diff --git a/src/Makefile.am b/src/Makefile.am
index f269a419a6..485da7e273 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -433,6 +433,7 @@ util-lua-dnp3.c util-lua-dnp3.h \
 util-lua-dnp3-objects.c util-lua-dnp3-objects.h \
 util-lua-dns.c util-lua-dns.h \
 util-lua-http.c util-lua-http.h \
+util-lua-ja3.c util-lua-ja3.h \
 util-lua-tls.c util-lua-tls.h \
 util-lua-ssh.c util-lua-ssh.h \
 util-lua-smtp.c util-lua-smtp.h \
diff --git a/src/detect-lua-extensions.c b/src/detect-lua-extensions.c
index c731b92cec..3edea09760 100644
--- a/src/detect-lua-extensions.c
+++ b/src/detect-lua-extensions.c
@@ -66,6 +66,7 @@
 #include "util-lua-common.h"
 #include "util-lua-http.h"
 #include "util-lua-dns.h"
+#include "util-lua-ja3.h"
 #include "util-lua-tls.h"
 #include "util-lua-ssh.h"
 #include "util-lua-smtp.h"
@@ -532,6 +533,7 @@ int LuaRegisterExtensions(lua_State *lua_state)
 LuaRegisterFunctions(lua_state);
 LuaRegisterHttpFunctions(lua_state);
 LuaRegisterDnsFunctions(lua_state);
+ LuaRegisterJa3Functions(lua_state);
 LuaRegisterTlsFunctions(lua_state);
 LuaRegisterSshFunctions(lua_state);
 LuaRegisterSmtpFunctions(lua_state);
diff --git a/src/output-lua.c b/src/output-lua.c
index 8b5581c6c1..7555a0d90e 100644
--- a/src/output-lua.c
+++ b/src/output-lua.c
@@ -60,6 +60,7 @@
 #include "util-lua-common.h"
 #include "util-lua-http.h"
 #include "util-lua-dns.h"
+#include "util-lua-ja3.h"
 #include "util-lua-tls.h"
 #include "util-lua-ssh.h"
 #include "util-lua-smtp.h"
@@ -636,6 +637,7 @@ static lua_State *LuaScriptSetup(const char *filename)
 * if the tx is registered in the state at runtime though. */
 LuaRegisterHttpFunctions(luastate);
 LuaRegisterDnsFunctions(luastate);
+ LuaRegisterJa3Functions(luastate);
 LuaRegisterTlsFunctions(luastate);
 LuaRegisterSshFunctions(luastate);
 LuaRegisterSmtpFunctions(luastate);
diff --git a/src/util-lua-ja3.c b/src/util-lua-ja3.c
new file mode 100644
index 0000000000..962e6e8aa4
--- /dev/null
+++ b/src/util-lua-ja3.c
@@ -0,0 +1,92 @@
+/* Copyright (C) 2017 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+
+/**
+ * \file
+ *
+ * \author Mats Klepsland
+ *
+ */
+
+#include "suricata-common.h"
+#include "debug.h"
+#include "detect.h"
+#include "pkt-var.h"
+#include "conf.h"
+
+#include "threads.h"
+#include "threadvars.h"
+#include "tm-threads.h"
+
+#include "util-print.h"
+#include "util-unittest.h"
+
+#include "util-debug.h"
+
+#include "output.h"
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssl.h"
+#include "util-privs.h"
+#include "util-buffer.h"
+#include "util-proto-name.h"
+#include "util-logopenfile.h"
+#include "util-time.h"
+
+#ifdef HAVE_LUA
+
+#include
+#include
+#include
+
+#include "util-lua.h"
+#include "util-lua-common.h"
+#include "util-lua-ja3.h"
+
+static int Ja3GetHash(lua_State *luastate)
+{
+ if (!(LuaStateNeedProto(luastate, ALPROTO_TLS)))
+ return LuaCallbackError(luastate, "error: protocol is not tls");
+
+ Flow *f = LuaStateGetFlow(luastate);
+ if (f == NULL)
+ return LuaCallbackError(luastate, "internal error: no flow");
+
+ void *state = FlowGetAppState(f);
+ if (state == NULL)
+ return LuaCallbackError(luastate, "error: no app layer state");
+
+ SSLState *ssl_state = (SSLState *)state;
+
+ if (ssl_state->ja3_hash == NULL)
+ return LuaCallbackError(luastate, "error: no JA3 hash");
+
+ return LuaPushStringBuffer(luastate, (uint8_t *)ssl_state->ja3_hash,
+ strlen(ssl_state->ja3_hash));
+}
+
+/** *\brief Register JA3 Lua extensions */
+int LuaRegisterJa3Functions(lua_State *luastate)
+{
+ lua_pushcfunction(luastate, Ja3GetHash);
+ lua_setglobal(luastate, "Ja3GetHash");
+
+ return 0;
+}
+
+#endif /* HAVE_LUA */
diff --git a/src/util-lua-ja3.h b/src/util-lua-ja3.h
new file mode 100644
index 0000000000..4bad867a4a
--- /dev/null
+++ b/src/util-lua-ja3.h
@@ -0,0 +1,33 @@
+/* Copyright (C) 2017 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Mats Klepsland
+ */
+
+#ifndef __UTIL_LUA_JA3_H__
+#define __UTIL_LUA_JA3_H__
+
+#ifdef HAVE_LUA
+
+int LuaRegisterJa3Functions(lua_State *luastate);
+
+#endif /* HAVE_LUA */
+
+#endif /* __UTIL_LUA_JA3_H__ */
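Review bot: `Ja3GetHash` in src/util-lua-ja3.c has no doc comment, although it is the only Lua-facing entry point in the file, so script authors cannot tell from the source what a rule or output script sees on each failure path. I would add a Doxygen block above it stating that it pushes the flow's JA3 hash as a string, and that each of the four early exits goes through `LuaCallbackError` (presumably nil plus the message; confirm against its definition). The `ssl_state->ja3_hash == NULL` exit deserves its own sentence, since these lines do not show whether NULL means fingerprinting is off or the handshake has not been parsed yet. A detection script that treats that error as "no match" would silently skip the flow either way. Separately, the comment on `LuaRegisterJa3Functions` carries a stray `*`; `/** \brief Register JA3 Lua extensions */` is the intended form.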
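Review bot: src/util-lua-ja3.h is not self-contained: the prototype `int LuaRegisterJa3Functions(lua_State *luastate);` uses `lua_State`, but the header includes nothing that declares it. It compiles only because each includer shown in this commit pulls in other Lua headers first, so a change in include order in detect-lua-extensions.c or output-lua.c would break the build. Including the Lua header inside the `#ifdef HAVE_LUA` section, or adding a forward declaration there if the project has a convention for one, would remove that dependency. The guard name `__UTIL_LUA_JA3_H__` also sits in the namespace C reserves for the implementation, though it appears to follow the naming of the sibling util-lua headers, so it may be better left consistent.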