detect-tls-ja3-hash: add content validation callback

Validate that the content that follows the 'ja3_hash' keyword has the correct length.
7 years ago · 4c9d448fa1
parent 52d9d45747
commit 4c9d448fa1
1 changed files with 29 additions and 0 deletions
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
@ -64,6 +64,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
       const DetectEngineTransforms *transforms,
       Flow *_f, const uint8_t _flow_flags,
       void *txv, const int list_id);
+static _Bool DetectTlsJa3HashValidateCallback(const Signature *s,
+       const char **sigerror);
 static int g_tls_ja3_hash_buffer_id = 0;

 /**
@ -89,6 +91,9 @@ void DetectTlsJa3HashRegister(void)

    DetectBufferTypeSetDescriptionByName("ja3_hash", "TLS JA3 hash");

+    DetectBufferTypeRegisterValidateCallback("ja3_hash",
+            DetectTlsJa3HashValidateCallback);
+
    g_tls_ja3_hash_buffer_id = DetectBufferTypeGetByName("ja3_hash");
 }

@ -140,6 +145,30 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
    return buffer;
 }

+static _Bool DetectTlsJa3HashValidateCallback(const Signature *s,
+                                              const char **sigerror)
+{
+    const SigMatch *sm = s->init_data->smlists[g_tls_ja3_hash_buffer_id];
+    for ( ; sm != NULL; sm = sm->next)
+    {
+        if (sm->type != DETECT_CONTENT)
+            continue;
+
+        DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+        if (cd->content_len == 32)
+            return TRUE;
+
+        *sigerror = "Invalid length of the specified JA3 hash (should "
+                    "be 32 characters long). This rule will therefore "
+                    "never match.";
+        SCLogWarning(SC_WARN_POOR_RULE,  "rule %u: %s", s->id, *sigerror);
+        return FALSE;
+    }
+
+    return TRUE;
+}
+
 #ifndef HAVE_NSS

 static void DetectTlsJa3HashRegisterTests(void)