATE", TLS_DECODER_EVENT_INVALID_CERTIFICATE },
+ { "CERTIFICATE_MISSING_FIELD", TLS_DECODER_EVENT_CERTIFICATE_MISSING_FIELD },
+ { NULL, -1 },
+};
+
 typedef struct SslConfig_ {
 int no_reassemble;
 } SslConfig;
@@ -445,7 +458,7 @@ static int SSLv2Decode(uint8_t direction, SSLState *ssl_state,
 if (ssl_state->bytes_processed < (ssl_state->record_lengths_length + 1)) {
 retval = SSLv2ParseRecord(direction, ssl_state, input, input_len);
 if (retval == -1) {
- SCLogDebug("Error parsing SSLv2Header");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSLV2_HEADER);
 return -1;
 } else {
 input += retval;
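Review bot: `tls_decoder_event_table` in the `@@ -52,6 +53,18 @@` hunk is defined with external linkage and without `const`, yet nothing in this commit declares it in a header; unless AppLayerDecoderEventsModuleRegister needs a writable table or another translation unit references it, `static const SCEnumCharMap tls_decoder_event_table[] = {` would keep it out of the global namespace and in read-only data. The table is also the only place the event names are spelled, while the numeric values live in an enum in app-layer-ssl.h, so a comment above it such as `/* one entry per TLS_DECODER_EVENT_* value in app-layer-ssl.h; the { NULL, -1 } sentinel must stay last */` would tell the next person adding an event that both places need a line.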
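Review bot: Every new `AppLayerDecoderEventsSetEvent(ssl_state->f, …)` call in this hunk, and likewise in the `@@ -654`, `@@ -696` and `@@ -716` hunks, dereferences a field that is only populated by SSLDecode(); SSLv2Decode and SSLv3Decode are static, so if anything else reaches them (a unit test calling them directly, or a state that never went through SSLDecode), `f` is whatever SSLStateAlloc left in the field. A precondition note on both decoders would make that contract visible, e.g. `/* requires ssl_state->f to have been set by SSLDecode() */` above each. The SCLogDebug text the event replaces was the only place the failure reason was spelled out; if SCLogDebug compiles out of release builds as usual, keeping it beside the event costs nothing. The enclosing SSLv2Decode body starts and ends outside the hunk.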
@@ -462,6 +475,7 @@ static int SSLv2Decode(uint8_t direction, SSLState *ssl_state,
 SCLogWarning(SC_ERR_ALPARSER, "SSLV2_MT_ERROR msg_type received. " "Error encountered in establishing the sslv2 " "session, may be version");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE);
 break;
@@ -654,7 +668,7 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state,
 if (ssl_state->bytes_processed < SSLV3_RECORD_LEN) {
 retval = SSLv3ParseRecord(direction, ssl_state, input, input_len);
 if (retval == -1) {
- SCLogDebug("Error parsing SSLv3Header");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_TLS_HEADER);
 return -1;
 } else {
 parsed += retval;
@@ -696,7 +710,7 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state,
 retval = SSLv3ParseHandshakeProtocol(ssl_state, input + parsed, input_len);
 if (retval == -1) {
- SCLogDebug("Error parsing SSLv3.x. Let's get outta here");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE);
 return -1;
 } else {
 if ((uint32_t)retval > input_len) {
@@ -716,7 +730,7 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state,
 break;
 default:
- SCLogDebug("Bad ssl record type");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_RECORD_TYPE);
 return -1;
 }
@@ -757,13 +771,15 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state,
 *
 * \retval >=0 On success.
 */
-static int SSLDecode(uint8_t direction, void *alstate, AppLayerParserState *pstate,
+static int SSLDecode(Flow *f, uint8_t direction, void *alstate, AppLayerParserState *pstate,
 uint8_t *input, uint32_t input_len)
 {
 SSLState *ssl_state = (SSLState *)alstate;
 int retval = 0;
 uint8_t counter = 0;
+
+ ssl_state->f = f;
+
 /* if we have more than one record */
 while (input_len) {
 if (counter++ == 30) {
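Review bot: The event raised after the SSLV2_MT_ERROR warning is TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE, but by the warning's own text the message being handled is a well-formed SSLv2 error message from the peer rather than a malformed one, so a rule matching on this event cannot tell a peer-reported failure from a parser failure. If that reading is right, a dedicated enumerator (constructed name: `TLS_DECODER_EVENT_SSLV2_ERROR_MESSAGE`) with its own table entry would keep the existing event's meaning sharp. The SCLogWarning on this path also fires once per message on peer-controlled input, which can flood the log; now that the condition is an event, SCLogDebug would be the usual level. The enclosing switch starts and ends outside the hunk.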
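Review bot: SSLDecode gains a `Flow *f` parameter in the `@@ -757,13 +771,15 @@` hunk, but the doc comment just above (its head is outside the hunk) still documents only `\retval`, so the new parameter and the new side effect on the state go unrecorded; add `\param f Flow the records belong to; stored in ssl_state->f so the SSLv2/SSLv3 decoders and the handshake decoder can raise decoder events against it.` beside the other `\param` lines. `ssl_state->f = f;` is assigned unconditionally with no NULL check; if the app-layer parser API guarantees a non-NULL flow here, a one-line comment saying so would save the next reader the search. SSLDecode's body continues outside the hunk.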
@@ -870,14 +886,14 @@ int SSLParseClientRecord(Flow *f, void *alstate, AppLayerParserState *pstate,
 uint8_t *input, uint32_t input_len, void *local_data,
 AppLayerParserResult *output)
 {
- return SSLDecode(0 /* toserver */, alstate, pstate, input, input_len);
+ return SSLDecode(f, 0 /* toserver */, alstate, pstate, input, input_len);
 }
 int SSLParseServerRecord(Flow *f, void *alstate, AppLayerParserState *pstate,
 uint8_t *input, uint32_t input_len, void *local_data,
 AppLayerParserResult *output)
 {
- return SSLDecode(1 /* toclient */, alstate, pstate, input, input_len);
+ return SSLDecode(f, 1 /* toclient */, alstate, pstate, input, input_len);
 }
 /**
@@ -947,6 +963,7 @@ void RegisterSSLParsers(void)
 AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT, SSLParseServerRecord);
+ AppLayerDecoderEventsModuleRegister(ALPROTO_TLS, tls_decoder_event_table);
 AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
index 7853b3f567..21309108d0 100644
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2010 Open Information Security Foundation
+/* Copyright (C) 2007-2012 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -19,12 +19,26 @@
 * \file
 *
 * \author Anoop Saldanha
+ * \author Pierre Chifflier
 *
 */
 #ifndef __APP_LAYER_SSL_H__
 #define __APP_LAYER_SSL_H__
+#include "decode-events.h"
+
+enum {
+ /* TLS protocol messages */
+ TLS_DECODER_EVENT_INVALID_SSLV2_HEADER,
+ TLS_DECODER_EVENT_INVALID_TLS_HEADER,
+ TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
+ TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE,
+ /* Certificates decoding messages */
+ TLS_DECODER_EVENT_INVALID_CERTIFICATE,
+ TLS_DECODER_EVENT_CERTIFICATE_MISSING_FIELD,
+};
+
 /* Flag to indicate that server will now on send encrypted msgs */
 #define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC 0x0001
 /* Flag to indicate that client will now on send encrypted msgs */
@@ -64,6 +78,8 @@ enum {
 * Structure to store the SSL state values.
 */
 typedef struct SSLState_ {
+ Flow *f;
+
 /* record length */
 uint32_t record_length;
 /* record length's length for SSLv2 */
diff --git a/src/app-layer-tls-handshake.c b/src/app-layer-tls-handshake.c
index a7e2f7f189..a2f6a3a9ab 100644
--- a/src/app-layer-tls-handshake.c
+++ b/src/app-layer-tls-handshake.c
@@ -38,6 +38,9 @@
 #include "debug.h"
 #include "decode.h"
+#include "app-layer-parser.h"
+#include "decode-events.h"
+
 #include "app-layer-ssl.h"
 #include "app-layer-tls-handshake.h"
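Review bot: The new anonymous enum in the `@@ -19,12 +19,26 @@` hunk is the event set that rules and `tls_decoder_event_table` in app-layer-ssl.c refer to, but nothing says the two must be edited together or that the events are registered by name; a comment above it such as `/* TLS decoder events; every value needs a matching name in tls_decoder_event_table (app-layer-ssl.c) */` would catch the usual omission. Giving the enum a tag (constructed name: `enum TlsDecoderEvent {`) would also let the table and the set-event calls carry a real type instead of `int`. Because the table's sentinel is `{ NULL, -1 }`, the enumerators must stay non-negative, which the implicit numbering from 0 currently guarantees and is worth stating in the same comment.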
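Review bot: `Flow *f;` is added to SSLState in the `@@ -64,6 +78,8 @@` hunk without a comment while every neighbouring field carries one, and `Flow` is a type this header did not previously name; the only include added is decode-events.h, so the declaration compiles only if that header (or an earlier include) brings Flow in, which deserves an explicit forward declaration or include rather than a transitive one. Suggested field comment, matching the file's style: `/* flow this state belongs to; refreshed by SSLDecode() on every call and used to raise decoder events */`. The struct definition continues outside the hunk.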
@@ -117,16 +120,19 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
 if (input - start_data + cur_cert_length > input_len) {
 SCLogWarning(SC_ERR_ALPARSER, "ASN.1 structure contains invalid length\n");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_CERTIFICATE);
 return -1;
 }
 cert = DecodeDer(input, cur_cert_length);
 if (cert == NULL) {
 SCLogWarning(SC_ERR_ALPARSER, "decoding ASN.1 structure for X509 certificate failed\n");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_CERTIFICATE);
 }
 if (cert != NULL) {
 rc = Asn1DerGetSubjectDN(cert, buffer, sizeof(buffer));
 if (rc != 0) {
 SCLogWarning(SC_ERR_ALPARSER, "X509: could not get subject\n");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_CERTIFICATE_MISSING_FIELD);
 } else {
 //SCLogInfo("TLS Cert %d: %s\n", i, buffer);
 if (i==0) {
@@ -136,6 +142,7 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
 rc = Asn1DerGetIssuerDN(cert, buffer, sizeof(buffer));
 if (rc != 0) {
 SCLogWarning(SC_ERR_ALPARSER, "X509: could not get issuerdn\n");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_CERTIFICATE_MISSING_FIELD);
 } else {
 //SCLogInfo("TLS IssuerDN %d: %s\n", i, buffer);
 if (i==0) {
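Review bot: The three new AppLayerDecoderEventsSetEvent calls in this hunk (and the one in `@@ -136,6 +142,7 @@`) sit next to SCLogWarning calls that fire once per certificate on peer-supplied data, so a single malformed chain now both raises the event and spams the warning log; the SSLv2/SSLv3 hunks in app-layer-ssl.c dropped the log line in favour of the event, and doing the same here (or dropping to SCLogDebug) would keep the two files consistent and the log quiet on bad input. Note too that after DecodeDer fails the function carries on: the event is set but there is no `return -1;`, so the `if (cert != NULL)` block is skipped and the loop presumably moves past the certificate—fine if intended, but worth a comment such as `/* undecodable certificate: record the event and skip it rather than abort the handshake */` at the `if (cert == NULL)` branch. DecodeTLSHandshakeServerCertificate starts and ends outside the hunk.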