From 6cf4c3c26e41e755cf30e67fc5aac0e43e134e9c Mon Sep 17 00:00:00 2001
From: Mats Klepsland <mats.klepsland@gmail.com>
Date: Sat, 24 Mar 2018 00:34:49 +0100
Subject: [PATCH] detect-tls-cert-serial: add setup callback to uppercase
 content

Add setup callback that uppercase the content that follows
'tls_cert_serial'.
---
 src/detect-tls-cert-serial.c | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/src/detect-tls-cert-serial.c b/src/detect-tls-cert-serial.c
index 6514ac5ef0..17a2e340e1 100644
--- a/src/detect-tls-cert-serial.c
+++ b/src/detect-tls-cert-serial.c
@@ -60,6 +60,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
         const DetectEngineTransforms *transforms,
         Flow *_f, const uint8_t _flow_flags,
         void *txv, const int list_id);
+static void DetectTlsSerialSetupCallback(const DetectEngineCtx *de_ctx,
+        Signature *s);
 static _Bool DetectTlsSerialValidateCallback(const Signature *s,
         const char **sigerror);
 static int g_tls_cert_serial_buffer_id = 0;
@@ -90,6 +92,9 @@ void DetectTlsSerialRegister(void)
     DetectBufferTypeSetDescriptionByName("tls_cert_serial",
             "TLS certificate serial number");
 
+    DetectBufferTypeRegisterSetupCallback("tls_cert_serial",
+            DetectTlsSerialSetupCallback);
+
     DetectBufferTypeRegisterValidateCallback("tls_cert_serial",
             DetectTlsSerialValidateCallback);
 
@@ -170,6 +175,36 @@ static _Bool DetectTlsSerialValidateCallback(const Signature *s,
     return TRUE;
 }
 
+static void DetectTlsSerialSetupCallback(const DetectEngineCtx *de_ctx,
+                                         Signature *s)
+{
+    SigMatch *sm = s->init_data->smlists[g_tls_cert_serial_buffer_id];
+    for ( ; sm != NULL; sm = sm->next)
+    {
+        if (sm->type != DETECT_CONTENT)
+            continue;
+
+        DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+        _Bool changed = FALSE;
+        uint32_t u;
+        for (u = 0; u < cd->content_len; u++)
+        {
+            if (islower(cd->content[u])) {
+                cd->content[u] = toupper(cd->content[u]);
+                changed = TRUE;
+            }
+        }
+
+        /* recreate the context if changes were made */
+        if (changed) {
+            SpmDestroyCtx(cd->spm_ctx);
+            cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
+                                     de_ctx->spm_global_thread_ctx);
+        }
+    }
+}
+
 #ifdef UNITTESTS
 
 /**
-- 
2.47.2