From: Mats Klepsland Date: Fri, 16 Mar 2018 21:39:17 +0000 (+0100) Subject: detect-tls-sni: use *_Register2 API functions X-Git-Tag: suricata-4.1.0-beta1~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3304%2Fhead;p=thirdparty%2Fsuricata.git detect-tls-sni: use *_Register2 API functions Use *_Register2 API functions when registering 'tls_sni' detection keyword.
---
diff --git a/src/detect-engine-tls.c b/src/detect-engine-tls.c
index 5039b16df6..9a4313f24c 100644
--- a/src/detect-engine-tls.c
+++ b/src/detect-engine-tls.c
@@ -47,82 +47,6 @@
 #include "util-unittest-helper.h"
 #include "util-validate.h"
-/** \brief TLS SNI Mpm prefilter callback
- *
- * \param det_ctx detection engine thread ctx
- * \param p packet to inspect
- * \param f flow to inspect
- * \param txv tx to inspect
- * \param pectx inspection context
- */
-static void PrefilterTxTlsSni(DetectEngineThreadCtx *det_ctx, const void *pectx,
- Packet *p, Flow *f, void *txv,
- const uint64_t idx, const uint8_t flags)
-{
- SCEnter();
-
- const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
- SSLState *ssl_state = f->alstate;
-
- if (ssl_state->client_connp.sni == NULL)
- return;
-
- const uint8_t *buffer = (uint8_t *)ssl_state->client_connp.sni;
- const uint32_t buffer_len = strlen(ssl_state->client_connp.sni);
-
- if (buffer_len >= mpm_ctx->minlen) {
- (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
- &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
- }
-}
-
-int PrefilterTxTlsSniRegister(DetectEngineCtx *de_ctx,
- SigGroupHead *sgh, MpmCtx *mpm_ctx)
-{
- SCEnter();
-
- return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxTlsSni,
- ALPROTO_TLS, 0, // TODO a special 'cert ready' state might be good to add
- mpm_ctx, NULL, "tls_sni");
-}
-
-/** \brief Do the content inspection and validation for a signature
- *
- * \param de_ctx Detection engine context
- * \param det_ctx Detection engine thread context
- * \param s Signature to inspect
- * \param sm SigMatch to inspect
- * \param f Flow
- * \param flags App layer flags
- * \param state App layer state
- *
- * \retval 0 No match
- * \retval 1 Match
- */
-int DetectEngineInspectTlsSni(ThreadVars *tv,
- DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
- const Signature *s, const SigMatchData *smd,
- Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
-{
- uint8_t *buffer;
- uint16_t buffer_len;
- int cnt = 0;
-
- SSLState *ssl_state = (SSLState *)alstate;
-
- if (ssl_state->client_connp.sni == NULL)
- return 0;
-
- buffer = (uint8_t *)ssl_state->client_connp.sni;
- buffer_len = strlen(ssl_state->client_connp.sni);
-
- cnt = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
- f, buffer, buffer_len, 0, DETECT_CI_FLAGS_SINGLE,
- DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
-
- return cnt;
-}
-
 int DetectEngineInspectTlsValidity(ThreadVars *tv,
 DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
 const Signature *s, const SigMatchData *smd,
diff --git a/src/detect-engine-tls.h b/src/detect-engine-tls.h
index 76e4e88856..63d9c77cae 100644
--- a/src/detect-engine-tls.h
+++ b/src/detect-engine-tls.h
@@ -23,14 +23,6 @@
 #ifndef __DETECT_ENGINE_TLS_H__
 #define __DETECT_ENGINE_TLS_H__
-int PrefilterTxTlsSniRegister(DetectEngineCtx *de_ctx,
- SigGroupHead *sgh, MpmCtx *mpm_ctx);
-
-int DetectEngineInspectTlsSni(ThreadVars *tv,
- DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
- const Signature *s, const SigMatchData *smd,
- Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
-
 int DetectEngineInspectTlsValidity(ThreadVars *tv,
 DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
 const Signature *s, const SigMatchData *smd,
diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c
index 9b490092ad..ab7f94c82e 100644
--- a/src/detect-tls-sni.c
+++ b/src/detect-tls-sni.c
@@ -48,7 +48,7 @@
 #include "app-layer.h"
 #include "app-layer-ssl.h"
-#include "detect-engine-tls.h"
+#include "detect-engine-prefilter.h"
 #include "detect-tls-sni.h"
 #include "util-unittest.h"
@@ -56,6 +56,10 @@
 static int DetectTlsSniSetup(DetectEngineCtx *, Signature *, const char *);
 static void DetectTlsSniRegisterTests(void);
+static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms,
+ Flow *_f, const uint8_t _flow_flags,
+ void *txv, const int list_id);
 static int g_tls_sni_buffer_id = 0;
 /**
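Review bot: The new `GetData` prototype names the flow parameter `_f`, which by the leading-underscore convention used for `_flow_flags` signals an unused argument, yet the definition in hunk `@@ -95,11 +101,35 @@` dereferences it as `_f->alstate`. Naming it `f` in both the prototype and the definition keeps the underscore meaningful for the reader, i.e. `Flow *f, const uint8_t _flow_flags,` here and `const DetectEngineTransforms *transforms, Flow *f,` in the definition. Conversely `txv` is never read in the definition, so for consistency it could carry the same marker (`void *_txv`) or be documented as intentionally unused.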
@@ -73,12 +77,14 @@ void DetectTlsSniRegister(void)
 sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT;
- DetectAppLayerMpmRegister("tls_sni", SIG_FLAG_TOSERVER, 2,
- PrefilterTxTlsSniRegister);
+ DetectAppLayerInspectEngineRegister2("tls_sni", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
+ DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerInspectEngineRegister("tls_sni",
- ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectTlsSni);
+ DetectAppLayerMpmRegister2("tls_sni", SIG_FLAG_TOSERVER, 2,
+ PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
+
+ DetectBufferTypeSetDescriptionByName("tls_sni",
+ "TLS Server Name Indication (SNI) extension");
 g_tls_sni_buffer_id = DetectBufferTypeGetByName("tls_sni");
 }
@@ -95,11 +101,35 @@ void DetectTlsSniRegister(void)
 */
 static int DetectTlsSniSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
 {
- s->init_data->list = g_tls_sni_buffer_id;
+ DetectBufferSetActiveList(s, g_tls_sni_buffer_id);
 s->alproto = ALPROTO_TLS;
 return 0;
 }
+static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f,
+ const uint8_t _flow_flags, void *txv, const int list_id)
+{
+ BUG_ON(det_ctx->inspect_buffers == NULL);
+ InspectionBuffer *buffer = &det_ctx->inspect_buffers[list_id];
+
+ if (buffer->inspect == NULL) {
+ SSLState *ssl_state = (SSLState *)_f->alstate;
+
+ if (ssl_state->client_connp.sni == NULL) {
+ return NULL;
+ }
+
+ const uint32_t data_len = strlen(ssl_state->client_connp.sni);
+ const uint8_t *data = (uint8_t *)ssl_state->client_connp.sni;
+
+ InspectionBufferSetup(buffer, data, data_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+
+ return buffer;
+}
+
 #ifdef UNITTESTS
 /**
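Review bot: `GetData` casts `_f->alstate` to `SSLState *` and dereferences it with no NULL check, on the first line inside `if (buffer->inspect == NULL)`; the removed `DetectEngineInspectTlsSni` and `PrefilterTxTlsSni` made the same assumption through `alstate`/`f->alstate`, so presumably the generic inspect and prefilter engines only invoke the callback once the TLS state exists, but that precondition is now implicit in a callback shared by two registration paths and deserves a comment such as `/* engine only calls us for ALPROTO_TLS flows with alstate set */`. The function also lacks the `\brief` Doxygen header the rest of this file uses; it should say that the buffer is built from the ClientHello SNI, cached in `det_ctx->inspect_buffers[list_id]` across calls for the same packet, and that NULL is returned (and nothing cached) while no SNI has been parsed. `strlen()` returns `size_t` and is narrowed into `const uint32_t data_len`; the SNI string is produced by the TLS parser and so is bounded in practice, but a one-line note on why `uint32_t` is the intended width (presumably what `InspectionBufferSetup` takes) would save the next reader the question.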