lua: add Ja3GetHash function

Add Ja3GetHash() to return the content of the JA3 hash buffer from the TLS session. Example: function init (args) local needs = {} needs["protocol"] = "tls" return needs end function setup (args) filename = SCLogPath() .. "/ja3_hash.log" file = assert(io.open(filename, "a")) end function log (args) ja3_hash = Ja3GetHash() if ja3_hash == nil then return end file:write(ja3_hash .. "\n") file:flush() end function deinit (args) file:close() end In the (useless) example above, each JA3 hash is logged to a log file.
8 years ago · 195fa9d272
parent a357f52fa5
commit 195fa9d272
5 changed files with 130 additions and 0 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -433,6 +433,7 @@ util-lua-dnp3.c util-lua-dnp3.h \
 util-lua-dnp3-objects.c util-lua-dnp3-objects.h \
 util-lua-dns.c util-lua-dns.h \
 util-lua-http.c util-lua-http.h \
+util-lua-ja3.c util-lua-ja3.h \
 util-lua-tls.c util-lua-tls.h \
 util-lua-ssh.c util-lua-ssh.h \
 util-lua-smtp.c util-lua-smtp.h \
--- a/src/detect-lua-extensions.c
+++ b/src/detect-lua-extensions.c
@ -66,6 +66,7 @@
 #include "util-lua-common.h"
 #include "util-lua-http.h"
 #include "util-lua-dns.h"
+#include "util-lua-ja3.h"
 #include "util-lua-tls.h"
 #include "util-lua-ssh.h"
 #include "util-lua-smtp.h"
@ -532,6 +533,7 @@ int LuaRegisterExtensions(lua_State *lua_state)
    LuaRegisterFunctions(lua_state);
    LuaRegisterHttpFunctions(lua_state);
    LuaRegisterDnsFunctions(lua_state);
+    LuaRegisterJa3Functions(lua_state);
    LuaRegisterTlsFunctions(lua_state);
    LuaRegisterSshFunctions(lua_state);
    LuaRegisterSmtpFunctions(lua_state);
--- a/src/output-lua.c
+++ b/src/output-lua.c
@ -60,6 +60,7 @@
 #include "util-lua-common.h"
 #include "util-lua-http.h"
 #include "util-lua-dns.h"
+#include "util-lua-ja3.h"
 #include "util-lua-tls.h"
 #include "util-lua-ssh.h"
 #include "util-lua-smtp.h"
@ -636,6 +637,7 @@ static lua_State *LuaScriptSetup(const char *filename)
     * if the tx is registered in the state at runtime though. */
    LuaRegisterHttpFunctions(luastate);
    LuaRegisterDnsFunctions(luastate);
+    LuaRegisterJa3Functions(luastate);
    LuaRegisterTlsFunctions(luastate);
    LuaRegisterSshFunctions(luastate);
    LuaRegisterSmtpFunctions(luastate);
--- a/src/util-lua-ja3.c
+++ b/src/util-lua-ja3.c
@ -0,0 +1,92 @@
+/* Copyright (C) 2017 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+
+/**
+ * \file
+ *
+ * \author Mats Klepsland <mats.klepsland@gmail.com>
+ *
+ */
+
+#include "suricata-common.h"
+#include "debug.h"
+#include "detect.h"
+#include "pkt-var.h"
+#include "conf.h"
+
+#include "threads.h"
+#include "threadvars.h"
+#include "tm-threads.h"
+
+#include "util-print.h"
+#include "util-unittest.h"
+
+#include "util-debug.h"
+
+#include "output.h"
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssl.h"
+#include "util-privs.h"
+#include "util-buffer.h"
+#include "util-proto-name.h"
+#include "util-logopenfile.h"
+#include "util-time.h"
+
+#ifdef HAVE_LUA
+
+#include <lua.h>
+#include <lualib.h>
+#include <lauxlib.h>
+
+#include "util-lua.h"
+#include "util-lua-common.h"
+#include "util-lua-ja3.h"
+
+static int Ja3GetHash(lua_State *luastate)
+{
+    if (!(LuaStateNeedProto(luastate, ALPROTO_TLS)))
+        return LuaCallbackError(luastate, "error: protocol is not tls");
+
+    Flow *f = LuaStateGetFlow(luastate);
+    if (f == NULL)
+        return LuaCallbackError(luastate, "internal error: no flow");
+
+    void *state = FlowGetAppState(f);
+    if (state == NULL)
+        return LuaCallbackError(luastate, "error: no app layer state");
+
+    SSLState *ssl_state = (SSLState *)state;
+
+    if (ssl_state->ja3_hash == NULL)
+        return LuaCallbackError(luastate, "error: no JA3 hash");
+
+    return LuaPushStringBuffer(luastate, (uint8_t *)ssl_state->ja3_hash,
+                               strlen(ssl_state->ja3_hash));
+}
+
+/** *\brief Register JA3 Lua extensions */
+int LuaRegisterJa3Functions(lua_State *luastate)
+{
+    lua_pushcfunction(luastate, Ja3GetHash);
+    lua_setglobal(luastate, "Ja3GetHash");
+
+    return 0;
+}
+
+#endif /* HAVE_LUA */
--- a/src/util-lua-ja3.h
+++ b/src/util-lua-ja3.h
@ -0,0 +1,33 @@
+/* Copyright (C) 2017 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Mats Klepsland <mats.klepsland@gmail.com>
+ */
+
+#ifndef __UTIL_LUA_JA3_H__
+#define __UTIL_LUA_JA3_H__
+
+#ifdef HAVE_LUA
+
+int LuaRegisterJa3Functions(lua_State *luastate);
+
+#endif /* HAVE_LUA */
+
+#endif /* __UTIL_LUA_JA3_H__ */