From: Victor Julien
Date: Fri, 28 Feb 2025 08:28:10 +0000 (+0100)
Subject: detect/tls: more precise state registration for keywords
X-Git-Tag: suricata-8.0.0-beta1~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9539002b3998ffb67b8aeb091ba0168fa50de6a0;p=thirdparty%2Fsuricata.git
detect/tls: more precise state registration for keywords
---
diff --git a/src/detect-ja4-hash.c b/src/detect-ja4-hash.c
index 3a835b2e3a..645c6eba54 100644
--- a/src/detect-ja4-hash.c
+++ b/src/detect-ja4-hash.c
@@ -83,11 +83,11 @@ void DetectJa4HashRegister(void)
 sigmatch_table[DETECT_JA4_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 #ifdef HAVE_JA4
- DetectAppLayerInspectEngineRegister("ja4.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectBufferGeneric, GetData);
+ DetectAppLayerInspectEngineRegister("ja4.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER,
+ TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister(
- "ja4.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
+ DetectAppLayerMpmRegister("ja4.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
+ GetData, ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE);
 DetectAppLayerMpmRegister("ja4.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
 Ja4DetectGetHash, ALPROTO_QUIC, 1);
diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c
index a326f1232e..f4d7154d03 100644
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
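Review bot: The ALPROTO_QUIC registration that follows the rewritten lines still passes the bare literal `1` as its progress value, while the ALPROTO_TLS registrations for the same buffer now name theirs with `TLS_STATE_CLIENT_HELLO_DONE`; the same mixed form is left in the ja3.hash, ja3.string, ja3s.hash and ja3s.string hunks. Reading the two registrations side by side, a maintainer cannot tell which QUIC parser state `1` denotes or whether it is the QUIC counterpart of the named TLS state. If the QUIC parser exposes a named state constant for that value, use it; otherwise a short comment on the QUIC line stating which parser state the literal corresponds to would keep the two calls readable together. The `#ifdef HAVE_JA4` block and DetectJa4HashRegister continue outside the hunk.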
@@ -92,11 +92,11 @@ void DetectTlsJa3HashRegister(void)
 sigmatch_table[DETECT_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 #ifdef HAVE_JA3
- DetectAppLayerInspectEngineRegister("ja3.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectBufferGeneric, GetData);
+ DetectAppLayerInspectEngineRegister("ja3.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER,
+ TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerMpmRegister(
- "ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
+ DetectAppLayerMpmRegister("ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
+ GetData, ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE);
 DetectAppLayerMpmRegister("ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
 Ja3DetectGetHash, ALPROTO_QUIC, 1);
diff --git a/src/detect-tls-ja3-string.c b/src/detect-tls-ja3-string.c
index 9b62f425d0..81b44c42fc 100644
--- a/src/detect-tls-ja3-string.c
+++ b/src/detect-tls-ja3-string.c
@@ -91,11 +91,11 @@ void DetectTlsJa3StringRegister(void)
 sigmatch_table[DETECT_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 #ifdef HAVE_JA3
- DetectAppLayerInspectEngineRegister("ja3.string", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectBufferGeneric, GetData);
+ DetectAppLayerInspectEngineRegister("ja3.string", ALPROTO_TLS, SIG_FLAG_TOSERVER,
+ TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetData);
 DetectAppLayerMpmRegister("ja3.string", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
- GetData, ALPROTO_TLS, 0);
+ GetData, ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE);
 DetectAppLayerMpmRegister("ja3.string", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
 Ja3DetectGetString, ALPROTO_QUIC, 1);
diff --git a/src/detect-tls-ja3s-hash.c b/src/detect-tls-ja3s-hash.c
index ee2c7ef4f7..2bec725169 100644
--- a/src/detect-tls-ja3s-hash.c
+++ b/src/detect-tls-ja3s-hash.c
@@ -91,11 +91,11 @@ void DetectTlsJa3SHashRegister(void)
 sigmatch_table[DETECT_TLS_JA3S_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 #ifdef HAVE_JA3
- DetectAppLayerInspectEngineRegister("ja3s.hash", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
- DetectEngineInspectBufferGeneric, GetData);
+ DetectAppLayerInspectEngineRegister("ja3s.hash", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
+ TLS_STATE_SERVER_HELLO, DetectEngineInspectBufferGeneric, GetData);
 DetectAppLayerMpmRegister("ja3s.hash", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
- GetData, ALPROTO_TLS, 0);
+ GetData, ALPROTO_TLS, TLS_STATE_SERVER_HELLO);
 DetectAppLayerMpmRegister("ja3s.hash", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
 Ja3DetectGetHash, ALPROTO_QUIC, 1);
diff --git a/src/detect-tls-ja3s-string.c b/src/detect-tls-ja3s-string.c
index fd789bd902..857e045f7d 100644
--- a/src/detect-tls-ja3s-string.c
+++ b/src/detect-tls-ja3s-string.c
@@ -90,11 +90,11 @@ void DetectTlsJa3SStringRegister(void)
 sigmatch_table[DETECT_TLS_JA3S_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 #ifdef HAVE_JA3
- DetectAppLayerInspectEngineRegister("ja3s.string", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
- DetectEngineInspectBufferGeneric, GetData);
+ DetectAppLayerInspectEngineRegister("ja3s.string", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
+ TLS_STATE_SERVER_HELLO, DetectEngineInspectBufferGeneric, GetData);
 DetectAppLayerMpmRegister("ja3s.string", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
- GetData, ALPROTO_TLS, 0);
+ GetData, ALPROTO_TLS, TLS_STATE_SERVER_HELLO);
 DetectAppLayerMpmRegister("ja3s.string", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
 Ja3DetectGetString, ALPROTO_QUIC, 1);
diff --git a/src/detect-tls-random.c b/src/detect-tls-random.c
index 2e6aa97672..76e6049069 100644
--- a/src/detect-tls-random.c
+++ b/src/detect-tls-random.c
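Review bot: The to-client registrations are keyed on `TLS_STATE_SERVER_HELLO` where the to-server ones use `TLS_STATE_CLIENT_HELLO_DONE`, and the asymmetry in the names leaves it unclear from these lines whether the state is reached once the ServerHello has been fully parsed or when it is first seen. JA3S is derived from ServerHello fields, so if the state is entered before the message is complete the prefilter and inspect engine would be scheduled against a buffer GetData cannot yet populate; the same question applies to the ja3s.string hunk and to the SIG_FLAG_TOCLIENT registrations in the tls.random_time and tls.random_bytes hunks. If the parser guarantees the JA3S data is set before that state is reached, a comment at the registration would make that explicit, e.g. `/* JA3S fields are final once the ServerHello is parsed, so inspect from TLS_STATE_SERVER_HELLO */`. DetectTlsJa3SHashRegister continues outside the hunk.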
@@ -62,16 +62,16 @@ void DetectTlsRandomTimeRegister(void)
 sigmatch_table[DETECT_TLS_RANDOM_TIME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
 /* Register engine for Server random */
- DetectAppLayerInspectEngineRegister("tls.random_time", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectBufferGeneric, GetRandomTimeData);
+ DetectAppLayerInspectEngineRegister("tls.random_time", ALPROTO_TLS, SIG_FLAG_TOSERVER,
+ TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetRandomTimeData);
 DetectAppLayerMpmRegister("tls.random_time", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
- GetRandomTimeData, ALPROTO_TLS, 0);
+ GetRandomTimeData, ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE);
 /* Register engine for Client random */
- DetectAppLayerInspectEngineRegister("tls.random_time", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
- DetectEngineInspectBufferGeneric, GetRandomTimeData);
+ DetectAppLayerInspectEngineRegister("tls.random_time", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
+ TLS_STATE_SERVER_HELLO, DetectEngineInspectBufferGeneric, GetRandomTimeData);
 DetectAppLayerMpmRegister("tls.random_time", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
- GetRandomTimeData, ALPROTO_TLS, 0);
+ GetRandomTimeData, ALPROTO_TLS, TLS_STATE_SERVER_HELLO);
 DetectBufferTypeSetDescriptionByName("tls.random_time", "TLS Random Time");
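Review bot: The context comments `/* Register engine for Server random */` and `/* Register engine for Client random */` appear inverted relative to the registrations they introduce: the first now precedes the SIG_FLAG_TOSERVER pair keyed on `TLS_STATE_CLIENT_HELLO_DONE`, i.e. the random carried in the ClientHello, and the second precedes the SIG_FLAG_TOCLIENT pair keyed on `TLS_STATE_SERVER_HELLO`. The new state constants make the mismatch visible, so swapping the two comments in this commit would be cheap: `/* Register engine for Client random (ClientHello, to server) */` before the first pair and `/* Register engine for Server random (ServerHello, to client) */` before the second. The same inverted pair is in the tls.random_bytes hunk. This assumes GetRandomTimeData picks the random by flow direction, which is not visible in the hunk; DetectTlsRandomTimeRegister continues outside it.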
@@ -89,16 +89,16 @@ void DetectTlsRandomBytesRegister(void)
 sigmatch_table[DETECT_TLS_RANDOM_BYTES].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
 /* Register engine for Server random */
- DetectAppLayerInspectEngineRegister("tls.random_bytes", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectBufferGeneric, GetRandomBytesData);
+ DetectAppLayerInspectEngineRegister("tls.random_bytes", ALPROTO_TLS, SIG_FLAG_TOSERVER,
+ TLS_STATE_CLIENT_HELLO_DONE, DetectEngineInspectBufferGeneric, GetRandomBytesData);
 DetectAppLayerMpmRegister("tls.random_bytes", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
- GetRandomBytesData, ALPROTO_TLS, 0);
+ GetRandomBytesData, ALPROTO_TLS, TLS_STATE_CLIENT_HELLO_DONE);
 /* Register engine for Client random */
- DetectAppLayerInspectEngineRegister("tls.random_bytes", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
- DetectEngineInspectBufferGeneric, GetRandomBytesData);
+ DetectAppLayerInspectEngineRegister("tls.random_bytes", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
+ TLS_STATE_SERVER_HELLO, DetectEngineInspectBufferGeneric, GetRandomBytesData);
 DetectAppLayerMpmRegister("tls.random_bytes", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
- GetRandomBytesData, ALPROTO_TLS, 0);
+ GetRandomBytesData, ALPROTO_TLS, TLS_STATE_SERVER_HELLO);
 DetectBufferTypeSetDescriptionByName("tls.random_bytes", "TLS Random Bytes");