From: Mats Klepsland
Date: Wed, 21 Sep 2016 10:40:12 +0000 (+0200)
Subject: detect: add detect engine for tls validity keywords
X-Git-Tag: suricata-3.2beta1~281
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc8e0b3cf2a3b8ffc20f8c40832e31219d9fd4da;p=thirdparty%2Fsuricata.git
detect: add detect engine for tls validity keywords
Add detect engine for tls validity keywords (tls_cert_notbefore and tls_cert_notafter).
---
diff --git a/src/detect-engine-state.h b/src/detect-engine-state.h
index 7757ce8953..e079bedbca 100644
--- a/src/detect-engine-state.h
+++ b/src/detect-engine-state.h
@@ -90,8 +90,9 @@
 #define DE_STATE_FLAG_TLSSNI_INSPECT BIT_U32(24)
 #define DE_STATE_FLAG_TLSISSUER_INSPECT BIT_U32(25)
 #define DE_STATE_FLAG_TLSSUBJECT_INSPECT BIT_U32(26)
-#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(27)
-#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT BIT_U32(28)
+#define DE_STATE_FLAG_TLSVALIDITY_INSPECT BIT_U32(27)
+#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(28)
+#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT BIT_U32(29)
 /* state flags */
 #define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001
diff --git a/src/detect-engine-tls.c b/src/detect-engine-tls.c
index 1d3e8641b9..25891671d0 100644
--- a/src/detect-engine-tls.c
+++ b/src/detect-engine-tls.c
@@ -341,3 +341,13 @@ int DetectEngineInspectTlsSubject(ThreadVars *tv, DetectEngineCtx *de_ctx,
 return cnt;
 }
+
+int DetectEngineInspectTlsValidity(ThreadVars *tv, DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx, Signature *s,
+ Flow *f, uint8_t flags, void *alstate,
+ void *txv, uint64_t tx_id)
+{
+ return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, f, flags,
+ alstate, txv, tx_id,
+ DETECT_SM_LIST_TLSVALIDITY_MATCH);
+}
diff --git a/src/detect-engine-tls.h b/src/detect-engine-tls.h
index 547b637613..efcc111f7b 100644
--- a/src/detect-engine-tls.h
+++ b/src/detect-engine-tls.h
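Review bot: DetectEngineInspectTlsValidity in detect-engine-tls.c is added without a header comment, so a reader has to open DetectEngineInspectGenericList to learn which list it inspects and what its return value means. Suggest a Doxygen block above the definition: `/** \brief Inspect the tls validity list (tls_cert_notbefore / tls_cert_notafter) of signature \a s against transaction \a txv. Thin wrapper that forwards every argument to DetectEngineInspectGenericList with DETECT_SM_LIST_TLSVALIDITY_MATCH; the return value is whatever the generic inspector reports. */`. The same block, or a one-line form of it, belongs on the prototype added to detect-engine-tls.h in the next hunk.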
@@ -38,4 +38,9 @@ int DetectEngineInspectTlsSubject(ThreadVars *tv, DetectEngineCtx *de_ctx,
 Signature *s, Flow *f, uint8_t flags,
 void *alstate, void *txv, uint64_t tx_id);
+int DetectEngineInspectTlsValidity(ThreadVars *tv, DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ Signature *s, Flow *f, uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id);
+
 #endif /* __DETECT_ENGINE_TLS_H__ */
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 5ba049f89f..638ebf0702 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -377,6 +377,12 @@ void DetectEngineRegisterAppInspectionEngines(void)
 DE_STATE_FLAG_TLSSUBJECT_INSPECT,
 1,
 DetectEngineInspectTlsSubject },
+ { IPPROTO_TCP,
+ ALPROTO_TLS,
+ DETECT_SM_LIST_TLSVALIDITY_MATCH,
+ DE_STATE_FLAG_TLSVALIDITY_INSPECT,
+ 1,
+ DetectEngineInspectTlsValidity },
 /* specifically for UDP, register again
 * allows us to use the alproto w/o translation
 * in the detection engine */
@@ -2808,6 +2814,8 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
 return "tls issuer";
 case DETECT_SM_LIST_TLSSUBJECT_MATCH:
 return "tls subject";
+ case DETECT_SM_LIST_TLSVALIDITY_MATCH:
+ return "tls validity";
 case DETECT_SM_LIST_MODBUS_MATCH:
 return "modbus";
diff --git a/src/detect-parse.c b/src/detect-parse.c
index c9373c21d6..ca1a238afb 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -167,6 +167,7 @@ const char *DetectListToHumanString(int list)
 CASE_CODE_STRING(DETECT_SM_LIST_TLSSNI_MATCH, "tls_sni");
 CASE_CODE_STRING(DETECT_SM_LIST_TLSISSUER_MATCH, "tls_cert_issuer");
 CASE_CODE_STRING(DETECT_SM_LIST_TLSSUBJECT_MATCH, "tls_cert_subject");
+ CASE_CODE_STRING(DETECT_SM_LIST_TLSVALIDITY_MATCH, "tls_cert_validity");
 CASE_CODE_STRING(DETECT_SM_LIST_MODBUS_MATCH, "modbus");
 CASE_CODE_STRING(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH, "template");
 CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch");
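Review bot: The new entry in DetectEngineRegisterAppInspectionEngines copies the bare `1` direction field from the tls_cert_subject entry above it, and that number is the only thing telling a reader which side of the flow this engine inspects. DetectTlsValidityMatch, later in this commit, still branches on `flags` to pick client_connp or server_connp, which suggests only one of those branches is reachable through an engine registered for a single direction. If `1` is the to-client direction, as the certificate-bearing side would imply, a comment on the entry such as `/* dir 1: server (to-client) side, where the certificate is seen */` or a named constant would make the contract explicit. The enclosing table starts well before this hunk.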
@@ -210,6 +211,7 @@ const char *DetectListToString(int list)
 CASE_CODE(DETECT_SM_LIST_TLSSNI_MATCH);
 CASE_CODE(DETECT_SM_LIST_TLSISSUER_MATCH);
 CASE_CODE(DETECT_SM_LIST_TLSSUBJECT_MATCH);
+ CASE_CODE(DETECT_SM_LIST_TLSVALIDITY_MATCH);
 CASE_CODE(DETECT_SM_LIST_MODBUS_MATCH);
 CASE_CODE(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH);
 CASE_CODE(DETECT_SM_LIST_POSTMATCH);
@@ -1587,6 +1589,8 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
 sig->flags |= SIG_FLAG_STATE_MATCH;
 if (sig->sm_lists[DETECT_SM_LIST_TLSSUBJECT_MATCH])
 sig->flags |= SIG_FLAG_STATE_MATCH;
+ if (sig->sm_lists[DETECT_SM_LIST_TLSVALIDITY_MATCH])
+ sig->flags |= SIG_FLAG_STATE_MATCH;
 if (sig->sm_lists[DETECT_SM_LIST_MODBUS_MATCH])
 sig->flags |= SIG_FLAG_STATE_MATCH;
diff --git a/src/detect-tls-cert-validity.c b/src/detect-tls-cert-validity.c
index 15d612fb5d..702f53f09c 100644
--- a/src/detect-tls-cert-validity.c
+++ b/src/detect-tls-cert-validity.c
@@ -57,7 +57,9 @@ static pcre *parse_regex;
 static pcre_extra *parse_regex_study;
 static int DetectTlsValidityMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
- uint8_t, void *, Signature *, SigMatch *);
+ uint8_t, void *, void *, const Signature *,
+ const SigMatchCtx *);
+
 static time_t DateStringToEpoch (char *);
 static DetectTlsValidityData *DetectTlsValidityParse (char *);
 static int DetectTlsNotBeforeSetup (DetectEngineCtx *, Signature *s, char *str);
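Review bot: The added `if (sig->sm_lists[DETECT_SM_LIST_TLSVALIDITY_MATCH]) sig->flags |= SIG_FLAG_STATE_MATCH;` in SigInitHelper is another copy of a two-line pattern that already repeats for the surrounding lists, and each new list also needs a parallel edit in DetectEngineRegisterAppInspectionEngines, DetectSigmatchListEnumToString and DetectListToHumanString (earlier hunks of this commit); a list forgotten in any one of them is a silent mismatch rather than a compile error. Replacing this chain with a loop over a small static table of the state-match list ids would reduce the next addition here to one line, and the same table could drive the registration so the list and its inspection engine cannot drift apart. If the chain stays, a short comment naming the invariant, `/* every list that has an app inspection engine must set SIG_FLAG_STATE_MATCH here */`, would at least tell the next author what to keep in sync. SigInitHelper begins and ends outside this hunk.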
@@ -76,7 +78,7 @@ void DetectTlsValidityRegister (void)
 sigmatch_table[DETECT_AL_TLS_NOTBEFORE].desc = "match TLS certificate notBefore field";
 sigmatch_table[DETECT_AL_TLS_NOTBEFORE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsnotbefore";
 sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Match = NULL;
- sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerMatch = DetectTlsValidityMatch;
+ sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerTxMatch = DetectTlsValidityMatch;
 sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Setup = DetectTlsNotBeforeSetup;
 sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Free = DetectTlsValidityFree;
 sigmatch_table[DETECT_AL_TLS_NOTBEFORE].RegisterTests = TlsNotBeforeRegisterTests;
@@ -85,7 +87,7 @@ void DetectTlsValidityRegister (void)
 sigmatch_table[DETECT_AL_TLS_NOTAFTER].desc = "match TLS certificate notAfter field";
 sigmatch_table[DETECT_AL_TLS_NOTAFTER].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsnotafter";
 sigmatch_table[DETECT_AL_TLS_NOTAFTER].Match = NULL;
- sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerMatch = DetectTlsValidityMatch;
+ sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerTxMatch = DetectTlsValidityMatch;
 sigmatch_table[DETECT_AL_TLS_NOTAFTER].Setup = DetectTlsNotAfterSetup;
 sigmatch_table[DETECT_AL_TLS_NOTAFTER].Free = DetectTlsValidityFree;
 sigmatch_table[DETECT_AL_TLS_NOTAFTER].RegisterTests = TlsNotAfterRegisterTests;
@@ -110,7 +112,9 @@ void DetectTlsValidityRegister (void)
 * \retval 1 match.
 */
 static int DetectTlsValidityMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state,
+ Flow *f, uint8_t flags, void *state,
+ void *txv, const Signature *s,
+ const SigMatchCtx *ctx)
 {
 SCEnter();
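Review bot: The new `txv` parameter of DetectTlsValidityMatch is not used anywhere in the lines this commit touches; the following hunk still derives the connection from the flow-level `state` (`connp = &ssl_state->server_connp;`), so the function now receives the transaction but keeps reading the app-layer state. For TLS these may be the same object (one SSLState per flow), in which case a comment on the signature, `/* TLS has one tx per flow: txv and state both refer to the SSLState */`, should record that assumption; otherwise `txv` is the pointer that should be dereferenced now that the keyword is registered through AppLayerTxMatch. The Doxygen block above the signature, of which only `\retval 1 match.` is in the hunk, presumably still documents the removed `m` parameter and should gain `\param txv` and `\param ctx` entries. The function body continues past the hunk.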
@@ -128,7 +132,7 @@ static int DetectTlsValidityMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx
 else
 connp = &ssl_state->server_connp;
- const DetectTlsValidityData *dd = (const DetectTlsValidityData *)m->ctx;
+ const DetectTlsValidityData *dd = (const DetectTlsValidityData *)ctx;
 time_t cert_epoch = 0;
 if (dd->type == DETECT_TLS_TYPE_NOTBEFORE)
@@ -451,7 +455,7 @@ static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
 s->flags |= SIG_FLAG_APPLAYER;
 s->alproto = ALPROTO_TLS;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
+ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TLSVALIDITY_MATCH);
 return 0;
diff --git a/src/detect.h b/src/detect.h
index 05870f3642..f9754ff94e 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -127,6 +127,7 @@ enum DetectSigmatchListEnum {
 DETECT_SM_LIST_TLSSNI_MATCH,
 DETECT_SM_LIST_TLSISSUER_MATCH,
 DETECT_SM_LIST_TLSSUBJECT_MATCH,
+ DETECT_SM_LIST_TLSVALIDITY_MATCH,
 DETECT_SM_LIST_MODBUS_MATCH,
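Review bot: DetectTlsValiditySetup still writes `s->alproto = ALPROTO_TLS;` unconditionally right before the SigMatch is appended to the new per-keyword list, so a rule that already bound a different app-layer protocol is silently rebound to TLS instead of being rejected at load time. Unless the start of the function, which is outside this hunk, already does so, add before the SigMatch is allocated (so nothing has to be freed on the error path): `if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); return -1; }`. Moving the keyword to its own list also makes this the natural place for a one-line comment saying the list is inspected by DetectEngineInspectTlsValidity. The function begins and ends outside the hunk.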