const char **sigerror);
static int g_tls_ja3_hash_buffer_id = 0;
-static InspectionBuffer *GetJa3Data(DetectEngineThreadCtx *det_ctx,
- const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
- const int list_id)
-{
- InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
- if (buffer->inspect == NULL) {
- uint32_t b_len = 0;
- const uint8_t *b = NULL;
-
- if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
- return NULL;
- if (b == NULL || b_len == 0)
- return NULL;
-
- uint8_t ja3_hash[SC_MD5_HEX_LEN + 1];
- // this adds a final zero
- SCMd5HashBufferToHex(b, b_len, ja3_hash, SC_MD5_HEX_LEN + 1);
-
- InspectionBufferSetup(det_ctx, list_id, buffer, ja3_hash, SC_MD5_HEX_LEN);
- InspectionBufferApplyTransforms(buffer, transforms);
- }
- return buffer;
-}
-
/**
* \brief Registration function for keyword: ja3_hash
*/
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
DetectAppLayerMpmRegister2("ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
- GetJa3Data, ALPROTO_QUIC, 1);
+ Ja3DetectGetHash, ALPROTO_QUIC, 1);
DetectAppLayerInspectEngineRegister2("ja3.hash", ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1,
- DetectEngineInspectBufferGeneric, GetJa3Data);
+ DetectEngineInspectBufferGeneric, Ja3DetectGetHash);
DetectBufferTypeSetDescriptionByName("ja3.hash", "TLS JA3 hash");
void *txv, const int list_id);
static int g_tls_ja3_str_buffer_id = 0;
-static InspectionBuffer *GetJa3Data(DetectEngineThreadCtx *det_ctx,
- const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
- const int list_id)
-{
- InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
- if (buffer->inspect == NULL) {
- uint32_t b_len = 0;
- const uint8_t *b = NULL;
-
- if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
- return NULL;
- if (b == NULL || b_len == 0)
- return NULL;
-
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(buffer, transforms);
- }
- return buffer;
-}
-
/**
* \brief Registration function for keyword: ja3.string
*/
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
DetectAppLayerMpmRegister2("ja3.string", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
- GetJa3Data, ALPROTO_QUIC, 1);
+ Ja3DetectGetString, ALPROTO_QUIC, 1);
DetectAppLayerInspectEngineRegister2("ja3.string", ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1,
- DetectEngineInspectBufferGeneric, GetJa3Data);
+ DetectEngineInspectBufferGeneric, Ja3DetectGetString);
DetectBufferTypeSetDescriptionByName("ja3.string", "TLS JA3 string");
const char **sigerror);
static int g_tls_ja3s_hash_buffer_id = 0;
-static InspectionBuffer *GetJa3Data(DetectEngineThreadCtx *det_ctx,
- const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
- const int list_id)
-{
- InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
- if (buffer->inspect == NULL) {
- uint32_t b_len = 0;
- const uint8_t *b = NULL;
-
- if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
- return NULL;
- if (b == NULL || b_len == 0)
- return NULL;
-
- uint8_t ja3_hash[SC_MD5_HEX_LEN + 1];
- // this adds a final zero
- SCMd5HashBufferToHex(b, b_len, ja3_hash, SC_MD5_HEX_LEN + 1);
-
- InspectionBufferSetup(det_ctx, list_id, buffer, ja3_hash, SC_MD5_HEX_LEN);
- InspectionBufferApplyTransforms(buffer, transforms);
- }
- return buffer;
-}
-
/**
* \brief Registration function for keyword: ja3s.hash
*/
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
DetectAppLayerMpmRegister2("ja3s.hash", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
- GetJa3Data, ALPROTO_QUIC, 1);
+ Ja3DetectGetHash, ALPROTO_QUIC, 1);
DetectAppLayerInspectEngineRegister2("ja3s.hash", ALPROTO_QUIC, SIG_FLAG_TOCLIENT, 1,
- DetectEngineInspectBufferGeneric, GetJa3Data);
+ DetectEngineInspectBufferGeneric, Ja3DetectGetHash);
DetectBufferTypeSetDescriptionByName("ja3s.hash", "TLS JA3S hash");
void *txv, const int list_id);
static int g_tls_ja3s_str_buffer_id = 0;
-static InspectionBuffer *GetJa3Data(DetectEngineThreadCtx *det_ctx,
- const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
- const int list_id)
-{
- InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
- if (buffer->inspect == NULL) {
- uint32_t b_len = 0;
- const uint8_t *b = NULL;
-
- if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
- return NULL;
- if (b == NULL || b_len == 0)
- return NULL;
-
- InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
- InspectionBufferApplyTransforms(buffer, transforms);
- }
- return buffer;
-}
-
/**
* \brief Registration function for keyword: ja3s.string
*/
PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);
DetectAppLayerMpmRegister2("ja3s.string", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
- GetJa3Data, ALPROTO_QUIC, 1);
+ Ja3DetectGetString, ALPROTO_QUIC, 1);
DetectAppLayerInspectEngineRegister2("ja3s.string", ALPROTO_QUIC, SIG_FLAG_TOCLIENT, 1,
- DetectEngineInspectBufferGeneric, GetJa3Data);
+ DetectEngineInspectBufferGeneric, Ja3DetectGetString);
DetectBufferTypeSetDescriptionByName("ja3s.string", "TLS JA3S string");
#include "util-validate.h"
#include "util-ja3.h"
+#include "detect-engine.h"
+
#define MD5_STRING_LENGTH 33
/**
return 0;
}
+
+InspectionBuffer *Ja3DetectGetHash(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+ const int list_id)
+{
+ InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+ if (buffer->inspect == NULL) {
+ uint32_t b_len = 0;
+ const uint8_t *b = NULL;
+
+ if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
+ return NULL;
+ if (b == NULL || b_len == 0)
+ return NULL;
+
+ uint8_t ja3_hash[SC_MD5_HEX_LEN + 1];
+ // this adds a final zero
+ SCMd5HashBufferToHex(b, b_len, (char *)ja3_hash, SC_MD5_HEX_LEN + 1);
+
+ InspectionBufferSetup(det_ctx, list_id, buffer, ja3_hash, SC_MD5_HEX_LEN);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+ return buffer;
+}
+
+InspectionBuffer *Ja3DetectGetString(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+ const int list_id)
+{
+ InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+ if (buffer->inspect == NULL) {
+ uint32_t b_len = 0;
+ const uint8_t *b = NULL;
+
+ if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
+ return NULL;
+ if (b == NULL || b_len == 0)
+ return NULL;
+
+ InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+ return buffer;
+}
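Review bot: In Ja3DetectGetHash, `ja3_hash` is a stack array local to the `if` block, and its address is passed to `InspectionBufferSetup` before the function returns `buffer`. InspectionBufferSetup's body is not in this diff, but if it stores the caller's pointer rather than copying (which I believe is how the detect engine behaves), then with no transforms configured the returned buffer points at a dead stack frame. In that case ja3.hash and ja3s.hash matching on QUIC would read stale memory. The pattern is carried over unchanged from the removed GetJa3Data copies, so consolidating here is a good moment to fix it once: `InspectionBufferSetup(det_ctx, list_id, buffer, NULL, 0);` followed by `InspectionBufferCopy(buffer, ja3_hash, SC_MD5_HEX_LEN);`. Ja3DetectGetString is not affected in the same way, since it passes the pointer returned by `rs_quic_tx_get_ja3` rather than a local.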
#define JA3_BUFFER_INITIAL_SIZE 128
+#include "detect.h"
+
typedef struct JA3Buffer_ {
char *data;
size_t size;
char *Ja3GenerateHash(JA3Buffer *);
int Ja3IsDisabled(const char *);
+InspectionBuffer *Ja3DetectGetHash(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+ const int list_id);
+
+InspectionBuffer *Ja3DetectGetString(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+ const int list_id);
+
#endif /* __UTIL_JA3_H__ */
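Review bot: The two new prototypes are exported without any comment, and their generic names hide that both read only from a QUIC transaction: the bodies call `rs_quic_tx_get_ja3`, and every registration in this commit pairs them with `ALPROTO_QUIC`. They are also shared by the to-client ja3s.hash and ja3s.string keywords, so the getter appears to return whichever fingerprint the transaction holds for its direction; that is worth stating so nobody wires them to TLS by mistake. I would add above the declarations something like `/* QUIC only: fill the inspection buffer from the tx fingerprint via rs_quic_tx_get_ja3(); used by ja3.* (to server) and ja3s.* (to client) */`. A `\brief` block on the definitions in util-ja3.c would also match the Doxygen style already used for the registration functions.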