From: Mats Klepsland Date: Thu, 15 Nov 2018 21:50:57 +0000 (+0100) Subject: lua: add Ja3SGetHash function X-Git-Tag: suricata-5.0.0-rc1~469 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b1d5fe9657e6eb63e76c2855229f2dbafe980928;p=thirdparty%2Fsuricata.git lua: add Ja3SGetHash function Add Ja3SGetHash() to return the content of the JA3S hash buffer from the TLS session. Example: function init (args) local needs = {} needs["protocol"] = "tls" return needs end function setup (args) filename = SCLogPath() .. "/ja3s_hash.log" file = assert(io.open(filename, "a")) end function log (args) ja3s_hash = Ja3SGetHash() if ja3s_hash == nil then return end file:write(ja3s_hash .. "\n") file:flush() end function deinit (args) file:close() end In the example above, each JA3S hash is logged to a log file. --- diff --git a/src/util-lua-ja3.c b/src/util-lua-ja3.c index 7029e2f2c1..c538be5271 100644 --- a/src/util-lua-ja3.c +++ b/src/util-lua-ja3.c @@ -105,6 +105,29 @@ static int Ja3GetString(lua_State *luastate) ssl_state->client_connp.ja3_str->used); } +static int Ja3SGetHash(lua_State *luastate) +{ + if (!(LuaStateNeedProto(luastate, ALPROTO_TLS))) + return LuaCallbackError(luastate, "error: protocol is not tls"); + + Flow *f = LuaStateGetFlow(luastate); + if (f == NULL) + return LuaCallbackError(luastate, "internal error: no flow"); + + void *state = FlowGetAppState(f); + if (state == NULL) + return LuaCallbackError(luastate, "error: no app layer state"); + + SSLState *ssl_state = (SSLState *)state; + + if (ssl_state->server_connp.ja3_hash == NULL) + return LuaCallbackError(luastate, "error: no JA3S hash"); + + return LuaPushStringBuffer(luastate, + (uint8_t *)ssl_state->server_connp.ja3_hash, + strlen(ssl_state->server_connp.ja3_hash)); +} + /** *\brief Register JA3 Lua extensions */ int LuaRegisterJa3Functions(lua_State *luastate) { 
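Review bot: The final `LuaPushStringBuffer()` call in Ja3SGetHash sizes its output with `strlen(ssl_state->server_connp.ja3_hash)`, so it depends on `ja3_hash` always being NUL-terminated by the code that fills it, which this hunk does not show; the Ja3GetString return in the context lines passes an explicit `->used` length instead. I would record that invariant next to the call, for example `/* ja3_hash must be a NUL-terminated string; its length is taken with strlen() */`. The new function also has no header comment, unlike LuaRegisterJa3Functions below it; something like `/** \brief Lua callback: push the JA3S hash of the flow's TLS session, or a callback error when it is not available */` would state the contract that the script example in the commit message depends on. Whether the caller already holds the flow lock while `FlowGetAppState(f)` is read cannot be seen from here and is worth stating in that comment as well.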
@@ -114,6 +137,9 @@ int LuaRegisterJa3Functions(lua_State *luastate) lua_pushcfunction(luastate, Ja3GetString); lua_setglobal(luastate, "Ja3GetString"); + lua_pushcfunction(luastate, Ja3SGetHash); + lua_setglobal(luastate, "Ja3SGetHash"); + return 0; }