detect-tls-version: add support for 'raw' matching

Add support for matching a 'raw' TLS version using a hex string, e.g.:

  tls.version:0x7f12;

The above example matches TLSv1.3 draft 16.
Mats Klepsland 7 years ago
parent 4323e7840f
commit df9853b75c

@ -121,9 +121,11 @@ static int DetectTlsVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
SCLogDebug("client (toserver) version is 0x%02X", version); SCLogDebug("client (toserver) version is 0x%02X", version);
} }
/* Match all TLSv1.3 drafts as TLSv1.3 */ if ((tls_data->flags & DETECT_TLS_VERSION_FLAG_RAW) == 0) {
if (((version >> 8) & 0xff) == 0x7f) { /* Match all TLSv1.3 drafts as TLSv1.3 */
version = TLS_VERSION_13; if (((version >> 8) & 0xff) == 0x7f) {
version = TLS_VERSION_13;
}
} }
if (tls_data->ver == version) { if (tls_data->ver == version) {
@ -168,7 +170,7 @@ static DetectTlsVersionData *DetectTlsVersionParse (const char *str)
} }
/* We have a correct id option */ /* We have a correct id option */
tls = SCMalloc(sizeof(DetectTlsVersionData)); tls = SCCalloc(1, sizeof(DetectTlsVersionData));
if (unlikely(tls == NULL)) if (unlikely(tls == NULL))
goto error; goto error;
@ -185,14 +187,17 @@ static DetectTlsVersionData *DetectTlsVersionParse (const char *str)
tmp_str += 1; tmp_str += 1;
} }
if (strcmp("1.0", tmp_str) == 0) { if (strncmp("1.0", tmp_str, 3) == 0) {
temp = TLS_VERSION_10; temp = TLS_VERSION_10;
} else if (strcmp("1.1", tmp_str) == 0) { } else if (strncmp("1.1", tmp_str, 3) == 0) {
temp = TLS_VERSION_11; temp = TLS_VERSION_11;
} else if (strcmp("1.2", tmp_str) == 0) { } else if (strncmp("1.2", tmp_str, 3) == 0) {
temp = TLS_VERSION_12; temp = TLS_VERSION_12;
} else if (strcmp("1.3", tmp_str) == 0) { } else if (strncmp("1.3", tmp_str, 3) == 0) {
temp = TLS_VERSION_13; temp = TLS_VERSION_13;
} else if ((strncmp("0x", tmp_str, 2) == 0) && (strlen(str) == 6)) {
temp = (uint16_t)strtol(tmp_str, NULL, 0);
tls->flags |= DETECT_TLS_VERSION_FLAG_RAW;
} else { } else {
SCLogError(SC_ERR_INVALID_VALUE, "Invalid value"); SCLogError(SC_ERR_INVALID_VALUE, "Invalid value");
SCFree(orig); SCFree(orig);
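Review bot: The raw branch in DetectTlsVersionParse (hunk at @ -185) converts with `strtol(tmp_str, NULL, 0)` and never checks that the whole string was consumed, so a value such as `0xzz12` or `0x7f1g` is accepted and silently becomes a wrong version instead of reaching the "Invalid value" error. Pass an end pointer and reject anything left over, e.g. `char *end = NULL;` / `temp = (uint16_t)strtol(tmp_str, &end, 16);` / `if (end == tmp_str || *end != '\0')` then take the existing error path. The same condition measures `strlen(str)` while the prefix test looks at `tmp_str`, which is advanced earlier in the hunk (`tmp_str += 1;`); if the two point at different text, e.g. for a quoted value, the length check is against the wrong string, so this is worth confirming. Replacing `strcmp` with `strncmp(..., 3)` on the `1.x` arms also makes `1.2abc` match TLSv1.2, which the previous exact comparison rejected. The body of DetectTlsVersionParse begins and ends outside the hunk.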

@ -24,8 +24,11 @@
#ifndef __DETECT_TLS_VERSION_H__ #ifndef __DETECT_TLS_VERSION_H__
#define __DETECT_TLS_VERSION_H__ #define __DETECT_TLS_VERSION_H__
#define DETECT_TLS_VERSION_FLAG_RAW BIT_U8(0)
typedef struct DetectTlsVersionData_ { typedef struct DetectTlsVersionData_ {
uint16_t ver; /** tls version to match */ uint16_t ver; /** tls version to match */
uint8_t flags;
} DetectTlsVersionData; } DetectTlsVersionData;
/* prototypes */ /* prototypes */
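Review bot: The new `flags` member of DetectTlsVersionData (hunk at @ -24) has no comment, while the neighbouring `ver` field documents itself, and `DETECT_TLS_VERSION_FLAG_RAW` is introduced without saying what it changes. Document both where they are declared: `uint8_t flags; /** DETECT_TLS_VERSION_FLAG_* bits */` and, above the define, `/* Match 'ver' exactly: do not fold 0x7fXX TLSv1.3 drafts into TLS_VERSION_13 */`. That draft folding is exactly what the matching code skips when the flag is set, so the comment should stay in step with that check.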
