From: Mats Klepsland Date: Sat, 24 Mar 2018 22:16:40 +0000 (+0100) Subject: detect-tls-ja3-hash: add setup callback to lowercase content X-Git-Tag: suricata-4.1.0-rc1~97 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f36d578ee0b0582e7750d287ebe4263d3164272c;p=thirdparty%2Fsuricata.git detect-tls-ja3-hash: add setup callback to lowercase content Add setup callback that lowercase the content that follows 'ja3_hash'.
---
diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c
index ab9af80fa7..5f39062f30 100644
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
@@ -64,6 +64,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, const int list_id);
+static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
+ Signature *s);
 static _Bool DetectTlsJa3HashValidateCallback(const Signature *s, const char **sigerror);
 static int g_tls_ja3_hash_buffer_id = 0;
@@ -91,6 +93,9 @@ void DetectTlsJa3HashRegister(void)
 DetectBufferTypeSetDescriptionByName("ja3_hash", "TLS JA3 hash");
+ DetectBufferTypeRegisterSetupCallback("ja3_hash",
+ DetectTlsJa3HashSetupCallback);
+
 DetectBufferTypeRegisterValidateCallback("ja3_hash", DetectTlsJa3HashValidateCallback);
@@ -176,6 +181,36 @@ static _Bool DetectTlsJa3HashValidateCallback(const Signature *s,
 return TRUE;
 }
+static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
+ Signature *s)
+{
+ SigMatch *sm = s->init_data->smlists[g_tls_ja3_hash_buffer_id];
+ for ( ; sm != NULL; sm = sm->next)
+ {
+ if (sm->type != DETECT_CONTENT)
+ continue;
+
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+ _Bool changed = FALSE;
+ uint32_t u;
+ for (u = 0; u < cd->content_len; u++)
+ {
+ if (isupper(cd->content[u])) {
+ cd->content[u] = tolower(cd->content[u]);
+ changed = TRUE;
+ }
+ }
+
+ /* recreate the context if changes were made */
+ if (changed) {
+ SpmDestroyCtx(cd->spm_ctx);
+ cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
+ de_ctx->spm_global_thread_ctx);
+ }
+ }
+}
+
 #ifndef HAVE_NSS
 static void DetectTlsJa3HashRegisterTests(void)
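Review bot: In the `if (changed)` block of DetectTlsJa3HashSetupCallback the old search context is destroyed before the new one exists, and the result of `SpmInitCtx()` is stored into `cd->spm_ctx` without a NULL check. SpmInitCtx is not defined in this diff, but if it can fail, a rule written with upper-case hex is left with no usable matcher, and because the callback returns `void` the signature cannot be rejected, so the outcome is either a NULL dereference at inspection time or a JA3 rule that silently never fires. Build the replacement first and swap only on success, `SpmCtx *nctx = SpmInitCtx(cd->content, cd->content_len, 1, de_ctx->spm_global_thread_ctx);` followed by `if (nctx != NULL) { SpmDestroyCtx(cd->spm_ctx); cd->spm_ctx = nctx; }`, and log the failure in the else branch. The bare `1` in that call (presumably the nocase flag) deserves a short comment saying why the lowercased pattern is rebuilt with that setting rather than the one the content was originally parsed with. A header comment on the function, such as `/* Lowercase ja3_hash content at setup time so upper-case hex in a rule still matches. */`, would also help.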