aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tls: remove incomplete tests

Browse Source 
These tests are incompatible with the incomplete API usage and should
have been pcap based tests in the first place.
pull/7896/head
Victor Julien 3 years ago
parent 82e03bd8fc
commit 214e466b29
15 changed files with 0 additions and 4076 deletions
Show Stats Download Patch File Download Diff File

5
src/Makefile.am
Unescape Escape View File

@ -1255,11 +1255,6 @@ EXTRA_DIST = \
tests/detect-tls-cert-subject.c \
tests/detect-tls-cert-validity.c \
tests/detect-tls-certs.c \
tests/detect-tls-ja3-hash.c \
tests/detect-tls-ja3-string.c \
tests/detect-tls-ja3s-hash.c \
tests/detect-tls-ja3s-string.c \
tests/detect-tls-sni.c \
tests/detect-tls-version.c \
tests/detect.c \
tests/stream-tcp.c

2355
src/app-layer-ssl.c
View File

File diff suppressed because it is too large Load Diff

10
src/detect-tls-ja3-hash.c
Unescape Escape View File

@ -58,9 +58,6 @@
#include "util-unittest-helper.h"
static int DetectTlsJa3HashSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectTlsJa3HashRegisterTests(void);
#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
@ -81,9 +78,6 @@ void DetectTlsJa3HashRegister(void)
sigmatch_table[DETECT_AL_TLS_JA3_HASH].desc = "sticky buffer to match the JA3 hash buffer";
sigmatch_table[DETECT_AL_TLS_JA3_HASH].url = "/rules/ja3-keywords.html#ja3-hash";
sigmatch_table[DETECT_AL_TLS_JA3_HASH].Setup = DetectTlsJa3HashSetup;
#ifdef UNITTESTS
sigmatch_table[DETECT_AL_TLS_JA3_HASH].RegisterTests = DetectTlsJa3HashRegisterTests;
#endif
sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
@ -219,7 +213,3 @@ static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
}
}
}
#ifdef UNITTESTS
#include "tests/detect-tls-ja3-hash.c"
#endif

10
src/detect-tls-ja3-string.c
Unescape Escape View File

@ -58,9 +58,6 @@
#include "util-unittest-helper.h"
static int DetectTlsJa3StringSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectTlsJa3StringRegisterTests(void);
#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
@ -97,9 +94,6 @@ void DetectTlsJa3StringRegister(void)
sigmatch_table[DETECT_AL_TLS_JA3_STRING].desc = "sticky buffer to match the JA3 string buffer";
sigmatch_table[DETECT_AL_TLS_JA3_STRING].url = "/rules/ja3-keywords.html#ja3-string";
sigmatch_table[DETECT_AL_TLS_JA3_STRING].Setup = DetectTlsJa3StringSetup;
#ifdef UNITTESTS
sigmatch_table[DETECT_AL_TLS_JA3_STRING].RegisterTests = DetectTlsJa3StringRegisterTests;
#endif
sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
@ -176,7 +170,3 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
return buffer;
}
#ifdef UNITTESTS
#include "tests/detect-tls-ja3-string.c"
#endif

10
src/detect-tls-ja3s-hash.c
Unescape Escape View File

@ -58,9 +58,6 @@
#include "util-unittest-helper.h"
static int DetectTlsJa3SHashSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectTlsJa3SHashRegisterTests(void);
#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
@ -80,9 +77,6 @@ void DetectTlsJa3SHashRegister(void)
sigmatch_table[DETECT_AL_TLS_JA3S_HASH].desc = "sticky buffer to match the JA3S hash buffer";
sigmatch_table[DETECT_AL_TLS_JA3S_HASH].url = "/rules/ja3-keywords.html#ja3s-hash";
sigmatch_table[DETECT_AL_TLS_JA3S_HASH].Setup = DetectTlsJa3SHashSetup;
#ifdef UNITTESTS
sigmatch_table[DETECT_AL_TLS_JA3S_HASH].RegisterTests = DetectTlsJa3SHashRegisterTests;
#endif
sigmatch_table[DETECT_AL_TLS_JA3S_HASH].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_TLS_JA3S_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
@ -217,7 +211,3 @@ static void DetectTlsJa3SHashSetupCallback(const DetectEngineCtx *de_ctx,
}
}
}
#ifdef UNITTESTS
#include "tests/detect-tls-ja3s-hash.c"
#endif

10
src/detect-tls-ja3s-string.c
Unescape Escape View File

@ -58,9 +58,6 @@
#include "util-unittest-helper.h"
static int DetectTlsJa3SStringSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectTlsJa3SStringRegisterTests(void);
#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
@ -97,9 +94,6 @@ void DetectTlsJa3SStringRegister(void)
"sticky buffer to match the JA3S string buffer";
sigmatch_table[DETECT_AL_TLS_JA3S_STRING].url = "/rules/ja3-keywords.html#ja3s-string";
sigmatch_table[DETECT_AL_TLS_JA3S_STRING].Setup = DetectTlsJa3SStringSetup;
#ifdef UNITTESTS
sigmatch_table[DETECT_AL_TLS_JA3S_STRING].RegisterTests = DetectTlsJa3SStringRegisterTests;
#endif
sigmatch_table[DETECT_AL_TLS_JA3S_STRING].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_TLS_JA3S_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
@ -176,7 +170,3 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
return buffer;
}
#ifdef UNITTESTS
#include "tests/detect-tls-ja3s-string.c"
#endif

10
src/detect-tls-sni.c
Unescape Escape View File

@ -54,9 +54,6 @@
#include "util-unittest-helper.h"
static int DetectTlsSniSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectTlsSniRegisterTests(void);
#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
@ -74,9 +71,6 @@ void DetectTlsSniRegister(void)
"sticky buffer to match specifically and only on the TLS SNI buffer";
sigmatch_table[DETECT_AL_TLS_SNI].url = "/rules/tls-keywords.html#tls-sni";
sigmatch_table[DETECT_AL_TLS_SNI].Setup = DetectTlsSniSetup;
#ifdef UNITTESTS
sigmatch_table[DETECT_AL_TLS_SNI].RegisterTests = DetectTlsSniRegisterTests;
#endif
sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_INFO_STICKY_BUFFER;
@ -135,7 +129,3 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
return buffer;
}
#ifdef UNITTESTS
#include "tests/detect-tls-sni.c"
#endif

406
src/tests/detect-ssl-state.c
Unescape Escape View File

@ -89,411 +89,6 @@ static int DetectSslStateTest06(void)
PASS;
}
/**
* \test Test a valid dce_iface entry for a bind and bind_ack
*/
static int DetectSslStateTest07(void)
{
uint8_t chello_buf[] = {
0x80, 0x67, 0x01, 0x03, 0x00, 0x00, 0x4e, 0x00,
0x00, 0x00, 0x10, 0x01, 0x00, 0x80, 0x03, 0x00,
0x80, 0x07, 0x00, 0xc0, 0x06, 0x00, 0x40, 0x02,
0x00, 0x80, 0x04, 0x00, 0x80, 0x00, 0x00, 0x39,
0x00, 0x00, 0x38, 0x00, 0x00, 0x35, 0x00, 0x00,
0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x04, 0x00,
0x00, 0x05, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x16,
0x00, 0x00, 0x13, 0x00, 0xfe, 0xff, 0x00, 0x00,
0x0a, 0x00, 0x00, 0x15, 0x00, 0x00, 0x12, 0x00,
0xfe, 0xfe, 0x00, 0x00, 0x09, 0x00, 0x00, 0x64,
0x00, 0x00, 0x62, 0x00, 0x00, 0x03, 0x00, 0x00,
0x06, 0xa8, 0xb8, 0x93, 0xbb, 0x90, 0xe9, 0x2a,
0xa2, 0x4d, 0x6d, 0xcc, 0x1c, 0xe7, 0x2a, 0x80,
0x21
};
uint32_t chello_buf_len = sizeof(chello_buf);
uint8_t shello_buf[] = {
0x16, 0x03, 0x00, 0x00, 0x4a, 0x02,
0x00, 0x00, 0x46, 0x03, 0x00, 0x44, 0x4c, 0x94,
0x8f, 0xfe, 0x81, 0xed, 0x93, 0x65, 0x02, 0x88,
0xa3, 0xf8, 0xeb, 0x63, 0x86, 0x0e, 0x2c, 0xf6,
0x8d, 0xd0, 0x0f, 0x2c, 0x2a, 0xd6, 0x4f, 0xcd,
0x2d, 0x3c, 0x16, 0xd7, 0xd6, 0x20, 0xa0, 0xfb,
0x60, 0x86, 0x3d, 0x1e, 0x76, 0xf3, 0x30, 0xfe,
0x0b, 0x01, 0xfd, 0x1a, 0x01, 0xed, 0x95, 0xf6,
0x7b, 0x8e, 0xc0, 0xd4, 0x27, 0xbf, 0xf0, 0x6e,
0xc7, 0x56, 0xb1, 0x47, 0xce, 0x98, 0x00, 0x35,
0x00, 0x16, 0x03, 0x00, 0x03, 0x44, 0x0b, 0x00,
0x03, 0x40, 0x00, 0x03, 0x3d, 0x00, 0x03, 0x3a,
0x30, 0x82, 0x03, 0x36, 0x30, 0x82, 0x02, 0x9f,
0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01,
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30,
0x81, 0xa9, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
0x55, 0x04, 0x06, 0x13, 0x02, 0x58, 0x59, 0x31,
0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x08,
0x13, 0x0c, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
0x44, 0x65, 0x73, 0x65, 0x72, 0x74, 0x31, 0x13,
0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
0x0a, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x54,
0x6f, 0x77, 0x6e, 0x31, 0x17, 0x30, 0x15, 0x06,
0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x53, 0x6e,
0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, 0x2c,
0x20, 0x4c, 0x74, 0x64, 0x31, 0x1e, 0x30, 0x1c,
0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x43,
0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f,
0x72, 0x69, 0x74, 0x79, 0x31, 0x15, 0x30, 0x13,
0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0c, 0x53,
0x6e, 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c,
0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06,
0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
0x09, 0x01, 0x16, 0x0f, 0x63, 0x61, 0x40, 0x73,
0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, 0x2e,
0x64, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30,
0x33, 0x30, 0x33, 0x30, 0x35, 0x31, 0x36, 0x34,
0x37, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x30, 0x38,
0x30, 0x33, 0x30, 0x33, 0x31, 0x36, 0x34, 0x37,
0x34, 0x35, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x0b,
0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
0x02, 0x58, 0x59, 0x31, 0x15, 0x30, 0x13, 0x06,
0x03, 0x55, 0x04, 0x08, 0x13, 0x0c, 0x53, 0x6e,
0x61, 0x6b, 0x65, 0x20, 0x44, 0x65, 0x73, 0x65,
0x72, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x6e, 0x61,
0x6b, 0x65, 0x20, 0x54, 0x6f, 0x77, 0x6e, 0x31,
0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a,
0x13, 0x0e, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
0x4f, 0x69, 0x6c, 0x2c, 0x20, 0x4c, 0x74, 0x64,
0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
0x0b, 0x13, 0x0e, 0x57, 0x65, 0x62, 0x73, 0x65,
0x72, 0x76, 0x65, 0x72, 0x20, 0x54, 0x65, 0x61,
0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,
0x04, 0x03, 0x13, 0x10, 0x77, 0x77, 0x77, 0x2e,
0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c,
0x2e, 0x64, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x09, 0x01, 0x16, 0x10, 0x77, 0x77, 0x77,
0x40, 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69,
0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x30, 0x81, 0x9f,
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03,
0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
0x81, 0x00, 0xa4, 0x6e, 0x53, 0x14, 0x0a, 0xde,
0x2c, 0xe3, 0x60, 0x55, 0x9a, 0xf2, 0x42, 0xa6,
0xaf, 0x47, 0x12, 0x2f, 0x17, 0xce, 0xfa, 0xba,
0xdc, 0x4e, 0x63, 0x56, 0x34, 0xb9, 0xba, 0x73,
0x4b, 0x78, 0x44, 0x3d, 0xc6, 0x6c, 0x69, 0xa4,
0x25, 0xb3, 0x61, 0x02, 0x9d, 0x09, 0x04, 0x3f,
0x72, 0x3d, 0xd8, 0x27, 0xd3, 0xb0, 0x5a, 0x45,
0x77, 0xb7, 0x36, 0xe4, 0x26, 0x23, 0xcc, 0x12,
0xb8, 0xae, 0xde, 0xa7, 0xb6, 0x3a, 0x82, 0x3c,
0x7c, 0x24, 0x59, 0x0a, 0xf8, 0x96, 0x43, 0x8b,
0xa3, 0x29, 0x36, 0x3f, 0x91, 0x7f, 0x5d, 0xc7,
0x23, 0x94, 0x29, 0x7f, 0x0a, 0xce, 0x0a, 0xbd,
0x8d, 0x9b, 0x2f, 0x19, 0x17, 0xaa, 0xd5, 0x8e,
0xec, 0x66, 0xa2, 0x37, 0xeb, 0x3f, 0x57, 0x53,
0x3c, 0xf2, 0xaa, 0xbb, 0x79, 0x19, 0x4b, 0x90,
0x7e, 0xa7, 0xa3, 0x99, 0xfe, 0x84, 0x4c, 0x89,
0xf0, 0x3d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
0x6e, 0x30, 0x6c, 0x30, 0x1b, 0x06, 0x03, 0x55,
0x1d, 0x11, 0x04, 0x14, 0x30, 0x12, 0x81, 0x10,
0x77, 0x77, 0x77, 0x40, 0x73, 0x6e, 0x61, 0x6b,
0x65, 0x6f, 0x69, 0x6c, 0x2e, 0x64, 0x6f, 0x6d,
0x30, 0x3a, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
0x86, 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x2d, 0x16,
0x2b, 0x6d, 0x6f, 0x64, 0x5f, 0x73, 0x73, 0x6c,
0x20, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
0x65, 0x64, 0x20, 0x63, 0x75, 0x73, 0x74, 0x6f,
0x6d, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
0x63, 0x61, 0x74, 0x65, 0x30, 0x11, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01,
0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 0x30,
0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81,
0x81, 0x00, 0xae, 0x79, 0x79, 0x22, 0x90, 0x75,
0xfd, 0xa6, 0xd5, 0xc4, 0xb8, 0xc4, 0x99, 0x4e,
0x1c, 0x05, 0x7c, 0x91, 0x59, 0xbe, 0x89, 0x0d,
0x3d, 0xc6, 0x8c, 0xa3, 0xcf, 0xf6, 0xba, 0x23,
0xdf, 0xb8, 0xae, 0x44, 0x68, 0x8a, 0x8f, 0xb9,
0x8b, 0xcb, 0x12, 0xda, 0xe6, 0xa2, 0xca, 0xa5,
0xa6, 0x55, 0xd9, 0xd2, 0xa1, 0xad, 0xba, 0x9b,
0x2c, 0x44, 0x95, 0x1d, 0x4a, 0x90, 0x59, 0x7f,
0x83, 0xae, 0x81, 0x5e, 0x3f, 0x92, 0xe0, 0x14,
0x41, 0x82, 0x4e, 0x7f, 0x53, 0xfd, 0x10, 0x23,
0xeb, 0x8a, 0xeb, 0xe9, 0x92, 0xea, 0x61, 0xf2,
0x8e, 0x19, 0xa1, 0xd3, 0x49, 0xc0, 0x84, 0x34,
0x1e, 0x2e, 0x6e, 0xf6, 0x98, 0xe2, 0x87, 0x53,
0xd6, 0x55, 0xd9, 0x1a, 0x8a, 0x92, 0x5c, 0xad,
0xdc, 0x1e, 0x1c, 0x30, 0xa7, 0x65, 0x9d, 0xc2,
0x4f, 0x60, 0xd2, 0x6f, 0xdb, 0xe0, 0x9f, 0x9e,
0xbc, 0x41, 0x16, 0x03, 0x00, 0x00, 0x04, 0x0e,
0x00, 0x00, 0x00
};
uint32_t shello_buf_len = sizeof(shello_buf);
uint8_t client_change_cipher_spec_buf[] = {
0x16, 0x03, 0x00, 0x00, 0x84, 0x10, 0x00, 0x00,
0x80, 0x65, 0x51, 0x2d, 0xa6, 0xd4, 0xa7, 0x38,
0xdf, 0xac, 0x79, 0x1f, 0x0b, 0xd9, 0xb2, 0x61,
0x7d, 0x73, 0x88, 0x32, 0xd9, 0xf2, 0x62, 0x3a,
0x8b, 0x11, 0x04, 0x75, 0xca, 0x42, 0xff, 0x4e,
0xd9, 0xcc, 0xb9, 0xfa, 0x86, 0xf3, 0x16, 0x2f,
0x09, 0x73, 0x51, 0x66, 0xaa, 0x29, 0xcd, 0x80,
0x61, 0x0f, 0xe8, 0x13, 0xce, 0x5b, 0x8e, 0x0a,
0x23, 0xf8, 0x91, 0x5e, 0x5f, 0x54, 0x70, 0x80,
0x8e, 0x7b, 0x28, 0xef, 0xb6, 0x69, 0xb2, 0x59,
0x85, 0x74, 0x98, 0xe2, 0x7e, 0xd8, 0xcc, 0x76,
0x80, 0xe1, 0xb6, 0x45, 0x4d, 0xc7, 0xcd, 0x84,
0xce, 0xb4, 0x52, 0x79, 0x74, 0xcd, 0xe6, 0xd7,
0xd1, 0x9c, 0xad, 0xef, 0x63, 0x6c, 0x0f, 0xf7,
0x05, 0xe4, 0x4d, 0x1a, 0xd3, 0xcb, 0x9c, 0xd2,
0x51, 0xb5, 0x61, 0xcb, 0xff, 0x7c, 0xee, 0xc7,
0xbc, 0x5e, 0x15, 0xa3, 0xf2, 0x52, 0x0f, 0xbb,
0x32, 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16,
0x03, 0x00, 0x00, 0x40, 0xa9, 0xd8, 0xd7, 0x35,
0xbc, 0x39, 0x56, 0x98, 0xad, 0x87, 0x61, 0x2a,
0xc4, 0x8f, 0xcc, 0x03, 0xcb, 0x93, 0x80, 0x81,
0xb0, 0x4a, 0xc4, 0xd2, 0x09, 0x71, 0x3e, 0x90,
0x3c, 0x8d, 0xe0, 0x95, 0x44, 0xfe, 0x56, 0xd1,
0x7e, 0x88, 0xe2, 0x48, 0xfd, 0x76, 0x70, 0x76,
0xe2, 0xcd, 0x06, 0xd0, 0xf3, 0x9d, 0x13, 0x79,
0x67, 0x1e, 0x37, 0xf6, 0x98, 0xbe, 0x59, 0x18,
0x4c, 0xfc, 0x75, 0x56
};
uint32_t client_change_cipher_spec_buf_len =
sizeof(client_change_cipher_spec_buf);
uint8_t server_change_cipher_spec_buf[] = {
0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, 0x03,
0x00, 0x00, 0x40, 0xce, 0x7c, 0x92, 0x43, 0x59,
0xcc, 0x3d, 0x90, 0x91, 0x9c, 0x58, 0xf0, 0x7a,
0xce, 0xae, 0x0d, 0x08, 0xe0, 0x76, 0xb4, 0x86,
0xb1, 0x15, 0x5b, 0x32, 0xb8, 0x77, 0x53, 0xe7,
0xa6, 0xf9, 0xd0, 0x95, 0x5f, 0xaa, 0x07, 0xc3,
0x96, 0x7c, 0xc9, 0x88, 0xc2, 0x7a, 0x20, 0x89,
0x4f, 0xeb, 0xeb, 0xb6, 0x19, 0xef, 0xaa, 0x27,
0x73, 0x9d, 0xa6, 0xb4, 0x9f, 0xeb, 0x34, 0xe2,
0x4d, 0x9f, 0x6b
};
uint32_t server_change_cipher_spec_buf_len =
sizeof(server_change_cipher_spec_buf);
uint8_t toserver_app_data_buf[] = {
0x17, 0x03, 0x00, 0x01, 0xb0, 0x4a, 0xc3, 0x3e,
0x9d, 0x77, 0x78, 0x01, 0x2c, 0xb4, 0xbc, 0x4c,
0x9a, 0x84, 0xd7, 0xb9, 0x90, 0x0c, 0x21, 0x10,
0xf0, 0xfa, 0x00, 0x7c, 0x16, 0xbb, 0x77, 0xfb,
0x72, 0x42, 0x4f, 0xad, 0x50, 0x4a, 0xd0, 0xaa,
0x6f, 0xaa, 0x44, 0x6c, 0x62, 0x94, 0x1b, 0xc5,
0xfe, 0xe9, 0x1c, 0x5e, 0xde, 0x85, 0x0b, 0x0e,
0x05, 0xe4, 0x18, 0x6e, 0xd2, 0xd3, 0xb5, 0x20,
0xab, 0x81, 0xfd, 0x18, 0x9a, 0x73, 0xb8, 0xd7,
0xef, 0xc3, 0xdd, 0x74, 0xd7, 0x9c, 0x1e, 0x6f,
0x21, 0x6d, 0xf8, 0x24, 0xca, 0x3c, 0x70, 0x78,
0x36, 0x12, 0x7a, 0x8a, 0x9c, 0xac, 0x4e, 0x1c,
0xa8, 0xfb, 0x27, 0x30, 0xba, 0x9a, 0xf4, 0x2f,
0x0a, 0xab, 0x80, 0x6a, 0xa1, 0x60, 0x74, 0xf0,
0xe3, 0x91, 0x84, 0xe7, 0x90, 0x88, 0xcc, 0xf0,
0x95, 0x7b, 0x0a, 0x22, 0xf2, 0xf9, 0x27, 0xe0,
0xdd, 0x38, 0x0c, 0xfd, 0xe9, 0x03, 0x71, 0xdc,
0x70, 0xa4, 0x6e, 0xdf, 0xe3, 0x72, 0x9e, 0xa1,
0xf0, 0xc9, 0x00, 0xd6, 0x03, 0x55, 0x6a, 0x67,
0x5d, 0x9c, 0xb8, 0x75, 0x01, 0xb0, 0x01, 0x9f,
0xe6, 0xd2, 0x44, 0x18, 0xbc, 0xca, 0x7a, 0x10,
0x39, 0xa6, 0xcf, 0x15, 0xc7, 0xf5, 0x35, 0xd4,
0xb3, 0x6d, 0x91, 0x23, 0x84, 0x99, 0xba, 0xb0,
0x7e, 0xd0, 0xc9, 0x4c, 0xbf, 0x3f, 0x33, 0x68,
0x37, 0xb7, 0x7d, 0x44, 0xb0, 0x0b, 0x2c, 0x0f,
0xd0, 0x75, 0xa2, 0x6b, 0x5b, 0xe1, 0x9f, 0xd4,
0x69, 0x9a, 0x14, 0xc8, 0x29, 0xb7, 0xd9, 0x10,
0xbb, 0x99, 0x30, 0x9a, 0xfb, 0xcc, 0x13, 0x1f,
0x76, 0x4e, 0xe6, 0xdf, 0x14, 0xaa, 0xd5, 0x60,
0xbf, 0x91, 0x49, 0x0d, 0x64, 0x42, 0x29, 0xa8,
0x64, 0x27, 0xd4, 0x5e, 0x1b, 0x18, 0x03, 0xa8,
0x73, 0xd6, 0x05, 0x6e, 0xf7, 0x50, 0xb0, 0x09,
0x6b, 0x69, 0x7a, 0x12, 0x28, 0x58, 0xef, 0x5a,
0x86, 0x11, 0xde, 0x71, 0x71, 0x9f, 0xca, 0xbd,
0x79, 0x2a, 0xc2, 0xe5, 0x9b, 0x5e, 0x32, 0xe7,
0xcb, 0x97, 0x6e, 0xa0, 0xea, 0xa4, 0xa4, 0x6a,
0x32, 0xf9, 0x37, 0x39, 0xd8, 0x37, 0x6d, 0x63,
0xf3, 0x08, 0x1c, 0xdd, 0x06, 0xdd, 0x2c, 0x2b,
0x9f, 0x04, 0x88, 0x5f, 0x36, 0x42, 0xc1, 0xb1,
0xc7, 0xe8, 0x2d, 0x5d, 0xa4, 0x6c, 0xe5, 0x60,
0x94, 0xae, 0xd0, 0x90, 0x1e, 0x88, 0xa0, 0x87,
0x52, 0xfb, 0xed, 0x97, 0xa5, 0x25, 0x5a, 0xb7,
0x55, 0xc5, 0x13, 0x07, 0x85, 0x27, 0x40, 0xed,
0xb8, 0xa0, 0x26, 0x13, 0x44, 0x0c, 0xfc, 0xcc,
0x5a, 0x09, 0xe5, 0x44, 0xb5, 0x63, 0xa1, 0x43,
0x51, 0x23, 0x4f, 0x17, 0x21, 0x89, 0x2e, 0x58,
0xfd, 0xf9, 0x63, 0x74, 0x04, 0x70, 0x1e, 0x7d,
0xd0, 0x66, 0xba, 0x40, 0x5e, 0x45, 0xdc, 0x39,
0x7c, 0x53, 0x0f, 0xa8, 0x38, 0xb2, 0x13, 0x99,
0x27, 0xd9, 0x4a, 0x51, 0xe9, 0x9f, 0x2a, 0x92,
0xbb, 0x9c, 0x90, 0xab, 0xfd, 0xf1, 0xb7, 0x40,
0x05, 0xa9, 0x7a, 0x20, 0x63, 0x36, 0xc1, 0xef,
0xb9, 0xad, 0xa2, 0xe0, 0x1d, 0x20, 0x4f, 0xb2,
0x34, 0xbd, 0xea, 0x07, 0xac, 0x21, 0xce, 0xf6,
0x8a, 0xa2, 0x9e, 0xcd, 0xfa
};
uint32_t toserver_app_data_buf_len = sizeof(toserver_app_data_buf);
Signature *s = NULL;
ThreadVars th_v;
Packet *p = NULL;
Flow f;
TcpSession ssn;
DetectEngineThreadCtx *det_ctx = NULL;
DetectEngineCtx *de_ctx = NULL;
SSLState *ssl_state = NULL;
int r = 0;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&p, 0, sizeof(p));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(true);
de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; ssl_state:client_hello; "
"sid:1;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; "
"ssl_state:server_hello; "
"sid:2;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; "
"ssl_state:client_keyx; "
"sid:3;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; "
"ssl_state:server_keyx; "
"sid:4;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; "
"ssl_state:!client_hello; "
"sid:5;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER | STREAM_START, chello_buf,
chello_buf_len);
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF(ssl_state == NULL);
/* do detect */
p->alerts.cnt = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 1));
FAIL_IF(PacketAlertCheck(p, 2));
FAIL_IF(PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
FAIL_IF(PacketAlertCheck(p, 5));
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
shello_buf, shello_buf_len);
FAIL_IF(r != 0);
/* do detect */
p->alerts.cnt = 0;
p->flowflags = (FLOW_PKT_TOCLIENT | FLOW_PKT_ESTABLISHED);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 1));
FAIL_IF(!PacketAlertCheck(p, 2));
FAIL_IF(PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
FAIL_IF(!PacketAlertCheck(p, 5));
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
client_change_cipher_spec_buf,
client_change_cipher_spec_buf_len);
FAIL_IF(r != 0);
/* do detect */
p->alerts.cnt = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 1));
FAIL_IF(PacketAlertCheck(p, 2));
FAIL_IF(!PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
server_change_cipher_spec_buf,
server_change_cipher_spec_buf_len);
FAIL_IF(r != 0);
/* do detect */
p->alerts.cnt = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 1));
FAIL_IF(PacketAlertCheck(p, 2));
FAIL_IF(PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
toserver_app_data_buf, toserver_app_data_buf_len);
FAIL_IF(r != 0);
/* do detect */
p->alerts.cnt = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 1));
FAIL_IF(PacketAlertCheck(p, 2));
FAIL_IF(PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
PASS;
}
/**
* \brief Test that the "|" character still works as a separate for
* compatibility with older Suricata rules.
@ -536,7 +131,6 @@ static void DetectSslStateRegisterTests(void)
UtRegisterTest("DetectSslStateTest04", DetectSslStateTest04);
UtRegisterTest("DetectSslStateTest05", DetectSslStateTest05);
UtRegisterTest("DetectSslStateTest06", DetectSslStateTest06);
UtRegisterTest("DetectSslStateTest07", DetectSslStateTest07);
UtRegisterTest("DetectSslStateTest08", DetectSslStateTest08);
UtRegisterTest("DetectSslStateTestParseNegate",
DetectSslStateTestParseNegate);

180
src/tests/detect-ssl-version.c
Unescape Escape View File

@ -84,182 +84,6 @@ static int DetectSslVersionTestParse03(void)
PASS;
}
#include "stream-tcp-reassemble.h"
/** \test Send a get request in three chunks + more data. */
static int DetectSslVersionTestDetect01(void)
{
Flow f;
uint8_t sslbuf1[] = { 0x16 };
uint32_t ssllen1 = sizeof(sslbuf1);
uint8_t sslbuf2[] = { 0x03 };
uint32_t ssllen2 = sizeof(sslbuf2);
uint8_t sslbuf3[] = { 0x01 };
uint32_t ssllen3 = sizeof(sslbuf3);
uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 };
uint32_t ssllen4 = sizeof(sslbuf4);
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(true);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, sslbuf1, ssllen1);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf2, ssllen2);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf3, ssllen3);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf4, ssllen4);
FAIL_IF(r != 0);
SSLState *app_state = f.alstate;
FAIL_IF_NULL(app_state);
FAIL_IF(app_state->client_connp.content_type != 0x16);
FAIL_IF(app_state->client_connp.version != TLS_VERSION_10);
SCLogDebug("app_state is at %p, app_state->server_connp.version 0x%02X app_state->client_connp.version 0x%02X",
app_state, app_state->server_connp.version, app_state->client_connp.version);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
PASS;
}
static int DetectSslVersionTestDetect02(void)
{
Flow f;
uint8_t sslbuf1[] = { 0x16 };
uint32_t ssllen1 = sizeof(sslbuf1);
uint8_t sslbuf2[] = { 0x03 };
uint32_t ssllen2 = sizeof(sslbuf2);
uint8_t sslbuf3[] = { 0x01 };
uint32_t ssllen3 = sizeof(sslbuf3);
uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 };
uint32_t ssllen4 = sizeof(sslbuf4);
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(true);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, sslbuf1, ssllen1);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf2, ssllen2);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf3, ssllen3);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf4, ssllen4);
FAIL_IF(r != 0);
SSLState *app_state = f.alstate;
FAIL_IF_NULL(app_state);
FAIL_IF(app_state->client_connp.content_type != 0x16);
FAIL_IF(app_state->client_connp.version != TLS_VERSION_10);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
PASS;
}
/**
* \brief this function registers unit tests for DetectSslVersion
*/
@ -268,8 +92,4 @@ static void DetectSslVersionRegisterTests(void)
UtRegisterTest("DetectSslVersionTestParse01", DetectSslVersionTestParse01);
UtRegisterTest("DetectSslVersionTestParse02", DetectSslVersionTestParse02);
UtRegisterTest("DetectSslVersionTestParse03", DetectSslVersionTestParse03);
UtRegisterTest("DetectSslVersionTestDetect01",
DetectSslVersionTestDetect01);
UtRegisterTest("DetectSslVersionTestDetect02",
DetectSslVersionTestDetect02);
}

220
src/tests/detect-tls-ja3-hash.c
Unescape Escape View File

@ -1,220 +0,0 @@
/* Copyright (C) 2019 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
*/
#include "detect-engine-build.h"
#include "app-layer-parser.h"
/**
* \test Test matching on a simple client hello packet
*/
static int DetectTlsJa3HashTest01(void)
{
/* Client hello */
uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E,
0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
0x6F, 0x6D, };
Flow f;
SSLState *ssl_state = NULL;
Packet *p = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 443);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
p->flow = &f;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(true);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test ja3.hash\"; ja3.hash; "
"content:\"e7eca2baf4458d095b7f45da28c16c34\"; "
"sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, buf, sizeof(buf));
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
FAIL_IF_NULL(ssl_state->client_connp.ja3_hash);
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&tv, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePacket(p);
PASS;
}
/**
* \test Test matching on a simple client hello packet
*/
static int DetectTlsJa3HashTest02(void)
{
/* Client hello */
uint8_t buf[] = { 0x16, 0x03, 0x01, 0x00, 0xc0, 0x01, 0x00, 0x00, 0xbc,
0x03, 0x03, 0x03, 0xb7, 0x16, 0x16, 0x5a, 0xe7, 0xc1,
0xbd, 0x46, 0x2f, 0xff, 0xf3, 0x68, 0xb8, 0x6f, 0x6e,
0x93, 0xdf, 0x06, 0x6a, 0xa7, 0x2d, 0xa0, 0xea, 0x9f,
0x48, 0xb5, 0xe7, 0x91, 0x20, 0xd7, 0x25, 0x00, 0x00,
0x1c, 0x0a, 0x0a, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c,
0xc0, 0x30, 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x13, 0xc0,
0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35,
0x00, 0x0a, 0x01, 0x00, 0x00, 0x77, 0x1a, 0x1a, 0x00,
0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x12, 0x00, 0x10, 0x00, 0x00, 0x0d, 0x77, 0x77, 0x77,
0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e,
0x6f, 0x00, 0x17, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00,
0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08,
0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01,
0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x05, 0x00,
0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00,
0x00, 0x00, 0x10, 0x00, 0x0e, 0x00, 0x0c, 0x02, 0x68,
0x32, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e,
0x31, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a,
0x00, 0x0a, 0x00, 0x08, 0xba, 0xba, 0x00, 0x1d, 0x00,
0x17, 0x00, 0x18, 0x0a, 0x0a, 0x00, 0x01, 0x00 };
Flow f;
SSLState *ssl_state = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 443);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
p->flow = &f;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(true);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test ja3.hash\"; ja3.hash; "
"content:\"bc6c386f480ee97b9d9e52d472b772d8\"; "
"sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, buf, sizeof(buf));
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
FAIL_IF_NULL(ssl_state->client_connp.ja3_hash);
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&tv, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePacket(p);
PASS;
}
static void DetectTlsJa3HashRegisterTests(void)
{
UtRegisterTest("DetectTlsJa3HashTest01", DetectTlsJa3HashTest01);
UtRegisterTest("DetectTlsJa3HashTest02", DetectTlsJa3HashTest02);
}

123
src/tests/detect-tls-ja3-string.c
Unescape Escape View File

@ -1,123 +0,0 @@
/* Copyright (C) 2019 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
*/
#include "detect-engine-build.h"
#include "app-layer-parser.h"
/**
* \test Test matching on a simple client hello packet
*/
static int DetectTlsJa3StringTest01(void)
{
/* Client hello */
uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E,
0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
0x6F, 0x6D, };
Flow f;
SSLState *ssl_state = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 443);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
p->flow = &f;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(true);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test ja3.string\"; ja3.string; "
"content:\"-65-68-69-102-103-104-105-106-107-132-135-255,0,,\"; "
"sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, buf, sizeof(buf));
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
FAIL_IF_NULL(ssl_state->client_connp.ja3_str);
FAIL_IF_NULL(ssl_state->client_connp.ja3_str->data);
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&tv, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePacket(p);
PASS;
}
static void DetectTlsJa3StringRegisterTests(void)
{
UtRegisterTest("DetectTlsJa3StringTest01", DetectTlsJa3StringTest01);
}

169
src/tests/detect-tls-ja3s-hash.c
Unescape Escape View File

@ -1,169 +0,0 @@
/* Copyright (C) 2019 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
*/
#include "detect-engine-build.h"
#include "app-layer-parser.h"
/**
* \test Test matching on a JA3S hash from a ServerHello record
*/
static int DetectTlsJa3SHashTest01(void)
{
/* client hello */
uint8_t client_hello[] = {
0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
0x03, 0x04, 0x02, 0x02, 0x02
};
/* server hello */
uint8_t server_hello[] = {
0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
0x0b, 0x00, 0x02, 0x01, 0x00
};
Flow f;
SSLState *ssl_state = NULL;
TcpSession ssn;
Packet *p1 = NULL;
Packet *p2 = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1", 51251, 443);
p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
"192.168.1.1", "192.168.1.5", 443, 51251);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
f.alproto = ALPROTO_TLS;
p1->flow = &f;
p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->pcap_cnt = 1;
p2->flow = &f;
p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p2->flowflags |= FLOW_PKT_TOCLIENT;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->pcap_cnt = 2;
StreamTcpInitConfig(true);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test ja3s.hash\"; "
"ja3s.hash; "
"content:\"8217013c502e3461d19c75bb02a12aaf\"; "
"sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, client_hello,
sizeof(client_hello));
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
FAIL_IF(PacketAlertCheck(p1, 1));
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
server_hello, sizeof(server_hello));
FAIL_IF(r != 0);
FAIL_IF_NULL(ssl_state->server_connp.ja3_hash);
SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
FAIL_IF_NOT(PacketAlertCheck(p2, 1));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&tv, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePacket(p1);
UTHFreePacket(p2);
PASS;
}
void DetectTlsJa3SHashRegisterTests(void)
{
UtRegisterTest("DetectTlsJa3SHashTest01", DetectTlsJa3SHashTest01);
}

162
src/tests/detect-tls-ja3s-string.c
Unescape Escape View File

@ -1,162 +0,0 @@
/* Copyright (C) 2019 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "detect-engine-build.h"
#include "app-layer-parser.h"
/**
* \test Test matching on a simple client hello packet
*/
static int DetectTlsJa3SStringTest01(void)
{
/* client hello */
uint8_t client_hello[] = {
0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
0x03, 0x04, 0x02, 0x02, 0x02
};
/* server hello */
uint8_t server_hello[] = {
0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
0x0b, 0x00, 0x02, 0x01, 0x00
};
Flow f;
SSLState *ssl_state = NULL;
TcpSession ssn;
Packet *p1 = NULL;
Packet *p2 = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1", 51251, 443);
p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
"192.168.1.1", "192.168.1.5", 443, 51251);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
f.alproto = ALPROTO_TLS;
p1->flow = &f;
p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->pcap_cnt = 1;
p2->flow = &f;
p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p2->flowflags |= FLOW_PKT_TOCLIENT;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->pcap_cnt = 2;
StreamTcpInitConfig(true);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test ja3s_hash\"; "
"ja3s.string; "
"content:\"771,49199,65281-0-35-16-11\"; "
"sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, client_hello,
sizeof(client_hello));
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
FAIL_IF(PacketAlertCheck(p1, 1));
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
server_hello, sizeof(server_hello));
FAIL_IF(r != 0);
FAIL_IF_NULL(ssl_state->server_connp.ja3_str);
SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
FAIL_IF_NOT(PacketAlertCheck(p2, 1));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&tv, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePacket(p1);
UTHFreePacket(p2);
PASS;
}
static void DetectTlsJa3SStringRegisterTests(void)
{
UtRegisterTest("DetectTlsJa3SStringTest01", DetectTlsJa3SStringTest01);
}

216
src/tests/detect-tls-sni.c
Unescape Escape View File

@ -1,216 +0,0 @@
/* Copyright (C) 2007-2019 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Mats Klepsland <mats.klepsland@gmail.com>
*
*/
#include "detect-engine-build.h"
#include "app-layer-parser.h"
/**
* \test Test matching on a simple google.com SNI
*/
static int DetectTlsSniTest01(void)
{
/* client hello */
uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E,
0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
0x6F, 0x6D, };
Flow f;
SSLState *ssl_state = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 443);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
p->flow = &f;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(true);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test tls.sni option\"; "
"tls.sni; content:\"google.com\"; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, buf, sizeof(buf));
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&tv, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePacket(p);
PASS;
}
/**
* \test Test matching on a simple google.com SNI with pcre
*/
static int DetectTlsSniTest02(void)
{
/* client hello */
uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E,
0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
0x6F, 0x6D, };
Flow f;
SSLState *ssl_state = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 443);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
p->flow = &f;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(true);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test tls.sni option\"; "
"tls.sni; content:\"google\"; nocase; "
"pcre:\"/google\\.com$/i\"; sid:1;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test tls.sni option\"; "
"tls.sni; content:\"google\"; nocase; "
"pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, buf, sizeof(buf));
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
FAIL_IF_NOT(PacketAlertCheck(p, 2));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&tv, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePacket(p);
PASS;
}
static void DetectTlsSniRegisterTests(void)
{
UtRegisterTest("DetectTlsSniTest01", DetectTlsSniTest01);
UtRegisterTest("DetectTlsSniTest02", DetectTlsSniTest02);
}

190
src/tests/detect-tls-version.c
Unescape Escape View File

@ -53,192 +53,6 @@ static int DetectTlsVersionTestParse02 (void)
PASS;
}
#include "stream-tcp-reassemble.h"
/** \test Send a get request in three chunks + more data. */
static int DetectTlsVersionTestDetect01(void)
{
Flow f;
uint8_t tlsbuf1[] = { 0x16 };
uint32_t tlslen1 = sizeof(tlsbuf1);
uint8_t tlsbuf2[] = { 0x03 };
uint32_t tlslen2 = sizeof(tlsbuf2);
uint8_t tlsbuf3[] = { 0x01 };
uint32_t tlslen3 = sizeof(tlsbuf3);
uint8_t tlsbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 };
uint32_t tlslen4 = sizeof(tlsbuf4);
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(true);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; tls.version:1.0; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, tlsbuf1, tlslen1);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
tlsbuf2, tlslen2);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
tlsbuf3, tlslen3);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
tlsbuf4, tlslen4);
FAIL_IF(r != 0);
SSLState *ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
FAIL_IF(ssl_state->client_connp.content_type != 0x16);
FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10);
SCLogDebug("ssl_state is at %p, ssl_state->server_version 0x%02X "
"ssl_state->client_version 0x%02X",
ssl_state, ssl_state->server_connp.version,
ssl_state->client_connp.version);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
AppLayerParserThreadCtxFree(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
PASS;
}
static int DetectTlsVersionTestDetect02(void)
{
Flow f;
uint8_t tlsbuf1[] = { 0x16 };
uint32_t tlslen1 = sizeof(tlsbuf1);
uint8_t tlsbuf2[] = { 0x03 };
uint32_t tlslen2 = sizeof(tlsbuf2);
uint8_t tlsbuf3[] = { 0x01 };
uint32_t tlslen3 = sizeof(tlsbuf3);
uint8_t tlsbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 };
uint32_t tlslen4 = sizeof(tlsbuf4);
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(true);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; tls.version:1.0; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, tlsbuf1, tlslen1);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
tlsbuf2, tlslen2);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
tlsbuf3, tlslen3);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
tlsbuf4, tlslen4);
FAIL_IF(r != 0);
SSLState *ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
FAIL_IF(ssl_state->client_connp.content_type != 0x16);
FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
AppLayerParserThreadCtxFree(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(true);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
PASS;
}
/**
* \brief this function registers unit tests for DetectTlsVersion
*/
@ -246,8 +60,4 @@ static void DetectTlsVersionRegisterTests(void)
{
UtRegisterTest("DetectTlsVersionTestParse01", DetectTlsVersionTestParse01);
UtRegisterTest("DetectTlsVersionTestParse02", DetectTlsVersionTestParse02);
UtRegisterTest("DetectTlsVersionTestDetect01",
DetectTlsVersionTestDetect01);
UtRegisterTest("DetectTlsVersionTestDetect02",
DetectTlsVersionTestDetect02);
}

Write Preview
Loading…
Cancel
Save