quic: ja3 code deduplication

As quic transactions are unidirectional, the same function is used to get ja3 from client or from server.
2 years ago · f75d18b077
parent 7cb40a1dfc
commit f75d18b077
6 changed files with 64 additions and 96 deletions
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
@ -68,30 +68,6 @@ static bool DetectTlsJa3HashValidateCallback(const Signature *s,
       const char **sigerror);
 static int g_tls_ja3_hash_buffer_id = 0;

-static InspectionBuffer *GetJa3Data(DetectEngineThreadCtx *det_ctx,
-        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
-        const int list_id)
-{
-    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
-    if (buffer->inspect == NULL) {
-        uint32_t b_len = 0;
-        const uint8_t *b = NULL;
-
-        if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
-            return NULL;
-        if (b == NULL || b_len == 0)
-            return NULL;
-
-        uint8_t ja3_hash[SC_MD5_HEX_LEN + 1];
-        // this adds a final zero
-        SCMd5HashBufferToHex(b, b_len, ja3_hash, SC_MD5_HEX_LEN + 1);
-
-        InspectionBufferSetup(det_ctx, list_id, buffer, ja3_hash, SC_MD5_HEX_LEN);
-        InspectionBufferApplyTransforms(buffer, transforms);
-    }
-    return buffer;
-}
-
 /**
 * \brief Registration function for keyword: ja3_hash
 */
@ -112,10 +88,10 @@ void DetectTlsJa3HashRegister(void)
            PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);

    DetectAppLayerMpmRegister2("ja3.hash", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
-            GetJa3Data, ALPROTO_QUIC, 1);
+            Ja3DetectGetHash, ALPROTO_QUIC, 1);

    DetectAppLayerInspectEngineRegister2("ja3.hash", ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1,
-            DetectEngineInspectBufferGeneric, GetJa3Data);
+            DetectEngineInspectBufferGeneric, Ja3DetectGetHash);

    DetectBufferTypeSetDescriptionByName("ja3.hash", "TLS JA3 hash");

--- a/src/detect-tls-ja3-string.c
+++ b/src/detect-tls-ja3-string.c
@ -64,26 +64,6 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
       void *txv, const int list_id);
 static int g_tls_ja3_str_buffer_id = 0;

-static InspectionBuffer *GetJa3Data(DetectEngineThreadCtx *det_ctx,
-        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
-        const int list_id)
-{
-    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
-    if (buffer->inspect == NULL) {
-        uint32_t b_len = 0;
-        const uint8_t *b = NULL;
-
-        if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
-            return NULL;
-        if (b == NULL || b_len == 0)
-            return NULL;
-
-        InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
-        InspectionBufferApplyTransforms(buffer, transforms);
-    }
-    return buffer;
-}
-
 /**
 * \brief Registration function for keyword: ja3.string
 */
@ -104,10 +84,10 @@ void DetectTlsJa3StringRegister(void)
            PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);

    DetectAppLayerMpmRegister2("ja3.string", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
-            GetJa3Data, ALPROTO_QUIC, 1);
+            Ja3DetectGetString, ALPROTO_QUIC, 1);

    DetectAppLayerInspectEngineRegister2("ja3.string", ALPROTO_QUIC, SIG_FLAG_TOSERVER, 1,
-            DetectEngineInspectBufferGeneric, GetJa3Data);
+            DetectEngineInspectBufferGeneric, Ja3DetectGetString);

    DetectBufferTypeSetDescriptionByName("ja3.string", "TLS JA3 string");

--- a/src/detect-tls-ja3s-hash.c
+++ b/src/detect-tls-ja3s-hash.c
@ -68,30 +68,6 @@ static bool DetectTlsJa3SHashValidateCallback(const Signature *s,
       const char **sigerror);
 static int g_tls_ja3s_hash_buffer_id = 0;

-static InspectionBuffer *GetJa3Data(DetectEngineThreadCtx *det_ctx,
-        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
-        const int list_id)
-{
-    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
-    if (buffer->inspect == NULL) {
-        uint32_t b_len = 0;
-        const uint8_t *b = NULL;
-
-        if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
-            return NULL;
-        if (b == NULL || b_len == 0)
-            return NULL;
-
-        uint8_t ja3_hash[SC_MD5_HEX_LEN + 1];
-        // this adds a final zero
-        SCMd5HashBufferToHex(b, b_len, ja3_hash, SC_MD5_HEX_LEN + 1);
-
-        InspectionBufferSetup(det_ctx, list_id, buffer, ja3_hash, SC_MD5_HEX_LEN);
-        InspectionBufferApplyTransforms(buffer, transforms);
-    }
-    return buffer;
-}
-
 /**
 * \brief Registration function for keyword: ja3s.hash
 */
@ -111,10 +87,10 @@ void DetectTlsJa3SHashRegister(void)
            PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);

    DetectAppLayerMpmRegister2("ja3s.hash", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
-            GetJa3Data, ALPROTO_QUIC, 1);
+            Ja3DetectGetHash, ALPROTO_QUIC, 1);

    DetectAppLayerInspectEngineRegister2("ja3s.hash", ALPROTO_QUIC, SIG_FLAG_TOCLIENT, 1,
-            DetectEngineInspectBufferGeneric, GetJa3Data);
+            DetectEngineInspectBufferGeneric, Ja3DetectGetHash);

    DetectBufferTypeSetDescriptionByName("ja3s.hash", "TLS JA3S hash");

--- a/src/detect-tls-ja3s-string.c
+++ b/src/detect-tls-ja3s-string.c
@ -64,26 +64,6 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
       void *txv, const int list_id);
 static int g_tls_ja3s_str_buffer_id = 0;

-static InspectionBuffer *GetJa3Data(DetectEngineThreadCtx *det_ctx,
-        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
-        const int list_id)
-{
-    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
-    if (buffer->inspect == NULL) {
-        uint32_t b_len = 0;
-        const uint8_t *b = NULL;
-
-        if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
-            return NULL;
-        if (b == NULL || b_len == 0)
-            return NULL;
-
-        InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
-        InspectionBufferApplyTransforms(buffer, transforms);
-    }
-    return buffer;
-}
-
 /**
 * \brief Registration function for keyword: ja3s.string
 */
@ -104,10 +84,10 @@ void DetectTlsJa3SStringRegister(void)
            PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, 0);

    DetectAppLayerMpmRegister2("ja3s.string", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
-            GetJa3Data, ALPROTO_QUIC, 1);
+            Ja3DetectGetString, ALPROTO_QUIC, 1);

    DetectAppLayerInspectEngineRegister2("ja3s.string", ALPROTO_QUIC, SIG_FLAG_TOCLIENT, 1,
-            DetectEngineInspectBufferGeneric, GetJa3Data);
+            DetectEngineInspectBufferGeneric, Ja3DetectGetString);

    DetectBufferTypeSetDescriptionByName("ja3s.string", "TLS JA3S string");

--- a/src/util-ja3.c
+++ b/src/util-ja3.c
@ -28,6 +28,8 @@
 #include "util-validate.h"
 #include "util-ja3.h"

+#include "detect-engine.h"
+
 #define MD5_STRING_LENGTH 33

 /**
@ -259,3 +261,47 @@ int Ja3IsDisabled(const char *type)

    return 0;
 }
+
+InspectionBuffer *Ja3DetectGetHash(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+        const int list_id)
+{
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+    if (buffer->inspect == NULL) {
+        uint32_t b_len = 0;
+        const uint8_t *b = NULL;
+
+        if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
+            return NULL;
+        if (b == NULL || b_len == 0)
+            return NULL;
+
+        uint8_t ja3_hash[SC_MD5_HEX_LEN + 1];
+        // this adds a final zero
+        SCMd5HashBufferToHex(b, b_len, (char *)ja3_hash, SC_MD5_HEX_LEN + 1);
+
+        InspectionBufferSetup(det_ctx, list_id, buffer, ja3_hash, SC_MD5_HEX_LEN);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+    return buffer;
+}
+
+InspectionBuffer *Ja3DetectGetString(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+        const int list_id)
+{
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+    if (buffer->inspect == NULL) {
+        uint32_t b_len = 0;
+        const uint8_t *b = NULL;
+
+        if (rs_quic_tx_get_ja3(txv, &b, &b_len) != 1)
+            return NULL;
+        if (b == NULL || b_len == 0)
+            return NULL;
+
+        InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+    return buffer;
+}
--- a/src/util-ja3.h
+++ b/src/util-ja3.h
@ -26,6 +26,8 @@

 #define JA3_BUFFER_INITIAL_SIZE 128

+#include "detect.h"
+
 typedef struct JA3Buffer_ {
    char *data;
    size_t size;
@ -39,5 +41,13 @@ int Ja3BufferAddValue(JA3Buffer **, uint32_t);
 char *Ja3GenerateHash(JA3Buffer *);
 int Ja3IsDisabled(const char *);

+InspectionBuffer *Ja3DetectGetHash(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+        const int list_id);
+
+InspectionBuffer *Ja3DetectGetString(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+        const int list_id);
+
 #endif /* __UTIL_JA3_H__ */