quic: allow ja3.hash keyword

Ticket: #5624
3 years ago · 7cb40a1dfc
parent 286bd2a7ed
commit 7cb40a1dfc
2 changed files with 66 additions and 2 deletions
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
@ -68,6 +68,30 @@ static bool DetectTlsJa3HashValidateCallback(const Signature *s,
       const char **sigerror);
 static int g_tls_ja3_hash_buffer_id = 0;

+static InspectionBuffer *GetJa3Data(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+        const int list_id)
+{
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+    if (buffer->inspect == NULL) {
+        uint32_t b_len = 0;
+        const uint8_t *b = NULL;
+
+        if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
+            return NULL;
+        if (b == NULL || b_len == 0)
+            return NULL;
+
+        uint8_t ja3_hash[SC_MD5_HEX_LEN + 1];
+        // this adds a final zero
+        SCMd5HashBufferToHex(b, b_len, ja3_hash, SC_MD5_HEX_LEN + 1);
+
+        InspectionBufferSetup(det_ctx, list_id, buffer, ja3_hash, SC_MD5_HEX_LEN);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+    return buffer;
+}
+
 /**
 * \brief Registration function for keyword: ja3_hash
 */
@ -87,6 +111,12 @@ void DetectTlsJa3HashRegister(void)
    DetectAppLayerMpmRegister2("ja3.hash", SIG_FLAG_TOSERVER, 2,
            PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);

+    DetectAppLayerMpmRegister2("ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
+            GetJa3Data, ALPROTO_QUIC, 1);
+
+    DetectAppLayerInspectEngineRegister2("ja3.hash", ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1,
+            DetectEngineInspectBufferGeneric, GetJa3Data);
+
    DetectBufferTypeSetDescriptionByName("ja3.hash", "TLS JA3 hash");

    DetectBufferTypeRegisterSetupCallback("ja3.hash",
@ -114,8 +144,10 @@ static int DetectTlsJa3HashSetup(DetectEngineCtx *de_ctx, Signature *s, const ch
    if (DetectBufferSetActiveList(s, g_tls_ja3_hash_buffer_id) < 0)
        return -1;

-    if (DetectSignatureSetAppProto(s, ALPROTO_TLS) < 0)
+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS && s->alproto != ALPROTO_QUIC) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting protocols.");
        return -1;
+    }

    /* try to enable JA3 */
    SSLEnableJA3();
--- a/src/detect-tls-ja3s-hash.c
+++ b/src/detect-tls-ja3s-hash.c
@ -68,6 +68,30 @@ static bool DetectTlsJa3SHashValidateCallback(const Signature *s,
       const char **sigerror);
 static int g_tls_ja3s_hash_buffer_id = 0;

+static InspectionBuffer *GetJa3Data(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+        const int list_id)
+{
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+    if (buffer->inspect == NULL) {
+        uint32_t b_len = 0;
+        const uint8_t *b = NULL;
+
+        if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
+            return NULL;
+        if (b == NULL || b_len == 0)
+            return NULL;
+
+        uint8_t ja3_hash[SC_MD5_HEX_LEN + 1];
+        // this adds a final zero
+        SCMd5HashBufferToHex(b, b_len, ja3_hash, SC_MD5_HEX_LEN + 1);
+
+        InspectionBufferSetup(det_ctx, list_id, buffer, ja3_hash, SC_MD5_HEX_LEN);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+    return buffer;
+}
+
 /**
 * \brief Registration function for keyword: ja3s.hash
 */
@ -86,6 +110,12 @@ void DetectTlsJa3SHashRegister(void)
    DetectAppLayerMpmRegister2("ja3s.hash", SIG_FLAG_TOCLIENT, 2,
            PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);

+    DetectAppLayerMpmRegister2("ja3s.hash", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
+            GetJa3Data, ALPROTO_QUIC, 1);
+
+    DetectAppLayerInspectEngineRegister2("ja3s.hash", ALPROTO_QUIC, SIG_FLAG_TOCLIENT, 1,
+            DetectEngineInspectBufferGeneric, GetJa3Data);
+
    DetectBufferTypeSetDescriptionByName("ja3s.hash", "TLS JA3S hash");

    DetectBufferTypeRegisterSetupCallback("ja3s.hash",
@ -112,8 +142,10 @@ static int DetectTlsJa3SHashSetup(DetectEngineCtx *de_ctx, Signature *s, const c
    if (DetectBufferSetActiveList(s, g_tls_ja3s_hash_buffer_id) < 0)
        return -1;

-    if (DetectSignatureSetAppProto(s, ALPROTO_TLS) < 0)
+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS && s->alproto != ALPROTO_QUIC) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting protocols.");
        return -1;
+    }

    /* try to enable JA3 */
    SSLEnableJA3();