From: Victor Julien Date: Thu, 16 Jan 2025 11:32:40 +0000 (+0100) Subject: tls: introduce per direction progress tracking X-Git-Tag: suricata-8.0.0-beta1~35 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=780aeee55c6973cfeeb36c7494e29d324854679e;p=thirdparty%2Fsuricata.git tls: introduce per direction progress tracking Per direction track progress to be able to have more fine grained control over where the detection engines and logging hooks in. --- diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index 331c56895a..c54ad90c24 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c @@ -292,30 +292,36 @@ static uint64_t SSLGetTxCnt(void *state) return 1; } -static int SSLGetAlstateProgress(void *tx, uint8_t direction) +static void UpdateClientState(SSLState *ssl_state, enum TlsStateClient s) { - SSLState *ssl_state = (SSLState *)tx; - - /* we don't care about direction, only that app-layer parser is done - and have sent an EOF */ - if (ssl_state->flags & SSL_AL_FLAG_STATE_FINISHED) { - return TLS_STATE_FINISHED; - } +#ifdef DEBUG + enum TlsStateClient old = ssl_state->client_state; +#endif + ssl_state->client_state = s; +#ifdef DEBUG + SCLogDebug("toserver: state updated to %u from %u", s, old); +#endif +} - /* we want the logger to log when the handshake is done, even if the - state is not finished */ - if (ssl_state->flags & SSL_AL_FLAG_HANDSHAKE_DONE) { - return TLS_HANDSHAKE_DONE; - } +static void UpdateServerState(SSLState *ssl_state, enum TlsStateServer s) +{ +#ifdef DEBUG + enum TlsStateServer old = ssl_state->server_state; +#endif + ssl_state->server_state = s; +#ifdef DEBUG + SCLogDebug("toclient: state updated to %u from %u", s, old); +#endif +} - if (direction == STREAM_TOSERVER && - (ssl_state->server_connp.cert0_subject != NULL || - ssl_state->server_connp.cert0_issuerdn != NULL)) - { - return TLS_STATE_CERT_READY; +static int SSLGetAlstateProgress(void *tx, uint8_t direction) +{ + SSLState *ssl_state = (SSLState *)tx; + if (direction & STREAM_TOCLIENT) { + return ssl_state->server_state; + } else { + return ssl_state->client_state; } - - return TLS_STATE_IN_PROGRESS; } static AppLayerTxData *SSLGetTxData(void *vtx) @@ -1610,6 +1616,11 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, ssl_state->curr_connp->ja3_hash = Ja3GenerateHash(ssl_state->curr_connp->ja3_str); } + if (ssl_state->curr_connp == &ssl_state->client_connp) { + UpdateClientState(ssl_state, TLS_STATE_CLIENT_HELLO_DONE); + } else { + UpdateServerState(ssl_state, TLS_STATE_SERVER_HELLO); + } end: return 0; } @@ -1636,6 +1647,11 @@ static inline int SSLv3ParseHandshakeTypeCertificate(SSLState *ssl_state, SSLSta SSLParserHSReset(connp); /* fall through to still consume the cert bytes */ } + if (connp == &ssl_state->client_connp) { + UpdateClientState(ssl_state, TLS_STATE_CLIENT_CERT_DONE); + } else { + UpdateServerState(ssl_state, TLS_STATE_SERVER_CERT_DONE); + } return input_len; } @@ -1704,7 +1720,6 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input, break; case SSLV3_HS_CERTIFICATE: - rc = SSLv3ParseHandshakeTypeCertificate(ssl_state, direction ? &ssl_state->server_connp : &ssl_state->client_connp, initial_input, input_len); @@ -1728,6 +1743,9 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input, SCLogDebug("new session ticket"); break; case SSLV3_HS_SERVER_HELLO_DONE: + if (direction) { + UpdateServerState(ssl_state, TLS_STATE_SERVER_HELLO_DONE); + } break; default: SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD); @@ -1940,7 +1958,8 @@ static int SSLv3ParseAlertProtocol( /* if level Fatal, we consider the tx finished */ if (level == 2) { - ssl_state->flags |= SSL_AL_FLAG_STATE_FINISHED; + UpdateClientState(ssl_state, TLS_STATE_CLIENT_FINISHED); + UpdateServerState(ssl_state, TLS_STATE_SERVER_FINISHED); } } return 0; @@ -2323,6 +2342,7 @@ static struct SSLDecoderResult SSLv2Decode(uint8_t direction, SSLState *ssl_stat ssl_state->current_flags = SSL_AL_FLAG_STATE_CLIENT_HELLO; ssl_state->current_flags |= SSL_AL_FLAG_SSL_CLIENT_HS; + UpdateClientState(ssl_state, TLS_STATE_CLIENT_HELLO_DONE); const uint16_t version = (uint16_t)(input[0] << 8) | input[1]; SCLogDebug("SSLv2: version %04x", version); @@ -2352,6 +2372,7 @@ static struct SSLDecoderResult SSLv2Decode(uint8_t direction, SSLState *ssl_stat } else { ssl_state->current_flags = SSL_AL_FLAG_STATE_CLIENT_KEYX; } + UpdateServerState(ssl_state, TLS_STATE_SERVER_CERT_DONE); /* fall through */ case SSLV2_MT_SERVER_VERIFY: @@ -2404,6 +2425,7 @@ static struct SSLDecoderResult SSLv2Decode(uint8_t direction, SSLState *ssl_stat case SSLV2_MT_SERVER_HELLO: ssl_state->current_flags = SSL_AL_FLAG_STATE_SERVER_HELLO; ssl_state->current_flags |= SSL_AL_FLAG_SSL_SERVER_HS; + UpdateServerState(ssl_state, TLS_STATE_SERVER_HELLO); break; } @@ -2570,6 +2592,9 @@ static struct SSLDecoderResult SSLv3Decode(uint8_t direction, SSLState *ssl_stat ssl_state->flags |= SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC; } else { ssl_state->flags |= SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC; + + // TODO TLS 1.3 + UpdateClientState(ssl_state, TLS_STATE_CLIENT_HANDSHAKE_DONE); } break; @@ -2595,7 +2620,11 @@ static struct SSLDecoderResult SSLv3Decode(uint8_t direction, SSLState *ssl_stat /* if we see (encrypted) application data, then this means the handshake must be done */ - ssl_state->flags |= SSL_AL_FLAG_HANDSHAKE_DONE; + if (ssl_state->curr_connp == &ssl_state->client_connp) { + UpdateClientState(ssl_state, TLS_STATE_CLIENT_HANDSHAKE_DONE); + } else { + UpdateServerState(ssl_state, TLS_STATE_SERVER_HANDSHAKE_DONE); + } if (ssl_config.encrypt_mode != SSL_CNF_ENC_HANDLE_FULL) { SCLogDebug("setting APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD"); @@ -2723,7 +2752,10 @@ static AppLayerResult SSLDecode(Flow *f, uint8_t direction, void *alstate, (direction == 1 && AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TC)))) { /* flag session as finished if APP_LAYER_PARSER_EOF is set */ - ssl_state->flags |= SSL_AL_FLAG_STATE_FINISHED; + if (direction == 0) + UpdateClientState(ssl_state, TLS_STATE_CLIENT_FINISHED); + else + UpdateServerState(ssl_state, TLS_STATE_SERVER_FINISHED); SCReturnStruct(APP_LAYER_OK); } else if (input == NULL || input_len == 0) { SCReturnStruct(APP_LAYER_ERROR); @@ -2831,19 +2863,22 @@ static AppLayerResult SSLDecode(Flow *f, uint8_t direction, void *alstate, /* mark handshake as done if we have subject and issuer */ if ((ssl_state->flags & SSL_AL_FLAG_NEED_CLIENT_CERT) && ssl_state->client_connp.cert0_subject && ssl_state->client_connp.cert0_issuerdn) { - SCLogDebug("SSL_AL_FLAG_HANDSHAKE_DONE"); - ssl_state->flags |= SSL_AL_FLAG_HANDSHAKE_DONE; + /* update both sides to keep existing behavior */ + UpdateClientState(ssl_state, TLS_STATE_CLIENT_HANDSHAKE_DONE); + UpdateServerState(ssl_state, TLS_STATE_SERVER_HANDSHAKE_DONE); } else if ((ssl_state->flags & SSL_AL_FLAG_NEED_CLIENT_CERT) == 0 && ssl_state->server_connp.cert0_subject && ssl_state->server_connp.cert0_issuerdn) { - SCLogDebug("SSL_AL_FLAG_HANDSHAKE_DONE"); - ssl_state->flags |= SSL_AL_FLAG_HANDSHAKE_DONE; + /* update both sides to keep existing behavior */ + UpdateClientState(ssl_state, TLS_STATE_CLIENT_HANDSHAKE_DONE); + UpdateServerState(ssl_state, TLS_STATE_SERVER_HANDSHAKE_DONE); } /* flag session as finished if APP_LAYER_PARSER_EOF is set */ if (AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TS) && AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TC)) { - SCLogDebug("SSL_AL_FLAG_STATE_FINISHED"); - ssl_state->flags |= SSL_AL_FLAG_STATE_FINISHED; + /* update both sides to keep existing behavior */ + UpdateClientState(ssl_state, TLS_STATE_CLIENT_FINISHED); + UpdateServerState(ssl_state, TLS_STATE_SERVER_FINISHED); } return APP_LAYER_OK; @@ -3307,7 +3342,7 @@ void RegisterSSLParsers(void) AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_TLS, SSLGetAlstateProgress); AppLayerParserRegisterStateProgressCompletionStatus( - ALPROTO_TLS, TLS_STATE_FINISHED, TLS_STATE_FINISHED); + ALPROTO_TLS, TLS_STATE_CLIENT_FINISHED, TLS_STATE_SERVER_FINISHED); SCConfNode *enc_handle = SCConfGetNode("app-layer.protocols.tls.encryption-handling"); if (enc_handle != NULL && enc_handle->val != NULL) { diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h index 8ad65f886f..2d136f6f01 100644 --- a/src/app-layer-ssl.h +++ b/src/app-layer-ssl.h @@ -74,11 +74,21 @@ enum { TLS_DECODER_EVENT_INVALID_SSL_RECORD, }; -enum { - TLS_STATE_IN_PROGRESS = 0, - TLS_STATE_CERT_READY = 1, - TLS_HANDSHAKE_DONE = 2, - TLS_STATE_FINISHED = 3 +enum TlsStateClient { + TLS_STATE_CLIENT_IN_PROGRESS = 0, + TLS_STATE_CLIENT_HELLO_DONE, + TLS_STATE_CLIENT_CERT_DONE, + TLS_STATE_CLIENT_HANDSHAKE_DONE, + TLS_STATE_CLIENT_FINISHED, +}; + +enum TlsStateServer { + TLS_STATE_SERVER_IN_PROGRESS = 0, + TLS_STATE_SERVER_HELLO, + TLS_STATE_SERVER_CERT_DONE, + TLS_STATE_SERVER_HELLO_DONE, + TLS_STATE_SERVER_HANDSHAKE_DONE, + TLS_STATE_SERVER_FINISHED, }; /* Flag to indicate that server will now on send encrypted msgs */ @@ -102,17 +112,11 @@ enum { #define SSL_AL_FLAG_STATE_SERVER_KEYX BIT_U32(12) #define SSL_AL_FLAG_STATE_UNKNOWN BIT_U32(13) -/* flag to indicate that session is finished */ -#define SSL_AL_FLAG_STATE_FINISHED BIT_U32(14) - /* flags specific to HeartBeat state */ #define SSL_AL_FLAG_HB_INFLIGHT BIT_U32(15) #define SSL_AL_FLAG_HB_CLIENT_INIT BIT_U32(16) #define SSL_AL_FLAG_HB_SERVER_INIT BIT_U32(17) -/* flag to indicate that handshake is done */ -#define SSL_AL_FLAG_HANDSHAKE_DONE BIT_U32(18) - /* Session resumed without a full handshake */ #define SSL_AL_FLAG_SESSION_RESUMED BIT_U32(20) @@ -312,6 +316,9 @@ typedef struct SSLState_ { SSLStateConnp *curr_connp; + enum TlsStateClient client_state; + enum TlsStateServer server_state; + SSLStateConnp client_connp; SSLStateConnp server_connp; } SSLState; diff --git a/src/detect-tls-alpn.c b/src/detect-tls-alpn.c index ccee33b14b..f7907ec713 100644 --- a/src/detect-tls-alpn.c +++ b/src/detect-tls-alpn.c @@ -70,10 +70,10 @@ void DetectTlsAlpnRegister(void) sigmatch_table[DETECT_TLS_ALPN].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_TLS_ALPN].flags |= SIGMATCH_INFO_STICKY_BUFFER; - DetectAppLayerMultiRegister("tls.alpn", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, TlsAlpnGetData, 2, - TLS_STATE_IN_PROGRESS); - DetectAppLayerMultiRegister( - "tls.alpn", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0, TlsAlpnGetData, 2, TLS_STATE_CERT_READY); + DetectAppLayerMultiRegister("tls.alpn", ALPROTO_TLS, SIG_FLAG_TOSERVER, + TLS_STATE_CLIENT_HELLO_DONE, TlsAlpnGetData, 2, TLS_STATE_CLIENT_HELLO_DONE); + DetectAppLayerMultiRegister("tls.alpn", ALPROTO_TLS, SIG_FLAG_TOCLIENT, TLS_STATE_SERVER_HELLO, + TlsAlpnGetData, 2, TLS_STATE_SERVER_HELLO); DetectBufferTypeSetDescriptionByName("tls.alpn", "TLS APLN"); diff --git a/src/detect-tls-cert-fingerprint.c b/src/detect-tls-cert-fingerprint.c index 414819094e..3500c5f90a 100644 --- a/src/detect-tls-cert-fingerprint.c +++ b/src/detect-tls-cert-fingerprint.c @@ -85,16 +85,16 @@ void DetectTlsFingerprintRegister(void) sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("tls.cert_fingerprint", ALPROTO_TLS, SIG_FLAG_TOCLIENT, - TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); + TLS_STATE_SERVER_CERT_DONE, DetectEngineInspectBufferGeneric, GetData); DetectAppLayerMpmRegister("tls.cert_fingerprint", SIG_FLAG_TOCLIENT, 2, - PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, TLS_STATE_CERT_READY); + PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, TLS_STATE_SERVER_CERT_DONE); DetectAppLayerInspectEngineRegister("tls.cert_fingerprint", ALPROTO_TLS, SIG_FLAG_TOSERVER, - TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); + TLS_STATE_CLIENT_CERT_DONE, DetectEngineInspectBufferGeneric, GetData); DetectAppLayerMpmRegister("tls.cert_fingerprint", SIG_FLAG_TOSERVER, 2, - PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, TLS_STATE_CERT_READY); + PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, TLS_STATE_CLIENT_CERT_DONE); DetectBufferTypeSetDescriptionByName("tls.cert_fingerprint", "TLS certificate fingerprint"); diff --git a/src/detect-tls-cert-issuer.c b/src/detect-tls-cert-issuer.c index fcdef7f478..340abf2fab 100644 --- a/src/detect-tls-cert-issuer.c +++ b/src/detect-tls-cert-issuer.c @@ -80,16 +80,16 @@ void DetectTlsIssuerRegister(void) sigmatch_table[DETECT_TLS_CERT_ISSUER].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("tls.cert_issuer", ALPROTO_TLS, SIG_FLAG_TOSERVER, - TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); + TLS_STATE_CLIENT_CERT_DONE, DetectEngineInspectBufferGeneric, GetData); DetectAppLayerMpmRegister("tls.cert_issuer", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_TLS, TLS_STATE_CERT_READY); + GetData, ALPROTO_TLS, TLS_STATE_CLIENT_CERT_DONE); DetectAppLayerInspectEngineRegister("tls.cert_issuer", ALPROTO_TLS, SIG_FLAG_TOCLIENT, - TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); + TLS_STATE_SERVER_CERT_DONE, DetectEngineInspectBufferGeneric, GetData); DetectAppLayerMpmRegister("tls.cert_issuer", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_TLS, TLS_STATE_CERT_READY); + GetData, ALPROTO_TLS, TLS_STATE_SERVER_CERT_DONE); DetectBufferTypeSetDescriptionByName("tls.cert_issuer", "TLS certificate issuer"); diff --git a/src/detect-tls-cert-serial.c b/src/detect-tls-cert-serial.c index 0ac1ec39c1..f022170427 100644 --- a/src/detect-tls-cert-serial.c +++ b/src/detect-tls-cert-serial.c @@ -84,16 +84,16 @@ void DetectTlsSerialRegister(void) sigmatch_table[DETECT_TLS_CERT_SERIAL].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("tls.cert_serial", ALPROTO_TLS, SIG_FLAG_TOCLIENT, - TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); + TLS_STATE_SERVER_CERT_DONE, DetectEngineInspectBufferGeneric, GetData); DetectAppLayerMpmRegister("tls.cert_serial", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_TLS, TLS_STATE_CERT_READY); + GetData, ALPROTO_TLS, TLS_STATE_SERVER_CERT_DONE); DetectAppLayerInspectEngineRegister("tls.cert_serial", ALPROTO_TLS, SIG_FLAG_TOSERVER, - TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); + TLS_STATE_CLIENT_CERT_DONE, DetectEngineInspectBufferGeneric, GetData); DetectAppLayerMpmRegister("tls.cert_serial", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_TLS, TLS_STATE_CERT_READY); + GetData, ALPROTO_TLS, TLS_STATE_CLIENT_CERT_DONE); DetectBufferTypeSetDescriptionByName("tls.cert_serial", "TLS certificate serial number"); diff --git a/src/detect-tls-cert-subject.c b/src/detect-tls-cert-subject.c index 86193052c4..55dc976e24 100644 --- a/src/detect-tls-cert-subject.c +++ b/src/detect-tls-cert-subject.c @@ -80,16 +80,16 @@ void DetectTlsSubjectRegister(void) sigmatch_table[DETECT_TLS_CERT_SUBJECT].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("tls.cert_subject", ALPROTO_TLS, SIG_FLAG_TOSERVER, - TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); + TLS_STATE_CLIENT_CERT_DONE, DetectEngineInspectBufferGeneric, GetData); DetectAppLayerMpmRegister("tls.cert_subject", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_TLS, TLS_STATE_CERT_READY); + GetData, ALPROTO_TLS, TLS_STATE_CLIENT_CERT_DONE); DetectAppLayerInspectEngineRegister("tls.cert_subject", ALPROTO_TLS, SIG_FLAG_TOCLIENT, - TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); + TLS_STATE_SERVER_CERT_DONE, DetectEngineInspectBufferGeneric, GetData); DetectAppLayerMpmRegister("tls.cert_subject", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, - GetData, ALPROTO_TLS, TLS_STATE_CERT_READY); + GetData, ALPROTO_TLS, TLS_STATE_SERVER_CERT_DONE); DetectBufferTypeSupportsMultiInstance("tls.cert_subject"); diff --git a/src/detect-tls-certs.c b/src/detect-tls-certs.c index 4bdd52d529..90193df5d7 100644 --- a/src/detect-tls-certs.c +++ b/src/detect-tls-certs.c @@ -122,10 +122,10 @@ void DetectTlsCertsRegister(void) sigmatch_table[DETECT_TLS_CERTS].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_TLS_CERTS].flags |= SIGMATCH_INFO_STICKY_BUFFER; - DetectAppLayerMultiRegister("tls.certs", ALPROTO_TLS, SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY, - TlsCertsGetData, 2, 1); - DetectAppLayerMultiRegister("tls.certs", ALPROTO_TLS, SIG_FLAG_TOSERVER, TLS_STATE_CERT_READY, - TlsCertsGetData, 2, 1); + DetectAppLayerMultiRegister("tls.certs", ALPROTO_TLS, SIG_FLAG_TOCLIENT, + TLS_STATE_SERVER_CERT_DONE, TlsCertsGetData, 2, 1); + DetectAppLayerMultiRegister("tls.certs", ALPROTO_TLS, SIG_FLAG_TOSERVER, + TLS_STATE_CLIENT_CERT_DONE, TlsCertsGetData, 2, 1); DetectBufferTypeSetDescriptionByName("tls.certs", "TLS certificate"); @@ -253,7 +253,7 @@ void DetectTlsCertChainLenRegister(void) sigmatch_table[KEYWORD_ID].Free = DetectTLSCertChainLenFree; DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_TLS, SIG_FLAG_TOCLIENT, - TLS_STATE_CERT_READY, DetectEngineInspectGenericList, NULL); + TLS_STATE_SERVER_CERT_DONE, DetectEngineInspectGenericList, NULL); g_tls_cert_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); } diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c index 0f7a957b8b..7905e67c59 100644 --- a/src/detect-tls-sni.c +++ b/src/detect-tls-sni.c @@ -73,11 +73,11 @@ void DetectTlsSniRegister(void) sigmatch_table[DETECT_TLS_SNI].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_TLS_SNI].flags |= SIGMATCH_INFO_STICKY_BUFFER; - DetectAppLayerInspectEngineRegister("tls.sni", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, - DetectEngineInspectBufferGeneric, GetData); + DetectAppLayerInspectEngineRegister("tls.sni", ALPROTO_TLS, SIG_FLAG_TOSERVER, + TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerMpmRegister( - "tls.sni", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0); + DetectAppLayerMpmRegister("tls.sni", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, + ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE); DetectBufferTypeSetDescriptionByName("tls.sni", "TLS Server Name Indication (SNI) extension"); diff --git a/src/detect-tls-subjectaltname.c b/src/detect-tls-subjectaltname.c index 80455d6d23..2bc1b3e411 100644 --- a/src/detect-tls-subjectaltname.c +++ b/src/detect-tls-subjectaltname.c @@ -72,7 +72,7 @@ void DetectTlsSubjectAltNameRegister(void) sigmatch_table[DETECT_TLS_SUBJECTALTNAME].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerMultiRegister("tls.subjectaltname", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0, - TlsSubjectAltNameGetData, 2, TLS_STATE_CERT_READY); + TlsSubjectAltNameGetData, 2, TLS_STATE_SERVER_CERT_DONE); DetectBufferTypeSetDescriptionByName("tls.subjectaltname", "TLS Subject Alternative Name"); diff --git a/src/detect-tls.c b/src/detect-tls.c index a0e423dbe0..b16c3db303 100644 --- a/src/detect-tls.c +++ b/src/detect-tls.c @@ -144,10 +144,10 @@ void DetectTlsRegister (void) g_tls_cert_fingerprint_list_id = DetectBufferTypeRegister("tls.cert_fingerprint"); DetectAppLayerInspectEngineRegister("tls_cert", ALPROTO_TLS, SIG_FLAG_TOCLIENT, - TLS_STATE_CERT_READY, DetectEngineInspectGenericList, NULL); + TLS_STATE_SERVER_CERT_DONE, DetectEngineInspectGenericList, NULL); DetectAppLayerInspectEngineRegister("tls_cert", ALPROTO_TLS, SIG_FLAG_TOSERVER, - TLS_STATE_CERT_READY, DetectEngineInspectGenericList, NULL); + TLS_STATE_CLIENT_CERT_DONE, DetectEngineInspectGenericList, NULL); } /** diff --git a/src/log-tlslog.c b/src/log-tlslog.c index f684b7a98f..ae3797878d 100644 --- a/src/log-tlslog.c +++ b/src/log-tlslog.c @@ -499,6 +499,6 @@ static int LogTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p, void LogTlsLogRegister(void) { OutputRegisterTxModuleWithProgress(LOGGER_TLS, MODULE_NAME, "tls-log", LogTlsLogInitCtx, - ALPROTO_TLS, LogTlsLogger, TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE, LogTlsLogThreadInit, - LogTlsLogThreadDeinit); + ALPROTO_TLS, LogTlsLogger, TLS_STATE_CLIENT_HANDSHAKE_DONE, + TLS_STATE_SERVER_HANDSHAKE_DONE, LogTlsLogThreadInit, LogTlsLogThreadDeinit); } diff --git a/src/output-json-tls.c b/src/output-json-tls.c index e6b8f96e12..72d60b19e8 100644 --- a/src/output-json-tls.c +++ b/src/output-json-tls.c @@ -659,6 +659,6 @@ void JsonTlsLogRegister (void) { /* register as child of eve-log */ OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_TX, "eve-log", "JsonTlsLog", "eve-log.tls", - OutputTlsLogInitSub, ALPROTO_TLS, JsonTlsLogger, TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE, - JsonTlsLogThreadInit, JsonTlsLogThreadDeinit); + OutputTlsLogInitSub, ALPROTO_TLS, JsonTlsLogger, TLS_STATE_SERVER_HANDSHAKE_DONE, + TLS_STATE_CLIENT_HANDSHAKE_DONE, JsonTlsLogThreadInit, JsonTlsLogThreadDeinit); } diff --git a/src/output-lua.c b/src/output-lua.c index e7438c6d36..2a773aa774 100644 --- a/src/output-lua.c +++ b/src/output-lua.c @@ -777,8 +777,8 @@ static OutputInitResult OutputLuaLogInit(SCConfNode *conf) } else if (opts.alproto == ALPROTO_TLS) { om->TxLogFunc = LuaTxLogger; om->alproto = ALPROTO_TLS; - om->tc_log_progress = TLS_HANDSHAKE_DONE; - om->ts_log_progress = TLS_HANDSHAKE_DONE; + om->tc_log_progress = TLS_STATE_SERVER_HANDSHAKE_DONE; + om->ts_log_progress = TLS_STATE_CLIENT_HANDSHAKE_DONE; AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TLS); } else if (opts.alproto == ALPROTO_DNS) { om->TxLogFunc = LuaTxLogger;