diff --git a/src/Makefile.am b/src/Makefile.am index be200cb628..37a134cd1f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -88,6 +88,7 @@ detect-detection-filter.c detect-detection-filter.h \ detect-distance.c detect-distance.h \ detect-dns-query.c detect-dns-query.h \ detect-tls-sni.c detect-tls-sni.h \ +detect-tls-cert-issuer.c detect-tls-cert-issuer.h \ detect-dsize.c detect-dsize.h \ detect-engine-address.c detect-engine-address.h \ detect-engine-address-ipv4.c detect-engine-address-ipv4.h \ diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index ade8ec0946..b6bbc86140 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -480,6 +480,8 @@ static void EngineAnalysisRulesPrintFP(const Signature *s) fprintf(rule_engine_analysis_FD, "dns query name content"); else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH) fprintf(rule_engine_analysis_FD, "tls sni extension content"); + else if (list_type == DETECT_SM_LIST_TLSISSUER_MATCH) + fprintf(rule_engine_analysis_FD, "tls issuer content"); fprintf(rule_engine_analysis_FD, "\" buffer.\n"); diff --git a/src/detect-engine-content-inspection.h b/src/detect-engine-content-inspection.h index 7636fdf2c0..9402a66fd8 100644 --- a/src/detect-engine-content-inspection.h +++ b/src/detect-engine-content-inspection.h @@ -50,6 +50,7 @@ enum { DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRHHD, DETECT_ENGINE_CONTENT_INSPECTION_MODE_DNSQUERY, DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSSNI, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSISSUER, DETECT_ENGINE_CONTENT_INSPECTION_MODE_FD_SMTP, DETECT_ENGINE_CONTENT_INSPECTION_MODE_BASE64, DETECT_ENGINE_CONTENT_INSPECTION_MODE_TEMPLATE_BUFFER, diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index be02ed57d7..aadb359941 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -107,6 +107,7 @@ AppLayerMpms app_mpms[] = { { "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH, SIG_GROUP_HEAD_MPM_DNSQUERY, 17}, { "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH, SIG_GROUP_HEAD_MPM_TLSSNI, 18}, + { "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH, SIG_GROUP_HEAD_MPM_TLSISSUER, 19}, { NULL, 0, 0, 0, 0, 0, } }; @@ -1220,8 +1221,9 @@ void MpmStoreFixup(SigGroupHead *sgh) SET_TS(sgh, sgh->mpm_dnsquery_ctx_ts); SET_TS(sgh, sgh->mpm_tlssni_ctx_ts); + SET_TC(sgh, sgh->mpm_tlsissuer_ctx_ts); - BUG_ON(APP_MPMS_MAX != 19 || i != 19); + BUG_ON(APP_MPMS_MAX != 20 || i != 20); #undef SET_TS #undef SET_TC diff --git a/src/detect-engine-state.h b/src/detect-engine-state.h index dcbbc9c499..903920b353 100644 --- a/src/detect-engine-state.h +++ b/src/detect-engine-state.h @@ -88,8 +88,9 @@ #define DE_STATE_FLAG_DNSREQUEST_INSPECT BIT_U32(22) #define DE_STATE_FLAG_DNSRESPONSE_INSPECT BIT_U32(23) #define DE_STATE_FLAG_TLSSNI_INSPECT BIT_U32(24) -#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(25) -#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT BIT_U32(26) +#define DE_STATE_FLAG_TLSISSUER_INSPECT BIT_U32(25) +#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(26) +#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT BIT_U32(27) /* state flags */ #define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001 diff --git a/src/detect-engine-tls.c b/src/detect-engine-tls.c index 2cac96a01c..91e3ed2004 100644 --- a/src/detect-engine-tls.c +++ b/src/detect-engine-tls.c @@ -143,3 +143,102 @@ int DetectEngineInspectTlsSni(ThreadVars *tv, DetectEngineCtx *de_ctx, return cnt; } + +/** + * \brief TLS issuer match -- searches for one pattern per signature. + * + * \param det_ctx Detection engine thread ctx + * \param hrh Buffer to inspect + * \param hrh_len Buffer length + * \param flags Flags + * + * \retval ret Number of matches + */ +static inline uint32_t TlsIssuerPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *buffer, + const uint32_t buffer_len, + const uint8_t flags) +{ + SCEnter(); + + uint32_t ret = 0; + + DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOSERVER); + DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_tlsissuer_ctx_ts == NULL); + + if (buffer_len >= det_ctx->sgh->mpm_tlsissuer_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_tlsissuer_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_tlsissuer_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, buffer, buffer_len); + } + + SCReturnUInt(ret); +} + +/** + * \brief Run the pattern matcher against the TLS issuer buffer + * + * \param det_ctx Detection engine thread ctx + * \param f Locked flow + * \param dns_state Initialized dns state + * \param flags Flags + * + * \retval cnt Number of matches + */ +uint32_t DetectTlsIssuerInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f, + SSLState *ssl_state, uint8_t flags) +{ + SCEnter(); + + uint8_t *buffer; + uint32_t buffer_len; + uint32_t cnt = 0; + + if (ssl_state->server_connp.cert0_issuerdn == NULL) + return 0; + + buffer = (uint8_t *)ssl_state->server_connp.cert0_issuerdn; + buffer_len = strlen(ssl_state->server_connp.cert0_issuerdn); + + cnt = TlsIssuerPatternSearch(det_ctx, buffer, buffer_len, flags); + + SCReturnUInt(cnt); +} + +/** \brief Do the content inspection and validation for a signature + * + * \param de_ctx Detection engine context + * \param det_ctx Detection engine thread context + * \param s Signature to inspect + * \param sm SigMatch to inspect + * \param f Flow + * \param flags App layer flags + * \param state App layer state + * + * \retval 0 No match + * \retval 1 Match + */ +int DetectEngineInspectTlsIssuer(ThreadVars *tv, DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, Signature *s, + Flow *f, uint8_t flags, void *alstate, void *txv, + uint64_t tx_id) +{ + uint8_t *buffer; + uint16_t buffer_len; + int cnt = 0; + + SSLState *ssl_state = (SSLState *)alstate; + + if (ssl_state->server_connp.cert0_issuerdn == NULL) + return 0; + + buffer = (uint8_t *)ssl_state->server_connp.cert0_issuerdn; + buffer_len = strlen(ssl_state->server_connp.cert0_issuerdn); + + cnt = DetectEngineContentInspection(de_ctx, det_ctx, s, + s->sm_lists[DETECT_SM_LIST_TLSISSUER_MATCH], + f, buffer, buffer_len, 0, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_TLSISSUER, NULL); + + return cnt; +} diff --git a/src/detect-engine-tls.h b/src/detect-engine-tls.h index 3a9d530f0c..b10d2a4000 100644 --- a/src/detect-engine-tls.h +++ b/src/detect-engine-tls.h @@ -28,4 +28,9 @@ int DetectEngineInspectTlsSni(ThreadVars *tv, DetectEngineCtx *de_ctx, Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id); +int DetectEngineInspectTlsIssuer(ThreadVars *tv, DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *s, Flow *f, uint8_t flags, + void *alstate, void *txv, uint64_t tx_id); + #endif /* __DETECT_ENGINE_TLS_H__ */ diff --git a/src/detect-engine.c b/src/detect-engine.c index d7aee2242a..1b2cd0c9c0 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -364,6 +364,13 @@ void DetectEngineRegisterAppInspectionEngines(void) DE_STATE_FLAG_DNSRESPONSE_INSPECT, 1, DetectEngineInspectDnsResponse }, + /* TLS */ + { IPPROTO_TCP, + ALPROTO_TLS, + DETECT_SM_LIST_TLSISSUER_MATCH, + DE_STATE_FLAG_TLSISSUER_INSPECT, + 1, + DetectEngineInspectTlsIssuer }, /* specifically for UDP, register again * allows us to use the alproto w/o translation * in the detection engine */ @@ -2741,6 +2748,8 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type) case DETECT_SM_LIST_TLSSNI_MATCH: return "tls sni extension"; + case DETECT_SM_LIST_TLSISSUER_MATCH: + return "tls issuer"; case DETECT_SM_LIST_MODBUS_MATCH: return "modbus"; diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index dc7d94c64e..55ceb6fa0c 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -137,6 +137,7 @@ void SupportFastPatternForSigMatchTypes(void) SupportFastPatternForSigMatchList(DETECT_SM_LIST_DNSQUERYNAME_MATCH, 2); SupportFastPatternForSigMatchList(DETECT_SM_LIST_TLSSNI_MATCH, 2); + SupportFastPatternForSigMatchList(DETECT_SM_LIST_TLSISSUER_MATCH, 2); #if 0 SCFPSupportSMList *tmp = sm_fp_support_smlist_list; @@ -205,7 +206,8 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH] == NULL && s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH] == NULL && s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH] == NULL && - s->sm_lists_tail[DETECT_SM_LIST_TLSSNI_MATCH] == NULL) { + s->sm_lists_tail[DETECT_SM_LIST_TLSSNI_MATCH] == NULL && + s->sm_lists_tail[DETECT_SM_LIST_TLSISSUER_MATCH] == NULL) { SCLogWarning(SC_WARN_COMPATIBILITY, "fast_pattern found inside the " "rule, without a preceding content based keyword. " "Currently we provide fast_pattern support for content, " @@ -213,7 +215,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a "http_raw_header, http_method, http_cookie, " "http_raw_uri, http_stat_msg, http_stat_code, " "http_user_agent, http_host, http_raw_host, " - "dns_query or tls_sni option"); + "dns_query, tls_sni or tls_cert_issuer option"); return -1; } @@ -233,7 +235,8 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_TLSSNI_MATCH]); + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_TLSSNI_MATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_TLSISSUER_MATCH]); if (pm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside " "the rule, without a content context. Please use a " diff --git a/src/detect-parse.c b/src/detect-parse.c index 9e970e3896..8b8158b5c5 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -165,6 +165,7 @@ const char *DetectListToHumanString(int list) CASE_CODE_STRING(DETECT_SM_LIST_DNSRESPONSE_MATCH, "dns_response"); CASE_CODE_STRING(DETECT_SM_LIST_DNSQUERYNAME_MATCH, "dns_query"); CASE_CODE_STRING(DETECT_SM_LIST_TLSSNI_MATCH, "tls_sni"); + CASE_CODE_STRING(DETECT_SM_LIST_TLSISSUER_MATCH, "tls_cert_issuer"); CASE_CODE_STRING(DETECT_SM_LIST_MODBUS_MATCH, "modbus"); CASE_CODE_STRING(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH, "template"); CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch"); @@ -206,6 +207,7 @@ const char *DetectListToString(int list) CASE_CODE(DETECT_SM_LIST_DNSRESPONSE_MATCH); CASE_CODE(DETECT_SM_LIST_DNSQUERYNAME_MATCH); CASE_CODE(DETECT_SM_LIST_TLSSNI_MATCH); + CASE_CODE(DETECT_SM_LIST_TLSISSUER_MATCH); CASE_CODE(DETECT_SM_LIST_MODBUS_MATCH); CASE_CODE(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH); CASE_CODE(DETECT_SM_LIST_POSTMATCH); @@ -1559,6 +1561,8 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr, /* TLS */ if (sig->sm_lists[DETECT_SM_LIST_TLSSNI_MATCH]) sig->flags |= SIG_FLAG_STATE_MATCH; + if (sig->sm_lists[DETECT_SM_LIST_TLSISSUER_MATCH]) + sig->flags |= SIG_FLAG_STATE_MATCH; if (sig->sm_lists[DETECT_SM_LIST_MODBUS_MATCH]) sig->flags |= SIG_FLAG_STATE_MATCH; diff --git a/src/detect-tls-cert-issuer.c b/src/detect-tls-cert-issuer.c new file mode 100644 index 0000000000..0a9702f313 --- /dev/null +++ b/src/detect-tls-cert-issuer.c @@ -0,0 +1,101 @@ +/* Copyright (C) 2007-2016 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Mats Klepsland + * + * Implements support for tls_cert_issuer keyword. + */ + +#include "suricata-common.h" +#include "threads.h" +#include "debug.h" +#include "decode.h" +#include "detect.h" + +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-content.h" +#include "detect-pcre.h" + +#include "flow.h" +#include "flow-util.h" +#include "flow-var.h" + +#include "util-debug.h" +#include "util-unittest.h" +#include "util-spm.h" +#include "util-print.h" + +#include "stream-tcp.h" + +#include "app-layer.h" +#include "app-layer-ssl.h" + +#include "util-unittest.h" +#include "util-unittest-helper.h" + +static int DetectTlsIssuerSetup(DetectEngineCtx *, Signature *, char *); +static void DetectTlsIssuerRegisterTests(void); + +/** + * \brief Registration function for keyword: tls_cert_issuer + */ +void DetectTlsIssuerRegister(void) +{ + sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].name = "tls_cert_issuer"; + sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].desc = "content modifier to match specifically and only on the TLS cert issuer buffer"; + sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Match = NULL; + sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].AppLayerMatch = NULL; + sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Setup = DetectTlsIssuerSetup; + sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Free = NULL; + sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].RegisterTests = DetectTlsIssuerRegisterTests; + + sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_PAYLOAD; +} + + +/** + * \brief this function setup the tls_cert_issuer modifier keyword used in the rule + * + * \param de_ctx Pointer to the Detection Engine Context + * \param s Pointer to the Signature to which the current keyword belongs + * \param str Should hold an empty string always + * + * \retval 0 On success + */ +static int DetectTlsIssuerSetup(DetectEngineCtx *de_ctx, Signature *s, char *str) +{ + s->list = DETECT_SM_LIST_TLSISSUER_MATCH; + s->alproto = ALPROTO_TLS; + return 0; +} + +#ifdef UNITTESTS + /* TODO add unit tests */ +#endif + +static void DetectTlsIssuerRegisterTests(void) +{ +#ifdef UNITTESTS + /* TODO add unit tests */ +#endif +} diff --git a/src/detect-tls-cert-issuer.h b/src/detect-tls-cert-issuer.h new file mode 100644 index 0000000000..8febf749f1 --- /dev/null +++ b/src/detect-tls-cert-issuer.h @@ -0,0 +1,33 @@ +/* Copyright (C) 2016 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Mats Klepsland + */ + +#ifndef __DETECT_TLS_ISSUER_H__ +#define __DETECT_TLS_ISSUER_H__ + +#include "app-layer-ssl.h" + +void DetectTlsIssuerRegister(void); +uint32_t DetectTlsIssuerInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f, + SSLState *ssl_state, uint8_t flags); + +#endif /* __DETECT_TLS_ISSUER_H__ */ diff --git a/src/detect.c b/src/detect.c index b1d1c6d5a7..1c0640dc7a 100644 --- a/src/detect.c +++ b/src/detect.c @@ -49,6 +49,7 @@ #include "detect-engine-uri.h" #include "detect-dns-query.h" #include "detect-tls-sni.h" +#include "detect-tls-cert-issuer.h" #include "detect-engine-state.h" #include "detect-engine-analyzer.h" #include "detect-engine-filedata-smtp.h" @@ -1039,6 +1040,18 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, DetectTlsSniInspectMpm(det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSSNI); } + } else if (p->flowflags & FLOW_PKT_TOCLIENT) { + if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_TLSISSUER) { + void *alstate = FlowGetAppState(p->flow); + if (alstate == NULL) { + SCLogDebug("no alstate"); + return; + } + + PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_TLSISSUER); + DetectTlsIssuerInspectMpm(det_ctx, p->flow, alstate, flags); + PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSISSUER); + } } } else if (alproto == ALPROTO_SMTP && has_state) { if (p->flowflags & FLOW_PKT_TOSERVER) { @@ -4374,6 +4387,7 @@ void SigTableSetup(void) DetectIPRepRegister(); DetectDnsQueryRegister(); DetectTlsSniRegister(); + DetectTlsIssuerRegister(); DetectModbusRegister(); DetectAppLayerProtocolRegister(); DetectBase64DecodeRegister(); diff --git a/src/detect.h b/src/detect.h index e0f555674b..09d5bac6f1 100644 --- a/src/detect.h +++ b/src/detect.h @@ -125,6 +125,7 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_DNSQUERYNAME_MATCH, /**< per query in a tx list */ DETECT_SM_LIST_TLSSNI_MATCH, + DETECT_SM_LIST_TLSISSUER_MATCH, DETECT_SM_LIST_MODBUS_MATCH, @@ -936,9 +937,10 @@ typedef struct SigTableElmt_ { #define SIG_GROUP_HEAD_HAVEFILESIZE (1 << 22) #define SIG_GROUP_HEAD_MPM_DNSQUERY (1 << 23) #define SIG_GROUP_HEAD_MPM_TLSSNI (1 << 24) -#define SIG_GROUP_HEAD_MPM_FD_SMTP (1 << 25) +#define SIG_GROUP_HEAD_MPM_TLSISSUER (1 << 25) +#define SIG_GROUP_HEAD_MPM_FD_SMTP (1 << 26) -#define APP_MPMS_MAX 19 +#define APP_MPMS_MAX 20 enum MpmBuiltinBuffers { MPMB_TCP_PKT_TS, @@ -1017,6 +1019,7 @@ typedef struct SigGroupHead_ { const MpmCtx *mpm_hrhhd_ctx_ts; const MpmCtx *mpm_dnsquery_ctx_ts; const MpmCtx *mpm_tlssni_ctx_ts; + const MpmCtx *mpm_tlsissuer_ctx_ts; const MpmCtx *mpm_smtp_filedata_ctx_ts; }; struct { @@ -1218,6 +1221,8 @@ enum { DETECT_AL_DNS_QUERY, DETECT_AL_TLS_SNI, + DETECT_AL_TLS_CERT_ISSUER, + DETECT_AL_TLS_CERT_SUBJECT, DETECT_AL_MODBUS, DETECT_XBITS, diff --git a/src/suricata-common.h b/src/suricata-common.h index fedccf31ce..4b6ec9694b 100644 --- a/src/suricata-common.h +++ b/src/suricata-common.h @@ -328,6 +328,7 @@ typedef enum PacketProfileDetectId_ { PROF_DETECT_MPM_HRHHD, PROF_DETECT_MPM_DNSQUERY, PROF_DETECT_MPM_TLSSNI, + PROF_DETECT_MPM_TLSISSUER, PROF_DETECT_IPONLY, PROF_DETECT_RULES, PROF_DETECT_STATEFUL, diff --git a/src/util-profiling.c b/src/util-profiling.c index 5f6aa20660..ec09cbdc48 100644 --- a/src/util-profiling.c +++ b/src/util-profiling.c @@ -1226,6 +1226,7 @@ const char * PacketProfileDetectIdToString(PacketProfileDetectId id) CASE_CODE (PROF_DETECT_MPM_HUAD); CASE_CODE (PROF_DETECT_MPM_DNSQUERY); CASE_CODE (PROF_DETECT_MPM_TLSSNI); + CASE_CODE (PROF_DETECT_MPM_TLSISSUER); CASE_CODE (PROF_DETECT_IPONLY); CASE_CODE (PROF_DETECT_RULES); CASE_CODE (PROF_DETECT_PREFILTER);