summaryrefslogtreecommitdiffstats
path: root/src/detect-ssl-version.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/detect-ssl-version.c335
1 files changed, 335 insertions, 0 deletions
diff --git a/src/detect-ssl-version.c b/src/detect-ssl-version.c
new file mode 100644
index 0000000..b4e142b
--- /dev/null
+++ b/src/detect-ssl-version.c
@@ -0,0 +1,335 @@
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file detect-ssl-version.c
+ *
+ * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
+ *
+ * Implements the ssl_version keyword
+ */
+
+#include "suricata-common.h"
+#include "threads.h"
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+
+#include "flow.h"
+#include "flow-var.h"
+#include "flow-util.h"
+
+#include "util-debug.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+
+#include "app-layer.h"
+#include "app-layer-parser.h"
+
+#include "detect-ssl-version.h"
+
+#include "stream-tcp.h"
+#include "app-layer-ssl.h"
+
+
+static int DetectSslVersionMatch(DetectEngineThreadCtx *,
+ Flow *, uint8_t, void *, void *,
+ const Signature *, const SigMatchCtx *);
+static int DetectSslVersionSetup(DetectEngineCtx *, Signature *, const char *);
+#ifdef UNITTESTS
+static void DetectSslVersionRegisterTests(void);
+#endif
+static void DetectSslVersionFree(DetectEngineCtx *, void *);
+static int g_tls_generic_list_id = 0;
+
+/**
+ * \brief Registration function for keyword: ssl_version
+ */
+void DetectSslVersionRegister(void)
+{
+ sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version";
+ sigmatch_table[DETECT_AL_SSL_VERSION].desc = "match version of SSL/TLS record";
+ sigmatch_table[DETECT_AL_SSL_VERSION].url = "/rules/tls-keywords.html#ssl-version";
+ sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch;
+ sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup;
+ sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree;
+#ifdef UNITTESTS
+ sigmatch_table[DETECT_AL_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests;
+#endif
+
+ g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
+}
+
+/**
+ * \brief match the specified version on a ssl session
+ *
+ * \param t pointer to thread vars
+ * \param det_ctx pointer to the pattern matcher thread
+ * \param p pointer to the current packet
+ * \param m pointer to the sigmatch that we will cast into DetectSslVersionData
+ *
+ * \retval 0 no match
+ * \retval 1 match
+ */
+static int DetectSslVersionMatch(DetectEngineThreadCtx *det_ctx,
+ Flow *f, uint8_t flags, void *state, void *txv,
+ const Signature *s, const SigMatchCtx *m)
+{
+ SCEnter();
+
+ int ret = 0;
+ uint16_t ver = 0;
+ uint8_t sig_ver = TLS_UNKNOWN;
+
+ const DetectSslVersionData *ssl = (const DetectSslVersionData *)m;
+ SSLState *app_state = (SSLState *)state;
+ if (app_state == NULL) {
+ SCLogDebug("no app state, no match");
+ SCReturnInt(0);
+ }
+
+ if (flags & STREAM_TOCLIENT) {
+ SCLogDebug("server (toclient) version is 0x%02X",
+ app_state->server_connp.version);
+ ver = app_state->server_connp.version;
+ } else if (flags & STREAM_TOSERVER) {
+ SCLogDebug("client (toserver) version is 0x%02X",
+ app_state->client_connp.version);
+ ver = app_state->client_connp.version;
+ }
+
+ switch (ver) {
+ case SSL_VERSION_2:
+ if (ver == ssl->data[SSLv2].ver)
+ ret = 1;
+ sig_ver = SSLv2;
+ break;
+ case SSL_VERSION_3:
+ if (ver == ssl->data[SSLv3].ver)
+ ret = 1;
+ sig_ver = SSLv3;
+ break;
+ case TLS_VERSION_10:
+ if (ver == ssl->data[TLS10].ver)
+ ret = 1;
+ sig_ver = TLS10;
+ break;
+ case TLS_VERSION_11:
+ if (ver == ssl->data[TLS11].ver)
+ ret = 1;
+ sig_ver = TLS11;
+ break;
+ case TLS_VERSION_12:
+ if (ver == ssl->data[TLS12].ver)
+ ret = 1;
+ sig_ver = TLS12;
+ break;
+ case TLS_VERSION_13_DRAFT28:
+ case TLS_VERSION_13_DRAFT27:
+ case TLS_VERSION_13_DRAFT26:
+ case TLS_VERSION_13_DRAFT25:
+ case TLS_VERSION_13_DRAFT24:
+ case TLS_VERSION_13_DRAFT23:
+ case TLS_VERSION_13_DRAFT22:
+ case TLS_VERSION_13_DRAFT21:
+ case TLS_VERSION_13_DRAFT20:
+ case TLS_VERSION_13_DRAFT19:
+ case TLS_VERSION_13_DRAFT18:
+ case TLS_VERSION_13_DRAFT17:
+ case TLS_VERSION_13_DRAFT16:
+ case TLS_VERSION_13_PRE_DRAFT16:
+ if (((ver >> 8) & 0xff) == 0x7f)
+ ver = TLS_VERSION_13;
+ /* fall through */
+ case TLS_VERSION_13:
+ if (ver == ssl->data[TLS13].ver)
+ ret = 1;
+ sig_ver = TLS13;
+ break;
+ }
+
+ if (sig_ver == TLS_UNKNOWN)
+ SCReturnInt(0);
+
+ SCReturnInt(ret ^ ((ssl->data[sig_ver].flags & DETECT_SSL_VERSION_NEGATED) ? 1 : 0));
+}
+
+struct SSLVersionKeywords {
+ const char *word;
+ int index;
+ uint16_t value;
+};
+
+struct SSLVersionKeywords ssl_version_keywords[TLS_SIZE] = {
+ { "sslv2", SSLv2, SSL_VERSION_2 },
+ { "sslv3", SSLv3, SSL_VERSION_3 },
+ { "tls1.0", TLS10, TLS_VERSION_10 },
+ { "tls1.1", TLS11, TLS_VERSION_11 },
+ { "tls1.2", TLS12, TLS_VERSION_12 },
+ { "tls1.3", TLS13, TLS_VERSION_13 },
+};
+
+/**
+ * \brief This function is used to parse ssl_version data passed via
+ * keyword: "ssl_version"
+ *
+ * \param de_ctx Pointer to the detection engine context
+ * \param str Pointer to the user provided options
+ *
+ * \retval ssl pointer to DetectSslVersionData on success
+ * \retval NULL on failure
+ */
+static DetectSslVersionData *DetectSslVersionParse(DetectEngineCtx *de_ctx, const char *str)
+{
+ DetectSslVersionData *ssl = NULL;
+ const char *tmp_str = str;
+ size_t tmp_len = 0;
+ uint8_t found = 0;
+
+ /* We have a correct ssl_version options */
+ ssl = SCCalloc(1, sizeof(DetectSslVersionData));
+ if (unlikely(ssl == NULL))
+ goto error;
+
+ // skip leading space
+ while (tmp_str[0] != 0 && isspace(tmp_str[0])) {
+ tmp_str++;
+ }
+ if (tmp_str[0] == 0) {
+ SCLogError("Invalid empty value");
+ goto error;
+ }
+ // iterate every version separated by comma
+ while (tmp_str[0] != 0) {
+ uint8_t neg = 0;
+ if (tmp_str[0] == '!') {
+ neg = 1;
+ tmp_str++;
+ }
+ // counts word length
+ tmp_len = 0;
+ while (tmp_str[tmp_len] != 0 && !isspace(tmp_str[tmp_len]) && tmp_str[tmp_len] != ',') {
+ tmp_len++;
+ }
+
+ bool is_keyword = false;
+ for (size_t i = 0; i < TLS_SIZE; i++) {
+ if (tmp_len == strlen(ssl_version_keywords[i].word) &&
+ strncasecmp(ssl_version_keywords[i].word, tmp_str, tmp_len) == 0) {
+ if (ssl->data[ssl_version_keywords[i].index].ver != 0) {
+ SCLogError("Invalid duplicate value");
+ goto error;
+ }
+ ssl->data[ssl_version_keywords[i].index].ver = ssl_version_keywords[i].value;
+ if (neg == 1)
+ ssl->data[ssl_version_keywords[i].index].flags |= DETECT_SSL_VERSION_NEGATED;
+ is_keyword = true;
+ break;
+ }
+ }
+ if (!is_keyword) {
+ SCLogError("Invalid unknown value");
+ goto error;
+ }
+
+ /* check consistency between negative and positive values :
+ * if there is a negative value, it overrides positive values
+ */
+ if (found == 0) {
+ found |= 1 << neg;
+ } else if (found != 1 << neg) {
+ SCLogError("Invalid value mixing negative and positive forms");
+ goto error;
+ }
+
+ tmp_str += tmp_len;
+ while (isspace(tmp_str[0]) || tmp_str[0] == ',') {
+ tmp_str++;
+ }
+ }
+
+ return ssl;
+
+error:
+ if (ssl != NULL)
+ DetectSslVersionFree(de_ctx, ssl);
+ return NULL;
+
+}
+
+/**
+ * \brief this function is used to add the parsed "id" option
+ * \brief into the current signature
+ *
+ * \param de_ctx pointer to the Detection Engine Context
+ * \param s pointer to the Current Signature
+ * \param idstr pointer to the user provided "id" option
+ *
+ * \retval 0 on Success
+ * \retval -1 on Failure
+ */
+static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+ DetectSslVersionData *ssl = NULL;
+ SigMatch *sm = NULL;
+
+ if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+ return -1;
+
+ ssl = DetectSslVersionParse(de_ctx, str);
+ if (ssl == NULL)
+ goto error;
+
+ /* Okay so far so good, lets get this into a SigMatch
+ * and put it in the Signature. */
+ sm = SigMatchAlloc();
+ if (sm == NULL)
+ goto error;
+
+ sm->type = DETECT_AL_SSL_VERSION;
+ sm->ctx = (void *)ssl;
+
+ SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
+ return 0;
+
+error:
+ if (ssl != NULL)
+ DetectSslVersionFree(de_ctx, ssl);
+ if (sm != NULL)
+ SCFree(sm);
+ return -1;
+}
+
+/**
+ * \brief this function will free memory associated with DetectSslVersionData
+ *
+ * \param id_d pointer to DetectSslVersionData
+ */
+void DetectSslVersionFree(DetectEngineCtx *de_ctx, void *ptr)
+{
+ if (ptr != NULL)
+ SCFree(ptr);
+}
+
+#ifdef UNITTESTS
+#include "tests/detect-ssl-version.c"
+#endif
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-23 09:49:09 +0000