From: Mats Klepsland
Date: Mon, 27 Aug 2018 08:13:00 +0000 (+0200)
Subject: detect-tls-version: add support for 'raw' matching
X-Git-Tag: suricata-4.1.0-rc2~88
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df9853b75cb30c12a7373b1fcd59fbcb738d778a;p=thirdparty%2Fsuricata.git

detect-tls-version: add support for 'raw' matching

Add support for matching a 'raw' TLS version using a hex string, e.g:

tls.version:0x7f12;

The above example matches TLSv1.3 draft 16.
---

diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c
index 4b994422a0..cc513e4b89 100644
--- a/src/detect-tls-version.c
+++ b/src/detect-tls-version.c
@@ -121,9 +121,11 @@ static int DetectTlsVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
         SCLogDebug("client (toserver) version is 0x%02X", version);
     }
 
-    /* Match all TLSv1.3 drafts as TLSv1.3 */
-    if (((version >> 8) & 0xff) == 0x7f) {
-        version = TLS_VERSION_13;
+    if ((tls_data->flags & DETECT_TLS_VERSION_FLAG_RAW) == 0) {
+        /* Match all TLSv1.3 drafts as TLSv1.3 */
+        if (((version >> 8) & 0xff) == 0x7f) {
+            version = TLS_VERSION_13;
+        }
     }
 
     if (tls_data->ver == version) {
@@ -168,7 +170,7 @@ static DetectTlsVersionData *DetectTlsVersionParse (const char *str)
     }
 
     /* We have a correct id option */
-    tls = SCMalloc(sizeof(DetectTlsVersionData));
+    tls = SCCalloc(1, sizeof(DetectTlsVersionData));
     if (unlikely(tls == NULL))
         goto error;
 
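Review bot: The new outer guard in DetectTlsVersionMatch carries no comment saying why draft folding is skipped, and the inner comment still reads as if folding were unconditional; add above the `if ((tls_data->flags & DETECT_TLS_VERSION_FLAG_RAW) == 0) {` line a comment such as `/* a raw keyword (tls.version:0x....) is compared to the wire value as-is; only the symbolic 1.3 keyword folds the 0x7fXX draft versions */`. The head and tail of the match function lie outside the hunk.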
@@ -185,14 +187,17 @@ static DetectTlsVersionData *DetectTlsVersionParse (const char *str)
         tmp_str += 1;
     }
 
-    if (strcmp("1.0", tmp_str) == 0) {
+    if (strncmp("1.0", tmp_str, 3) == 0) {
         temp = TLS_VERSION_10;
-    } else if (strcmp("1.1", tmp_str) == 0) {
+    } else if (strncmp("1.1", tmp_str, 3) == 0) {
         temp = TLS_VERSION_11;
-    } else if (strcmp("1.2", tmp_str) == 0) {
+    } else if (strncmp("1.2", tmp_str, 3) == 0) {
         temp = TLS_VERSION_12;
-    } else if (strcmp("1.3", tmp_str) == 0) {
+    } else if (strncmp("1.3", tmp_str, 3) == 0) {
         temp = TLS_VERSION_13;
+    } else if ((strncmp("0x", tmp_str, 2) == 0) && (strlen(str) == 6)) {
+        temp = (uint16_t)strtol(tmp_str, NULL, 0);
+        tls->flags |= DETECT_TLS_VERSION_FLAG_RAW;
     } else {
         SCLogError(SC_ERR_INVALID_VALUE, "Invalid value");
         SCFree(orig);
diff --git a/src/detect-tls-version.h b/src/detect-tls-version.h
index c4dd16925e..fa808f3940 100644
--- a/src/detect-tls-version.h
+++ b/src/detect-tls-version.h
@@ -24,8 +24,11 @@
 #ifndef __DETECT_TLS_VERSION_H__
 #define __DETECT_TLS_VERSION_H__
 
+#define DETECT_TLS_VERSION_FLAG_RAW BIT_U8(0)
+
 typedef struct DetectTlsVersionData_ {
     uint16_t ver; /** tls version to match */
+    uint8_t flags;
 } DetectTlsVersionData;
 
 /* prototypes */
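Review bot: The raw branch in DetectTlsVersionParse checks the length of `str` but parses `tmp_str`, and `strtol(tmp_str, NULL, 0)` silently accepts any valid prefix, so a value like `0x7fzz` (constructed) is stored as 0x007f with the RAW flag set instead of being rejected; if the `tmp_str += 1` at the top of the hunk skips a leading character (a quote, presumably), the two lengths also disagree for such input. Validating the digits and the length on the string actually parsed lets malformed input fall into the existing else branch: `} else if ((strncmp("0x", tmp_str, 2) == 0) && (strlen(tmp_str) == 6) && (strspn(tmp_str + 2, "0123456789abcdefABCDEF") == 4)) {` followed by `temp = (uint16_t)strtol(tmp_str, NULL, 16);`. The strcmp-to-strncmp(…, 3) change on the symbolic versions is a separate loosening unrelated to raw support: `1.0x` now matches as TLS 1.0 where it was previously an error, so if that is not intended, keep `strcmp` there. The rest of the parse function's error handling continues outside the hunk.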
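Review bot: The new `flags` member of DetectTlsVersionData is undocumented while its sibling `ver` carries a comment; write `uint8_t flags; /** DETECT_TLS_VERSION_FLAG_* bits; RAW means ver is compared to the wire value with no draft folding */`. Since the struct's meaning now depends on unset bits reading as zero, a one-line note next to the `#define DETECT_TLS_VERSION_FLAG_RAW BIT_U8(0)` that instances must be zero-initialized (the parser uses SCCalloc) would keep a future allocation site from reintroducing an uninitialized read.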