From: Victor Julien
Date: Thu, 22 Dec 2016 09:32:00 +0000 (+0100)
Subject: detect ssl/tls: use dynamic lists
X-Git-Tag: suricata-4.0.0-beta1~354
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8975c68e0354a51bfa44e30845e14619224c9dc;p=thirdparty%2Fsuricata.git

detect ssl/tls: use dynamic lists
---
diff --git a/src/detect-ssl-state.c b/src/detect-ssl-state.c
index 9cb9c7bc2b..88394b579f 100644
--- a/src/detect-ssl-state.c
+++ b/src/detect-ssl-state.c
@@ -60,26 +60,55 @@ static pcre *parse_regex2;
 static pcre_extra *parse_regex2_study;
 static int DetectSslStateMatch(ThreadVars *, DetectEngineThreadCtx *,
- Flow *, uint8_t, void *,
- const Signature *, const SigMatchData *);
+ Flow *, uint8_t, void *, void *,
+ const Signature *, const SigMatchCtx *);
 static int DetectSslStateSetup(DetectEngineCtx *, Signature *, char *);
 static void DetectSslStateRegisterTests(void);
 static void DetectSslStateFree(void *);
+static int InspectTlsGeneric(ThreadVars *tv,
+ DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+ const Signature *s, const SigMatchData *smd,
+ Flow *f, uint8_t flags, void *alstate,
+ void *txv, uint64_t tx_id);
+
+static int g_tls_generic_list_id = 0;
+
 /**
 * \brief Registers the keyword handlers for the "ssl_state" keyword.
 */
 void DetectSslStateRegister(void)
 {
 sigmatch_table[DETECT_AL_SSL_STATE].name = "ssl_state";
- sigmatch_table[DETECT_AL_SSL_STATE].Match = NULL;
- sigmatch_table[DETECT_AL_SSL_STATE].AppLayerMatch = DetectSslStateMatch;
+ sigmatch_table[DETECT_AL_SSL_STATE].AppLayerTxMatch = DetectSslStateMatch;
 sigmatch_table[DETECT_AL_SSL_STATE].Setup = DetectSslStateSetup;
 sigmatch_table[DETECT_AL_SSL_STATE].Free = DetectSslStateFree;
 sigmatch_table[DETECT_AL_SSL_STATE].RegisterTests = DetectSslStateRegisterTests;
 DetectSetupParseRegexes(PARSE_REGEX1, &parse_regex1, &parse_regex1_study);
 DetectSetupParseRegexes(PARSE_REGEX2, &parse_regex2, &parse_regex2_study);
+
+ g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
+
+ DetectBufferTypeSetDescriptionByName("tls_generic",
+ "generic ssl/tls inspection");
+
+ DetectAppLayerInspectEngineRegister("tls_generic",
+ ALPROTO_TLS, SIG_FLAG_TOSERVER,
+ InspectTlsGeneric);
+ DetectAppLayerInspectEngineRegister("tls_generic",
+ ALPROTO_TLS, SIG_FLAG_TOCLIENT,
+ InspectTlsGeneric);
+}
+
+static int InspectTlsGeneric(ThreadVars *tv,
+ DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+ const Signature *s, const SigMatchData *smd,
+ Flow *f, uint8_t flags, void *alstate,
+ void *txv, uint64_t tx_id)
+{
+ return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
+ f, flags, alstate, txv, tx_id);
 }
 /**
@@ -97,10 +126,10 @@ void DetectSslStateRegister(void)
 * \retval 0 No match.
 */
 static int DetectSslStateMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *alstate,
- const Signature *s, const SigMatchData *m)
+ Flow *f, uint8_t flags, void *alstate, void *txv,
+ const Signature *s, const SigMatchCtx *m)
 {
- const DetectSslStateData *ssd = (const DetectSslStateData *)m->ctx;
+ const DetectSslStateData *ssd = (const DetectSslStateData *)m;
 SSLState *ssl_state = (SSLState *)alstate;
 if (ssl_state == NULL) {
 SCLogDebug("no app state, no match");
@@ -298,7 +327,7 @@ static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
 s->alproto = ALPROTO_TLS;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
+ SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
 return 0;
diff --git a/src/detect-ssl-version.c b/src/detect-ssl-version.c
index ea8f839c85..661c6b89bf 100644
--- a/src/detect-ssl-version.c
+++ b/src/detect-ssl-version.c
@@ -61,11 +61,12 @@ static pcre *parse_regex;
 static pcre_extra *parse_regex_study;
 static int DetectSslVersionMatch(ThreadVars *, DetectEngineThreadCtx *,
- Flow *, uint8_t, void *,
- const Signature *, const SigMatchData *);
+ Flow *, uint8_t, void *, void *,
+ const Signature *, const SigMatchCtx *);
 static int DetectSslVersionSetup(DetectEngineCtx *, Signature *, char *);
 static void DetectSslVersionRegisterTests(void);
 static void DetectSslVersionFree(void *);
+static int g_tls_generic_list_id = 0;
 /**
 * \brief Registration function for keyword: ssl_version
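Review bot: The inspect engine for the `tls_generic` list is registered only here, in `DetectSslStateRegister`, while detect-ssl-version.c and detect-tls-version.c in this same commit append their SigMatches to the list they obtain from `DetectBufferTypeRegister("tls_generic")` without registering any engine, so `ssl_version` and `tls.version` appear to be inspected only as a side effect of the `ssl_state` keyword being registered. That cross-file dependency deserves a comment next to the two `DetectAppLayerInspectEngineRegister` calls, e.g. `/* ssl_version and tls.version append to this list too; the engine is registered only here */`, or better a single shared registration point. `InspectTlsGeneric` forwards every argument unchanged to `DetectEngineInspectGenericList`; if the two prototypes are identical, as they appear to be, the wrapper can be dropped and the generic function registered directly. Whether `DetectBufferTypeRegister` can return an error value is not visible in this hunk; if it can, the unchecked assignment to `g_tls_generic_list_id` should be guarded.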
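Review bot: `DetectSslStateMatch` gains a `txv` parameter that is neither documented nor used, and the doxygen block above it, of which only ` * \retval 0 No match.` is visible here, presumably lists the parameters; it should gain a `\param txv` line stating that the transaction pointer is unused because matching is performed on `alstate`. A short comment on the changed cast, such as `/* m is the keyword's DetectSslStateData, passed by the engine as the SigMatchCtx */`, would record why `m->ctx` became `m`. The body of `DetectSslStateMatch` continues outside the hunk.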
@@ -73,13 +74,14 @@ static void DetectSslVersionFree(void *);
 void DetectSslVersionRegister(void)
 {
 sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version";
- sigmatch_table[DETECT_AL_SSL_VERSION].Match = NULL;
- sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerMatch = DetectSslVersionMatch;
+ sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch;
 sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup;
 sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree;
 sigmatch_table[DETECT_AL_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests;
 DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
+
+ g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
 }
 /**
@@ -94,8 +96,8 @@ void DetectSslVersionRegister(void)
 * \retval 1 match
 */
 static int DetectSslVersionMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state,
- const Signature *s, const SigMatchData *m)
+ Flow *f, uint8_t flags, void *state, void *txv,
+ const Signature *s, const SigMatchCtx *m)
 {
 SCEnter();
@@ -103,7 +105,7 @@ static int DetectSslVersionMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
 uint16_t ver = 0;
 uint8_t sig_ver = TLS_UNKNOWN;
- const DetectSslVersionData *ssl = (const DetectSslVersionData *)m->ctx;
+ const DetectSslVersionData *ssl = (const DetectSslVersionData *)m;
 SSLState *app_state = (SSLState *)state;
 if (app_state == NULL) {
 SCLogDebug("no app state, no match");
@@ -298,7 +300,7 @@ static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
 sm->type = DETECT_AL_SSL_VERSION;
 sm->ctx = (void *)ssl;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
+ SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
 s->alproto = ALPROTO_TLS;
 return 0;
diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c
index ee7d2c1678..198bb6fae0 100644
--- a/src/detect-tls-version.c
+++ b/src/detect-tls-version.c
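Review bot: `g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");` repeats the list name as a bare string literal that has to match the one in detect-ssl-state.c byte for byte, because that file is the only one in this commit that registers an inspect engine for the list; a typo here would presumably register a separate, never-inspected list, and rules using `ssl_version` would stop firing with no error at load time. Factor the name into one shared definition in a header both files include, e.g. `#define DETECT_TLS_GENERIC_LIST_NAME "tls_generic"`, and add a comment at this call such as `/* shared with ssl_state/tls.version; the inspect engine is registered in detect-ssl-state.c */`. The identical line added to `DetectTlsVersionRegister` in detect-tls-version.c has the same exposure.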
@@ -60,11 +60,12 @@ static pcre *parse_regex;
 static pcre_extra *parse_regex_study;
 static int DetectTlsVersionMatch (ThreadVars *, DetectEngineThreadCtx *,
- Flow *, uint8_t, void *,
- const Signature *, const SigMatchData *);
+ Flow *, uint8_t, void *, void *,
+ const Signature *, const SigMatchCtx *);
 static int DetectTlsVersionSetup (DetectEngineCtx *, Signature *, char *);
 static void DetectTlsVersionRegisterTests(void);
 static void DetectTlsVersionFree(void *);
+static int g_tls_generic_list_id = 0;
 /**
 * \brief Registration function for keyword: tls.version
@@ -74,13 +75,14 @@ void DetectTlsVersionRegister (void)
 sigmatch_table[DETECT_AL_TLS_VERSION].name = "tls.version";
 sigmatch_table[DETECT_AL_TLS_VERSION].desc = "match on TLS/SSL version";
 sigmatch_table[DETECT_AL_TLS_VERSION].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsversion";
- sigmatch_table[DETECT_AL_TLS_VERSION].Match = NULL;
- sigmatch_table[DETECT_AL_TLS_VERSION].AppLayerMatch = DetectTlsVersionMatch;
+ sigmatch_table[DETECT_AL_TLS_VERSION].AppLayerTxMatch = DetectTlsVersionMatch;
 sigmatch_table[DETECT_AL_TLS_VERSION].Setup = DetectTlsVersionSetup;
 sigmatch_table[DETECT_AL_TLS_VERSION].Free = DetectTlsVersionFree;
 sigmatch_table[DETECT_AL_TLS_VERSION].RegisterTests = DetectTlsVersionRegisterTests;
 DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
+
+ g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
 }
 /**
@@ -95,12 +97,12 @@ void DetectTlsVersionRegister (void)
 * \retval 1 match
 */
 static int DetectTlsVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state,
- const Signature *s, const SigMatchData *m)
+ Flow *f, uint8_t flags, void *state, void *txv,
+ const Signature *s, const SigMatchCtx *m)
 {
 SCEnter();
- const DetectTlsVersionData *tls_data = (const DetectTlsVersionData *)m->ctx;
+ const DetectTlsVersionData *tls_data = (const DetectTlsVersionData *)m;
 SSLState *ssl_state = (SSLState *)state;
 if (ssl_state == NULL) {
 SCLogDebug("no tls state, no match");
@@ -237,7 +239,7 @@ static int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
 sm->type = DETECT_AL_TLS_VERSION;
 sm->ctx = (void *)tls;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
+ SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
 s->alproto = ALPROTO_TLS;
 return 0;