From: Jeff Lucovsky
Date: Sun, 7 Apr 2019 17:42:25 +0000 (-0700)
Subject: detect: Modernize TLS keywords
X-Git-Tag: suricata-5.0.0-beta1~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f102d95b634916088b09b29e5b943773a9b63af;p=thirdparty%2Fsuricata.git

detect: Modernize TLS keywords

This changeset adds keywords for "tls." and moves the existing value of "tls_" to an alias.
---
diff --git a/src/detect-tls-cert-fingerprint.c b/src/detect-tls-cert-fingerprint.c
index 1d5244ed19..6b803d375c 100644
--- a/src/detect-tls-cert-fingerprint.c
+++ b/src/detect-tls-cert-fingerprint.c
@@ -67,11 +67,12 @@ static _Bool DetectTlsFingerprintValidateCallback(const Signature *s,
 static int g_tls_cert_fingerprint_buffer_id = 0;
 /**
- * \brief Registration function for keyword: tls_cert_fingerprint
+ * \brief Registration function for keyword: tls.cert_fingerprint
 */
 void DetectTlsFingerprintRegister(void)
 {
- sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].name = "tls_cert_fingerprint";
+ sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].name = "tls.cert_fingerprint";
+ sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].alias = "tls_cert_fingerprint";
 sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].desc = "content modifier to match the TLS cert fingerprint buffer";
 sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-fingerprint";
 sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].Match = NULL;
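Review bot: `.desc` on the DETECT_AL_TLS_CERT_FINGERPRINT entry still reads `"content modifier to match the TLS cert fingerprint buffer"` while the next hunk flags the same entry with `SIGMATCH_INFO_STICKY_BUFFER`, so the keyword listing (which, as far as I can tell, prints both the description and the info flags) will call it a content modifier and tag it a sticky buffer at the same time. Suggest `sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].desc = "sticky buffer to match the TLS cert fingerprint buffer";`. The same mismatch is in the Register hunks of detect-tls-cert-issuer.c, detect-tls-cert-serial.c, detect-tls-cert-subject.c, detect-tls-ja3-hash.c, detect-tls-ja3-string.c and detect-tls-sni.c. DetectTlsFingerprintRegister continues past the end of this hunk.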
@@ -80,25 +81,26 @@ void DetectTlsFingerprintRegister(void)
 sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].RegisterTests = DetectTlsFingerprintRegisterTests;
 sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("tls_cert_fingerprint", ALPROTO_TLS,
+ DetectAppLayerInspectEngineRegister2("tls.cert_fingerprint", ALPROTO_TLS,
 SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
 DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("tls_cert_fingerprint", SIG_FLAG_TOCLIENT, 2,
+ DetectAppLayerMpmRegister2("tls.cert_fingerprint", SIG_FLAG_TOCLIENT, 2,
 PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
 TLS_STATE_CERT_READY);
- DetectBufferTypeSetDescriptionByName("tls_cert_fingerprint",
+ DetectBufferTypeSetDescriptionByName("tls.cert_fingerprint",
 "TLS certificate fingerprint");
- DetectBufferTypeRegisterSetupCallback("tls_cert_fingerprint",
+ DetectBufferTypeRegisterSetupCallback("tls.cert_fingerprint",
 DetectTlsFingerprintSetupCallback);
- DetectBufferTypeRegisterValidateCallback("tls_cert_fingerprint",
+ DetectBufferTypeRegisterValidateCallback("tls.cert_fingerprint",
 DetectTlsFingerprintValidateCallback);
- g_tls_cert_fingerprint_buffer_id = DetectBufferTypeGetByName("tls_cert_fingerprint");
+ g_tls_cert_fingerprint_buffer_id = DetectBufferTypeGetByName("tls.cert_fingerprint");
 }
 /**
@@ -173,14 +175,14 @@ static _Bool DetectTlsFingerprintValidateCallback(const Signature *s,
 if (have_delimiters == FALSE) {
 *sigerror = "No colon delimiters ':' detected in content after "
- "tls_cert_fingerprint. This rule will therefore "
+ "tls.cert_fingerprint. This rule will therefore "
 "never match.";
 SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
 return FALSE;
 }
 if (cd->flags & DETECT_CONTENT_NOCASE) {
- *sigerror = "tls_cert_fingerprint should not be used together "
+ *sigerror = "tls.cert_fingerprint should not be used together "
 "with nocase, since the rule is automatically "
 "lowercased anyway which makes nocase redundant.";
 SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
@@ -236,8 +238,8 @@ static int DetectTlsFingerprintTest01(void)
 de_ctx->flags |= DE_QUIET;
 de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
- "(msg:\"Testing tls_cert_fingerprint\"; "
- "tls_cert_fingerprint; "
+ "(msg:\"Testing tls.cert_fingerprint\"; "
+ "tls.cert_fingerprint; "
 "content:\"11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00\"; "
 "sid:1;)");
 FAIL_IF_NULL(de_ctx->sig_list);
@@ -514,8 +516,8 @@ static int DetectTlsFingerprintTest02(void)
 de_ctx->flags |= DE_QUIET;
 s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_cert_fingerprint\"; "
- "tls_cert_fingerprint; "
+ "(msg:\"Test tls.cert_fingerprint\"; "
+ "tls.cert_fingerprint; "
 "content:\"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18\"; "
 "sid:1;)");
 FAIL_IF_NULL(s);
diff --git a/src/detect-tls-cert-issuer.c b/src/detect-tls-cert-issuer.c
index 2896549aef..8f3dd2d590 100644
--- a/src/detect-tls-cert-issuer.c
+++ b/src/detect-tls-cert-issuer.c
@@ -20,7 +20,7 @@
 *
 * \author Mats Klepsland
 *
- * Implements support for tls_cert_issuer keyword.
+ * Implements support for tls.cert_issuer keyword.
 */
 #include "suricata-common.h"
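Review bot: The two warning strings in this hunk now name only `tls.cert_fingerprint`, but the validate callback presumably also runs for rules written with the alias `tls_cert_fingerprint` that the commit keeps, so an author who never used the new spelling gets a warning about a keyword that does not appear in their rule. Naming both spellings keeps the warning greppable against deployed rulesets, e.g. `*sigerror = "tls.cert_fingerprint (alias tls_cert_fingerprint) should not be used together "` and likewise for the "No colon delimiters" message. The same applies to the nocase and delimiter warnings in detect-tls-cert-serial.c and to the nocase warning in detect-tls-ja3-hash.c. DetectTlsFingerprintValidateCallback starts and ends outside this hunk.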
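Review bot: After the Test01 hunk no unit test parses the alias spelling any more: Test01 and Test02 are rewritten to `tls.cert_fingerprint`, so the backward-compatible `tls_cert_fingerprint` alias that the commit message promises, and that every existing ruleset relies on for its TLS detections to keep loading, has no coverage. Keeping one signature in the old spelling, e.g. a second rule `"alert tls any any -> any any (tls_cert_fingerprint; content:\"11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00\"; sid:2;)"` appended in Test01 with a `FAIL_IF_NULL` on the result, would pin that the alias still resolves. The same gap exists in the Test01/Test02 hunks of detect-tls-cert-issuer.c, detect-tls-cert-serial.c, detect-tls-cert-subject.c, detect-tls-ja3-hash.c, detect-tls-ja3-string.c and detect-tls-sni.c. DetectTlsFingerprintTest01 starts and ends outside the hunk.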
@@ -63,11 +63,12 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 static int g_tls_cert_issuer_buffer_id = 0;
 /**
- * \brief Registration function for keyword: tls_cert_issuer
+ * \brief Registration function for keyword: tls.cert_issuer
 */
 void DetectTlsIssuerRegister(void)
 {
- sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].name = "tls_cert_issuer";
+ sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].name = "tls.cert_issuer";
+ sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].alias = "tls_cert_issuer";
 sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].desc = "content modifier to match specifically and only on the TLS cert issuer buffer";
 sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-issuer";
 sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Match = NULL;
@@ -76,19 +77,20 @@ void DetectTlsIssuerRegister(void)
 sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].RegisterTests = DetectTlsIssuerRegisterTests;
 sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("tls_cert_issuer", ALPROTO_TLS,
+ DetectAppLayerInspectEngineRegister2("tls.cert_issuer", ALPROTO_TLS,
 SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
 DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("tls_cert_issuer", SIG_FLAG_TOCLIENT, 2,
+ DetectAppLayerMpmRegister2("tls.cert_issuer", SIG_FLAG_TOCLIENT, 2,
 PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
 TLS_STATE_CERT_READY);
- DetectBufferTypeSetDescriptionByName("tls_cert_issuer",
+ DetectBufferTypeSetDescriptionByName("tls.cert_issuer",
 "TLS certificate issuer");
- g_tls_cert_issuer_buffer_id = DetectBufferTypeGetByName("tls_cert_issuer");
+ g_tls_cert_issuer_buffer_id = DetectBufferTypeGetByName("tls.cert_issuer");
 }
@@ -146,8 +148,8 @@ static int DetectTlsIssuerTest01(void)
 de_ctx->flags |= DE_QUIET;
 de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
- "(msg:\"Testing tls_cert_issuer\"; "
- "tls_cert_issuer; content:\"test\"; sid:1;)");
+ "(msg:\"Testing tls.cert_issuer\"; "
+ "tls.cert_issuer; content:\"test\"; sid:1;)");
 FAIL_IF_NULL(de_ctx->sig_list);
 /* sm should not be in the MATCH list */
@@ -423,8 +425,8 @@ static int DetectTlsIssuerTest02(void)
 de_ctx->flags |= DE_QUIET;
 s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_cert_issuer\"; "
- "tls_cert_issuer; content:\"google\"; nocase; "
+ "(msg:\"Test tls.cert_issuer\"; "
+ "tls.cert_issuer; content:\"google\"; nocase; "
 "sid:1;)");
 FAIL_IF_NULL(s);
diff --git a/src/detect-tls-cert-serial.c b/src/detect-tls-cert-serial.c
index c58ea9553b..624c40298d 100644
--- a/src/detect-tls-cert-serial.c
+++ b/src/detect-tls-cert-serial.c
@@ -20,7 +20,7 @@
 *
 * \author Mats Klepsland
 *
- * Implements support for tls_cert_serial keyword.
+ * Implements support for tls.cert_serial keyword.
 */
 #include "suricata-common.h"
@@ -67,11 +67,12 @@ static _Bool DetectTlsSerialValidateCallback(const Signature *s,
 static int g_tls_cert_serial_buffer_id = 0;
 /**
- * \brief Registration function for keyword: tls_cert_serial
+ * \brief Registration function for keyword: tls.cert_serial
 */
 void DetectTlsSerialRegister(void)
 {
- sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].name = "tls_cert_serial";
+ sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].name = "tls.cert_serial";
+ sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].alias = "tls_cert_serial";
 sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].desc = "content modifier to match the TLS cert serial buffer";
 sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-serial";
 sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].Match = NULL;
@@ -80,25 +81,26 @@ void DetectTlsSerialRegister(void)
 sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].RegisterTests = DetectTlsSerialRegisterTests;
 sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("tls_cert_serial", ALPROTO_TLS,
+ DetectAppLayerInspectEngineRegister2("tls.cert_serial", ALPROTO_TLS,
 SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
 DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("tls_cert_serial", SIG_FLAG_TOCLIENT, 2,
+ DetectAppLayerMpmRegister2("tls.cert_serial", SIG_FLAG_TOCLIENT, 2,
 PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
 TLS_STATE_CERT_READY);
- DetectBufferTypeSetDescriptionByName("tls_cert_serial",
+ DetectBufferTypeSetDescriptionByName("tls.cert_serial",
 "TLS certificate serial number");
- DetectBufferTypeRegisterSetupCallback("tls_cert_serial",
+ DetectBufferTypeRegisterSetupCallback("tls.cert_serial",
 DetectTlsSerialSetupCallback);
- DetectBufferTypeRegisterValidateCallback("tls_cert_serial",
+ DetectBufferTypeRegisterValidateCallback("tls.cert_serial",
 DetectTlsSerialValidateCallback);
- g_tls_cert_serial_buffer_id = DetectBufferTypeGetByName("tls_cert_serial");
+ g_tls_cert_serial_buffer_id = DetectBufferTypeGetByName("tls.cert_serial");
 }
 /**
@@ -154,7 +156,7 @@ static _Bool DetectTlsSerialValidateCallback(const Signature *s,
 const DetectContentData *cd = (DetectContentData *)sm->ctx;
 if (cd->flags & DETECT_CONTENT_NOCASE) {
- *sigerror = "tls_cert_serial should not be used together "
+ *sigerror = "tls.cert_serial should not be used together "
 "with nocase, since the rule is automatically "
 "uppercased anyway which makes nocase redundant.";
 SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
@@ -170,7 +172,7 @@ static _Bool DetectTlsSerialValidateCallback(const Signature *s,
 return TRUE;
 *sigerror = "No colon delimiters ':' detected in content after "
- "tls_cert_serial. This rule will therefore never "
+ "tls.cert_serial. This rule will therefore never "
 "match.";
 SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
@@ -213,7 +215,7 @@ static void DetectTlsSerialSetupCallback(const DetectEngineCtx *de_ctx,
 #ifdef UNITTESTS
 /**
- * \test Test that a signature containing tls_cert_serial is correctly parsed
+ * \test Test that a signature containing tls.cert_serial is correctly parsed
 * and that the keyword is registered.
 */
 static int DetectTlsSerialTest01(void)
@@ -226,8 +228,8 @@ static int DetectTlsSerialTest01(void)
 de_ctx->flags |= DE_QUIET;
 de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
- "(msg:\"Testing tls_cert_serial\"; "
- "tls_cert_serial; content:\"XX:XX:XX\"; sid:1;)");
+ "(msg:\"Testing tls.cert_serial\"; "
+ "tls.cert_serial; content:\"XX:XX:XX\"; sid:1;)");
 FAIL_IF_NULL(de_ctx->sig_list);
 /* sm should not be in the MATCH list */
@@ -502,8 +504,8 @@ static int DetectTlsSerialTest02(void)
 de_ctx->flags |= DE_QUIET;
 s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_cert_serial\"; "
- "tls_cert_serial; "
+ "(msg:\"Test tls.cert_serial\"; "
+ "tls.cert_serial; "
 "content:\"5C:19:B7:B1:32:3B:1C:A1\"; "
 "sid:1;)");
 FAIL_IF_NULL(s);
diff --git a/src/detect-tls-cert-subject.c b/src/detect-tls-cert-subject.c
index dd9f043abc..3c1c4c9772 100644
--- a/src/detect-tls-cert-subject.c
+++ b/src/detect-tls-cert-subject.c
@@ -20,7 +20,7 @@
 *
 * \author Mats Klepsland
 *
- * Implements support for tls_cert_subject keyword.
+ * Implements support for tls.cert_subject keyword.
 */
 #include "suricata-common.h"
@@ -63,11 +63,12 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 static int g_tls_cert_subject_buffer_id = 0;
 /**
- * \brief Registration function for keyword: tls_cert_subject
+ * \brief Registration function for keyword: tls.cert_subject
 */
 void DetectTlsSubjectRegister(void)
 {
- sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls_cert_subject";
+ sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls.cert_subject";
+ sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].alias = "tls_cert_subject";
 sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].desc = "content modifier to match specifically and only on the TLS cert subject buffer";
 sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-subject";
 sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Match = NULL;
@@ -76,23 +77,24 @@ void DetectTlsSubjectRegister(void)
 sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
 sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("tls_cert_subject", ALPROTO_TLS,
+ DetectAppLayerInspectEngineRegister2("tls.cert_subject", ALPROTO_TLS,
 SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
 DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("tls_cert_subject", SIG_FLAG_TOCLIENT, 2,
+ DetectAppLayerMpmRegister2("tls.cert_subject", SIG_FLAG_TOCLIENT, 2,
 PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
 TLS_STATE_CERT_READY);
- DetectBufferTypeSetDescriptionByName("tls_cert_subject",
+ DetectBufferTypeSetDescriptionByName("tls.cert_subject",
 "TLS certificate subject");
- g_tls_cert_subject_buffer_id = DetectBufferTypeGetByName("tls_cert_subject");
+ g_tls_cert_subject_buffer_id = DetectBufferTypeGetByName("tls.cert_subject");
 }
 /**
- * \brief this function setup the tls_cert_subject modifier keyword used in the rule
+ * \brief this function setup the tls.cert_subject modifier keyword used in the rule
 *
 * \param de_ctx Pointer to the Detection Engine Context
 * \param s Pointer to the Signature to which the current keyword belongs
@@ -132,7 +134,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 #ifdef UNITTESTS
 /**
- * \test Test that a signature containing a tls_cert_subject is correctly parsed
+ * \test Test that a signature containing a tls.cert_subject is correctly parsed
 * and that the keyword is registered.
 */
 static int DetectTlsSubjectTest01(void)
@@ -145,8 +147,8 @@ static int DetectTlsSubjectTest01(void)
 de_ctx->flags |= DE_QUIET;
 de_ctx->sig_list = SigInit(de_ctx, "alert tls any any -> any any "
- "(msg:\"Testing tls_cert_subject\"; "
- "tls_cert_subject; content:\"test\"; sid:1;)");
+ "(msg:\"Testing tls.cert_subject\"; "
+ "tls.cert_subject; content:\"test\"; sid:1;)");
 FAIL_IF_NULL(de_ctx->sig_list);
 /* sm should not be in the MATCH list */
@@ -422,8 +424,8 @@ static int DetectTlsSubjectTest02(void)
 de_ctx->flags |= DE_QUIET;
 s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_cert_subject\"; "
- "tls_cert_subject; content:\"google\"; nocase; "
+ "(msg:\"Test tls.cert_subject\"; "
+ "tls.cert_subject; content:\"google\"; nocase; "
 "sid:1;)");
 FAIL_IF_NULL(s);
diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c
index b94a6d86ef..ef1453c823 100644
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
@@ -20,7 +20,7 @@
 *
 * \author Mats Klepsland
 *
- * Implements support for ja3_hash keyword.
+ * Implements support for ja3.hash keyword.
 */
 #include "suricata-common.h"
@@ -75,7 +75,8 @@ static int g_tls_ja3_hash_buffer_id = 0;
 */
 void DetectTlsJa3HashRegister(void)
 {
- sigmatch_table[DETECT_AL_TLS_JA3_HASH].name = "ja3_hash";
+ sigmatch_table[DETECT_AL_TLS_JA3_HASH].name = "ja3.hash";
+ sigmatch_table[DETECT_AL_TLS_JA3_HASH].alias = "ja3_hash";
 sigmatch_table[DETECT_AL_TLS_JA3_HASH].desc = "content modifier to match the JA3 hash buffer";
 sigmatch_table[DETECT_AL_TLS_JA3_HASH].url = DOC_URL DOC_VERSION "/rules/ja3-keywords.html#ja3-hash";
 sigmatch_table[DETECT_AL_TLS_JA3_HASH].Match = NULL;
@@ -84,26 +85,27 @@ void DetectTlsJa3HashRegister(void)
 sigmatch_table[DETECT_AL_TLS_JA3_HASH].RegisterTests = DetectTlsJa3HashRegisterTests;
 sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("ja3_hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
+ DetectAppLayerInspectEngineRegister2("ja3.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
 DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("ja3_hash", SIG_FLAG_TOSERVER, 2,
+ DetectAppLayerMpmRegister2("ja3.hash", SIG_FLAG_TOSERVER, 2,
 PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
- DetectBufferTypeSetDescriptionByName("ja3_hash", "TLS JA3 hash");
+ DetectBufferTypeSetDescriptionByName("ja3.hash", "TLS JA3 hash");
- DetectBufferTypeRegisterSetupCallback("ja3_hash",
+ DetectBufferTypeRegisterSetupCallback("ja3.hash",
 DetectTlsJa3HashSetupCallback);
- DetectBufferTypeRegisterValidateCallback("ja3_hash",
+ DetectBufferTypeRegisterValidateCallback("ja3.hash",
 DetectTlsJa3HashValidateCallback);
- g_tls_ja3_hash_buffer_id = DetectBufferTypeGetByName("ja3_hash");
+ g_tls_ja3_hash_buffer_id = DetectBufferTypeGetByName("ja3.hash");
 }
 /**
- * \brief this function setup the ja3_hash modifier keyword used in the rule
+ * \brief this function setup the ja3.hash modifier keyword used in the rule
 *
 * \param de_ctx Pointer to the Detection Engine Context
 * \param s Pointer to the Signature to which the current keyword belongs
@@ -160,7 +162,7 @@ static _Bool DetectTlsJa3HashValidateCallback(const Signature *s,
 const DetectContentData *cd = (DetectContentData *)sm->ctx;
 if (cd->flags & DETECT_CONTENT_NOCASE) {
- *sigerror = "ja3_hash should not be used together with "
+ *sigerror = "ja3.hash should not be used together with "
 "nocase, since the rule is automatically "
 "lowercased anyway which makes nocase redundant.";
 SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
@@ -281,7 +283,7 @@ static int DetectTlsJa3HashTest01(void)
 de_ctx->flags |= DE_QUIET;
 s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test ja3_hash\"; ja3_hash; "
+ "(msg:\"Test ja3.hash\"; ja3.hash; "
 "content:\"e7eca2baf4458d095b7f45da28c16c34\"; "
 "sid:1;)");
 FAIL_IF_NULL(s);
@@ -381,7 +383,7 @@ static int DetectTlsJa3HashTest02(void)
 de_ctx->flags |= DE_QUIET;
 s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test ja3_hash\"; ja3_hash; "
+ "(msg:\"Test ja3.hash\"; ja3.hash; "
 "content:\"bc6c386f480ee97b9d9e52d472b772d8\"; "
 "sid:1;)");
 FAIL_IF_NULL(s);
diff --git a/src/detect-tls-ja3-string.c b/src/detect-tls-ja3-string.c
index 0fd914990f..d58359ecbc 100644
--- a/src/detect-tls-ja3-string.c
+++ b/src/detect-tls-ja3-string.c
@@ -20,7 +20,7 @@
 *
 * \author Mats Klepsland
 *
- * Implements support for ja3_string keyword.
+ * Implements support for ja3.string keyword.
 */
 #include "suricata-common.h"
@@ -67,11 +67,12 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 static int g_tls_ja3_str_buffer_id = 0;
 /**
- * \brief Registration function for keyword: ja3_string
+ * \brief Registration function for keyword: ja3.string
 */
 void DetectTlsJa3StringRegister(void)
 {
- sigmatch_table[DETECT_AL_TLS_JA3_STRING].name = "ja3_string";
+ sigmatch_table[DETECT_AL_TLS_JA3_STRING].name = "ja3.string";
+ sigmatch_table[DETECT_AL_TLS_JA3_STRING].alias = "ja3_string";
 sigmatch_table[DETECT_AL_TLS_JA3_STRING].desc = "content modifier to match the JA3 string buffer";
 sigmatch_table[DETECT_AL_TLS_JA3_STRING].url = DOC_URL DOC_VERSION "/rules/ja3-keywords.html#ja3-string";
 sigmatch_table[DETECT_AL_TLS_JA3_STRING].Match = NULL;
@@ -80,20 +81,21 @@ void DetectTlsJa3StringRegister(void)
 sigmatch_table[DETECT_AL_TLS_JA3_STRING].RegisterTests = DetectTlsJa3StringRegisterTests;
 sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("ja3_string", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
+ DetectAppLayerInspectEngineRegister2("ja3.string", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
 DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("ja3_string", SIG_FLAG_TOSERVER, 2,
+ DetectAppLayerMpmRegister2("ja3.string", SIG_FLAG_TOSERVER, 2,
 PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
- DetectBufferTypeSetDescriptionByName("ja3_string", "TLS JA3 string");
+ DetectBufferTypeSetDescriptionByName("ja3.string", "TLS JA3 string");
- g_tls_ja3_str_buffer_id = DetectBufferTypeGetByName("ja3_string");
+ g_tls_ja3_str_buffer_id = DetectBufferTypeGetByName("ja3.string");
 }
 /**
- * \brief this function setup the ja3_string modifier keyword used in the rule
+ * \brief this function setup the ja3.string modifier keyword used in the rule
 *
 * \param de_ctx Pointer to the Detection Engine Context
 * \param s Pointer to the Signature to which the current keyword belongs
@@ -211,7 +213,7 @@ static int DetectTlsJa3StringTest01(void)
 de_ctx->flags |= DE_QUIET;
 s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test ja3_string\"; ja3_string; "
+ "(msg:\"Test ja3.string\"; ja3.string; "
 "content:\"-65-68-69-102-103-104-105-106-107-132-135-255,0,,\"; "
 "sid:1;)");
 FAIL_IF_NULL(s);
diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c
index b4c27a2ee8..d333c47fab 100644
--- a/src/detect-tls-sni.c
+++ b/src/detect-tls-sni.c
@@ -20,7 +20,7 @@
 *
 * \author Mats Klepsland
 *
- * Implements support for tls_sni keyword.
+ * Implements support for tls.sni keyword.
 */
 #include "suricata-common.h"
@@ -63,11 +63,12 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 static int g_tls_sni_buffer_id = 0;
 /**
- * \brief Registration function for keyword: tls_sni
+ * \brief Registration function for keyword: tls.sni
 */
 void DetectTlsSniRegister(void)
 {
- sigmatch_table[DETECT_AL_TLS_SNI].name = "tls_sni";
+ sigmatch_table[DETECT_AL_TLS_SNI].name = "tls.sni";
+ sigmatch_table[DETECT_AL_TLS_SNI].alias = "tls_sni";
 sigmatch_table[DETECT_AL_TLS_SNI].desc = "content modifier to match specifically and only on the TLS SNI buffer";
 sigmatch_table[DETECT_AL_TLS_SNI].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-sni";
 sigmatch_table[DETECT_AL_TLS_SNI].Match = NULL;
@@ -76,22 +77,23 @@ void DetectTlsSniRegister(void)
 sigmatch_table[DETECT_AL_TLS_SNI].RegisterTests = DetectTlsSniRegisterTests;
 sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("tls_sni", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
+ DetectAppLayerInspectEngineRegister2("tls.sni", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
 DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister2("tls_sni", SIG_FLAG_TOSERVER, 2,
+ DetectAppLayerMpmRegister2("tls.sni", SIG_FLAG_TOSERVER, 2,
 PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
- DetectBufferTypeSetDescriptionByName("tls_sni",
+ DetectBufferTypeSetDescriptionByName("tls.sni",
 "TLS Server Name Indication (SNI) extension");
- g_tls_sni_buffer_id = DetectBufferTypeGetByName("tls_sni");
+ g_tls_sni_buffer_id = DetectBufferTypeGetByName("tls.sni");
 }
 /**
- * \brief this function setup the tls_sni modifier keyword used in the rule
+ * \brief this function setup the tls.sni modifier keyword used in the rule
 *
 * \param de_ctx Pointer to the Detection Engine Context
 * \param s Pointer to the Signature to which the current keyword belongs
@@ -190,8 +192,8 @@ static int DetectTlsSniTest01(void)
 de_ctx->flags |= DE_QUIET;
 s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_sni option\"; "
- "tls_sni; content:\"google.com\"; sid:1;)");
+ "(msg:\"Test tls.sni option\"; "
+ "tls.sni; content:\"google.com\"; sid:1;)");
 FAIL_IF_NULL(s);
 SigGroupBuild(de_ctx);
@@ -282,14 +284,14 @@ static int DetectTlsSniTest02(void)
 de_ctx->flags |= DE_QUIET;
 s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_sni option\"; "
- "tls_sni; content:\"google\"; nocase; "
+ "(msg:\"Test tls.sni option\"; "
+ "tls.sni; content:\"google\"; nocase; "
 "pcre:\"/google\\.com$/i\"; sid:1;)");
 FAIL_IF_NULL(s);
 s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
- "(msg:\"Test tls_sni option\"; "
- "tls_sni; content:\"google\"; nocase; "
+ "(msg:\"Test tls.sni option\"; "
+ "tls.sni; content:\"google\"; nocase; "
 "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
 FAIL_IF_NULL(s);