/* Copyright (C) 2007-2020 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free * Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * version 2 along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301, USA. */ /** * \file detect-ssl-version.c * * \author Gurvinder Singh * * Implements the ssl_version keyword */ #include "suricata-common.h" #include "threads.h" #include "debug.h" #include "decode.h" #include "detect.h" #include "detect-parse.h" #include "detect-engine.h" #include "detect-engine-mpm.h" #include "detect-engine-state.h" #include "flow.h" #include "flow-var.h" #include "flow-util.h" #include "util-debug.h" #include "util-unittest.h" #include "util-unittest-helper.h" #include "app-layer.h" #include "app-layer-parser.h" #include "detect-ssl-version.h" #include "stream-tcp.h" #include "app-layer-ssl.h" /** * \brief Regex for parsing "id" option, matching number or "number" */ #define PARSE_REGEX "^\\s*(!?[A-z0-9.]+)\\s*,?\\s*(!?[A-z0-9.]+)?\\s*\\,?\\s*" \ "(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*$" static DetectParseRegex parse_regex; static int DetectSslVersionMatch(DetectEngineThreadCtx *, Flow *, uint8_t, void *, void *, const Signature *, const SigMatchCtx *); static int DetectSslVersionSetup(DetectEngineCtx *, Signature *, const char *); #ifdef UNITTESTS static void DetectSslVersionRegisterTests(void); #endif static void DetectSslVersionFree(DetectEngineCtx *, void *); static int g_tls_generic_list_id = 0; /** * \brief Registration function for keyword: ssl_version */ void DetectSslVersionRegister(void) { sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version"; sigmatch_table[DETECT_AL_SSL_VERSION].desc = "match version of SSL/TLS record"; sigmatch_table[DETECT_AL_SSL_VERSION].url = "/rules/tls-keywords.html#ssl-version"; sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch; sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup; sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree; #ifdef UNITTESTS sigmatch_table[DETECT_AL_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests; #endif DetectSetupParseRegexes(PARSE_REGEX, &parse_regex); g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic"); } /** * \brief match the specified version on a ssl session * * \param t pointer to thread vars * \param det_ctx pointer to the pattern matcher thread * \param p pointer to the current packet * \param m pointer to the sigmatch that we will cast into DetectSslVersionData * * \retval 0 no match * \retval 1 match */ static int DetectSslVersionMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, void *txv, const Signature *s, const SigMatchCtx *m) { SCEnter(); int ret = 0; uint16_t ver = 0; uint8_t sig_ver = TLS_UNKNOWN; const DetectSslVersionData *ssl = (const DetectSslVersionData *)m; SSLState *app_state = (SSLState *)state; if (app_state == NULL) { SCLogDebug("no app state, no match"); SCReturnInt(0); } if (flags & STREAM_TOCLIENT) { SCLogDebug("server (toclient) version is 0x%02X", app_state->server_connp.version); ver = app_state->server_connp.version; } else if (flags & STREAM_TOSERVER) { SCLogDebug("client (toserver) version is 0x%02X", app_state->client_connp.version); ver = app_state->client_connp.version; } switch (ver) { case SSL_VERSION_2: if (ver == ssl->data[SSLv2].ver) ret = 1; sig_ver = SSLv2; break; case SSL_VERSION_3: if (ver == ssl->data[SSLv3].ver) ret = 1; sig_ver = SSLv3; break; case TLS_VERSION_10: if (ver == ssl->data[TLS10].ver) ret = 1; sig_ver = TLS10; break; case TLS_VERSION_11: if (ver == ssl->data[TLS11].ver) ret = 1; sig_ver = TLS11; break; case TLS_VERSION_12: if (ver == ssl->data[TLS12].ver) ret = 1; sig_ver = TLS12; break; case TLS_VERSION_13_DRAFT28: case TLS_VERSION_13_DRAFT27: case TLS_VERSION_13_DRAFT26: case TLS_VERSION_13_DRAFT25: case TLS_VERSION_13_DRAFT24: case TLS_VERSION_13_DRAFT23: case TLS_VERSION_13_DRAFT22: case TLS_VERSION_13_DRAFT21: case TLS_VERSION_13_DRAFT20: case TLS_VERSION_13_DRAFT19: case TLS_VERSION_13_DRAFT18: case TLS_VERSION_13_DRAFT17: case TLS_VERSION_13_DRAFT16: case TLS_VERSION_13_PRE_DRAFT16: if (((ver >> 8) & 0xff) == 0x7f) ver = TLS_VERSION_13; /* fall through */ case TLS_VERSION_13: if (ver == ssl->data[TLS13].ver) ret = 1; sig_ver = TLS13; break; } if (sig_ver == TLS_UNKNOWN) SCReturnInt(0); SCReturnInt(ret ^ ((ssl->data[sig_ver].flags & DETECT_SSL_VERSION_NEGATED) ? 1 : 0)); } /** * \brief This function is used to parse ssl_version data passed via * keyword: "ssl_version" * * \param de_ctx Pointer to the detection engine context * \param str Pointer to the user provided options * * \retval ssl pointer to DetectSslVersionData on success * \retval NULL on failure */ static DetectSslVersionData *DetectSslVersionParse(DetectEngineCtx *de_ctx, const char *str) { DetectSslVersionData *ssl = NULL; int ret = 0, res = 0; int ov[MAX_SUBSTRINGS]; ret = DetectParsePcreExec(&parse_regex, str, 0, 0, ov, MAX_SUBSTRINGS); if (ret < 1 || ret > 5) { SCLogError(SC_ERR_PCRE_MATCH, "invalid ssl_version option"); goto error; } if (ret > 1) { uint8_t found = 0, neg = 0; char *tmp_str; /* We have a correct ssl_version options */ ssl = SCCalloc(1, sizeof (DetectSslVersionData)); if (unlikely(ssl == NULL)) goto error; int i; for (i = 1; i < ret; i++) { char ver_ptr[64]; res = pcre_copy_substring((char *) str, ov, MAX_SUBSTRINGS, i, ver_ptr, sizeof(ver_ptr)); if (res < 0) { SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); if (found == 0) goto error; break; } tmp_str = ver_ptr; /* Let's see if we need to scape "'s */ if (tmp_str[0] == '"') { tmp_str[strlen(tmp_str) - 1] = '\0'; tmp_str += 1; } if (tmp_str[0] == '!') { neg = 1; tmp_str++; } if (strcasecmp("sslv2", tmp_str) == 0) { ssl->data[SSLv2].ver = SSL_VERSION_2; if (neg == 1) ssl->data[SSLv2].flags |= DETECT_SSL_VERSION_NEGATED; } else if (strcasecmp("sslv3", tmp_str) == 0) { ssl->data[SSLv3].ver = SSL_VERSION_3; if (neg == 1) ssl->data[SSLv3].flags |= DETECT_SSL_VERSION_NEGATED; } else if (strcasecmp("tls1.0", tmp_str) == 0) { ssl->data[TLS10].ver = TLS_VERSION_10; if (neg == 1) ssl->data[TLS10].flags |= DETECT_SSL_VERSION_NEGATED; } else if (strcasecmp("tls1.1", tmp_str) == 0) { ssl->data[TLS11].ver = TLS_VERSION_11; if (neg == 1) ssl->data[TLS11].flags |= DETECT_SSL_VERSION_NEGATED; } else if (strcasecmp("tls1.2", tmp_str) == 0) { ssl->data[TLS12].ver = TLS_VERSION_12; if (neg == 1) ssl->data[TLS12].flags |= DETECT_SSL_VERSION_NEGATED; } else if (strcasecmp("tls1.3", tmp_str) == 0) { ssl->data[TLS13].ver = TLS_VERSION_13; if (neg == 1) ssl->data[TLS13].flags |= DETECT_SSL_VERSION_NEGATED; } else if (strcmp(tmp_str, "") == 0) { if (found == 0) goto error; break; } else { SCLogError(SC_ERR_INVALID_VALUE, "Invalid value"); goto error; } found = 1; neg = 0; } } return ssl; error: if (ssl != NULL) DetectSslVersionFree(de_ctx, ssl); return NULL; } /** * \brief this function is used to add the parsed "id" option * \brief into the current signature * * \param de_ctx pointer to the Detection Engine Context * \param s pointer to the Current Signature * \param idstr pointer to the user provided "id" option * * \retval 0 on Success * \retval -1 on Failure */ static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str) { DetectSslVersionData *ssl = NULL; SigMatch *sm = NULL; if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) return -1; ssl = DetectSslVersionParse(de_ctx, str); if (ssl == NULL) goto error; /* Okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ sm = SigMatchAlloc(); if (sm == NULL) goto error; sm->type = DETECT_AL_SSL_VERSION; sm->ctx = (void *)ssl; SigMatchAppendSMToList(s, sm, g_tls_generic_list_id); return 0; error: if (ssl != NULL) DetectSslVersionFree(de_ctx, ssl); if (sm != NULL) SCFree(sm); return -1; } /** * \brief this function will free memory associated with DetectSslVersionData * * \param id_d pointer to DetectSslVersionData */ void DetectSslVersionFree(DetectEngineCtx *de_ctx, void *ptr) { if (ptr != NULL) SCFree(ptr); } #ifdef UNITTESTS #include "tests/detect-ssl-version.c" #endif