diff options
Diffstat (limited to 'framework/src/suricata/src/detect-ssl-version.c')
| -rw-r--r-- | framework/src/suricata/src/detect-ssl-version.c | 804 |
1 files changed, 804 insertions, 0 deletions
diff --git a/framework/src/suricata/src/detect-ssl-version.c b/framework/src/suricata/src/detect-ssl-version.c new file mode 100644 index 00000000..599d26b8 --- /dev/null +++ b/framework/src/suricata/src/detect-ssl-version.c @@ -0,0 +1,804 @@ +/* Copyright (C) 2007-2010 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file detect-ssl-version.c + * + * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com> + * + * Implements the ssl_version keyword + */ + +#include "suricata-common.h" +#include "threads.h" +#include "debug.h" +#include "decode.h" + +#include "detect.h" +#include "detect-parse.h" + +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-state.h" + +#include "flow.h" +#include "flow-var.h" +#include "flow-util.h" + +#include "util-debug.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" + +#include "app-layer.h" +#include "app-layer-parser.h" + +#include "detect-ssl-version.h" + +#include "stream-tcp.h" +#include "app-layer-ssl.h" + +/** + * \brief Regex for parsing "id" option, matching number or "number" + */ +#define PARSE_REGEX "^\\s*(!?[A-z0-9.]+)\\s*,?\\s*(!?[A-z0-9.]+)?\\s*\\,?\\s*" \ + "(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*$" + +static pcre *parse_regex; +static pcre_extra *parse_regex_study; + +int DetectSslVersionMatch(ThreadVars *, DetectEngineThreadCtx *, Flow *, + uint8_t, void *, Signature *, SigMatch *); +static int DetectSslVersionSetup(DetectEngineCtx *, Signature *, char *); +void DetectSslVersionRegisterTests(void); +void DetectSslVersionFree(void *); + +/** + * \brief Registration function for keyword: ssl_version + */ +void DetectSslVersionRegister(void) +{ + sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version"; + sigmatch_table[DETECT_AL_SSL_VERSION].Match = NULL; + sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerMatch = DetectSslVersionMatch; + sigmatch_table[DETECT_AL_SSL_VERSION].alproto = ALPROTO_TLS; + sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup; + sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree; + sigmatch_table[DETECT_AL_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests; + + const char *eb; + int eo; + int opts = 0; + + SCLogDebug("registering ssl_version rule option"); + + parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL); + if (parse_regex == NULL) { + SCLogError(SC_ERR_PCRE_COMPILE, "Compile of \"%s\" failed at offset %" PRId32 ": %s", + PARSE_REGEX, eo, eb); + goto error; + } + + parse_regex_study = pcre_study(parse_regex, 0, &eb); + if (eb != NULL) { + SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb); + goto error; + } + + return; + +error: + return; +} + +/** + * \brief match the specified version on a ssl session + * + * \param t pointer to thread vars + * \param det_ctx pointer to the pattern matcher thread + * \param p pointer to the current packet + * \param m pointer to the sigmatch that we will cast into DetectSslVersionData + * + * \retval 0 no match + * \retval 1 match + */ +int DetectSslVersionMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, + Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) +{ + SCEnter(); + + int ret = 0; + uint16_t ver = 0; + uint8_t sig_ver = TLS_UNKNOWN; + + DetectSslVersionData *ssl = (DetectSslVersionData *)m->ctx; + SSLState *app_state = (SSLState *)state; + if (app_state == NULL) { + SCLogDebug("no app state, no match"); + SCReturnInt(0); + } + + if (flags & STREAM_TOCLIENT) { + SCLogDebug("server (toclient) version is 0x%02X", + app_state->server_connp.version); + ver = app_state->server_connp.version; + } else if (flags & STREAM_TOSERVER) { + SCLogDebug("client (toserver) version is 0x%02X", + app_state->client_connp.version); + ver = app_state->client_connp.version; + } + + switch (ver) { + case SSL_VERSION_2: + if (ver == ssl->data[SSLv2].ver) + ret = 1; + sig_ver = SSLv2; + break; + case SSL_VERSION_3: + if (ver == ssl->data[SSLv3].ver) + ret = 1; + sig_ver = SSLv3; + break; + case TLS_VERSION_10: + if (ver == ssl->data[TLS10].ver) + ret = 1; + sig_ver = TLS10; + break; + case TLS_VERSION_11: + if (ver == ssl->data[TLS11].ver) + ret = 1; + sig_ver = TLS11; + break; + case TLS_VERSION_12: + if (ver == ssl->data[TLS12].ver) + ret = 1; + sig_ver = TLS12; + break; + } + + if (sig_ver == TLS_UNKNOWN) + SCReturnInt(0); + + SCReturnInt(ret ^ ((ssl->data[sig_ver].flags & DETECT_SSL_VERSION_NEGATED) ? 1 : 0)); +} + +/** + * \brief This function is used to parse ssl_version data passed via + * keyword: "ssl_version" + * + * \param str Pointer to the user provided options + * + * \retval ssl pointer to DetectSslVersionData on success + * \retval NULL on failure + */ +DetectSslVersionData *DetectSslVersionParse(char *str) +{ + DetectSslVersionData *ssl = NULL; + #define MAX_SUBSTRINGS 30 + int ret = 0, res = 0; + int ov[MAX_SUBSTRINGS]; + + ret = pcre_exec(parse_regex, parse_regex_study, str, strlen(str), 0, 0, + ov, MAX_SUBSTRINGS); + + if (ret < 1 || ret > 5) { + SCLogError(SC_ERR_PCRE_MATCH, "invalid ssl_version option"); + goto error; + } + + if (ret > 1) { + const char *str_ptr[5]; + char *orig; + uint8_t found = 0, neg = 0; + char *tmp_str; + + /* We have a correct ssl_version options */ + ssl = SCCalloc(1, sizeof (DetectSslVersionData)); + if (unlikely(ssl == NULL)) + goto error; + + int i; + for (i = 1; i < ret; i++) { + res = pcre_get_substring((char *) str, ov, MAX_SUBSTRINGS, i, &str_ptr[i]); + if (res < 0) { + SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); + if (found == 0) + goto error; + break; + } + + orig = SCStrdup((char*) str_ptr[i]); + if (unlikely(orig == NULL)) { + goto error; + } + tmp_str = orig; + + /* Let's see if we need to scape "'s */ + if (tmp_str[0] == '"') { + tmp_str[strlen(tmp_str) - 1] = '\0'; + tmp_str += 1; + } + + + if (tmp_str[0] == '!') { + neg = 1; + tmp_str++; + } + + if (strncasecmp("sslv2", tmp_str, 5) == 0) { + ssl->data[SSLv2].ver = SSL_VERSION_2; + if (neg == 1) + ssl->data[SSLv2].flags |= DETECT_SSL_VERSION_NEGATED; + } else if (strncasecmp("sslv3", tmp_str, 5) == 0) { + ssl->data[SSLv3].ver = SSL_VERSION_3; + if (neg == 1) + ssl->data[SSLv3].flags |= DETECT_SSL_VERSION_NEGATED; + } else if (strncasecmp("tls1.0", tmp_str, 6) == 0) { + ssl->data[TLS10].ver = TLS_VERSION_10; + if (neg == 1) + ssl->data[TLS10].flags |= DETECT_SSL_VERSION_NEGATED; + } else if (strncasecmp("tls1.1", tmp_str, 6) == 0) { + ssl->data[TLS11].ver = TLS_VERSION_11; + if (neg == 1) + ssl->data[TLS11].flags |= DETECT_SSL_VERSION_NEGATED; + } else if (strncasecmp("tls1.2", tmp_str, 6) == 0) { + ssl->data[TLS12].ver = TLS_VERSION_12; + if (neg == 1) + ssl->data[TLS12].flags |= DETECT_SSL_VERSION_NEGATED; + } else if (strcmp(tmp_str, "") == 0) { + SCFree(orig); + if (found == 0) + goto error; + break; + } else { + SCLogError(SC_ERR_INVALID_VALUE, "Invalid value"); + SCFree(orig); + goto error; + } + + found = 1; + neg = 0; + SCFree(orig); + } + } + + return ssl; + +error: + if (ssl != NULL) + DetectSslVersionFree(ssl); + return NULL; + +} + +/** + * \brief this function is used to add the parsed "id" option + * \brief into the current signature + * + * \param de_ctx pointer to the Detection Engine Context + * \param s pointer to the Current Signature + * \param idstr pointer to the user provided "id" option + * + * \retval 0 on Success + * \retval -1 on Failure + */ +static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) +{ + DetectSslVersionData *ssl = NULL; + SigMatch *sm = NULL; + + ssl = DetectSslVersionParse(str); + if (ssl == NULL) + goto error; + + /* Okay so far so good, lets get this into a SigMatch + * and put it in the Signature. */ + sm = SigMatchAlloc(); + if (sm == NULL) + goto error; + + sm->type = DETECT_AL_SSL_VERSION; + sm->ctx = (void *)ssl; + + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH); + + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + goto error; + } + + s->alproto = ALPROTO_TLS; + return 0; + +error: + if (ssl != NULL) + DetectSslVersionFree(ssl); + if (sm != NULL) + SCFree(sm); + return -1; +} + +/** + * \brief this function will free memory associated with DetectSslVersionData + * + * \param id_d pointer to DetectSslVersionData + */ +void DetectSslVersionFree(void *ptr) +{ + if (ptr != NULL) + SCFree(ptr); +} + +/**********************************Unittests***********************************/ + +#ifdef UNITTESTS /* UNITTESTS */ + +/** + * \test DetectSslVersionTestParse01 is a test to make sure that we parse the + * "ssl_version" option correctly when given valid ssl_version option + */ +int DetectSslVersionTestParse01(void) +{ + DetectSslVersionData *ssl = NULL; + ssl = DetectSslVersionParse("SSlv3"); + if (ssl != NULL && ssl->data[SSLv3].ver == SSL_VERSION_3) { + DetectSslVersionFree(ssl); + return 1; + } + + return 0; +} + +/** + * \test DetectSslVersionTestParse02 is a test to make sure that we parse the + * "ssl_version" option correctly when given an invalid ssl_version option + * it should return ssl = NULL + */ +int DetectSslVersionTestParse02(void) +{ + DetectSslVersionData *ssl = NULL; + ssl = DetectSslVersionParse("2.5"); + if (ssl == NULL) { + DetectSslVersionFree(ssl); + return 1; + } + + return 0; +} + +/** + * \test DetectSslVersionTestParse03 is a test to make sure that we parse the + * "ssl_version" options correctly when given valid ssl_version options + */ +int DetectSslVersionTestParse03(void) +{ + DetectSslVersionData *ssl = NULL; + ssl = DetectSslVersionParse("SSlv3,tls1.0, !tls1.2"); + if (ssl != NULL && ssl->data[SSLv3].ver == SSL_VERSION_3 && + ssl->data[TLS10].ver == TLS_VERSION_10 && + ssl->data[TLS12].ver == TLS_VERSION_12 && + ssl->data[TLS12].flags & DETECT_SSL_VERSION_NEGATED) + { + DetectSslVersionFree(ssl); + return 1; + } + + return 0; +} + +#include "stream-tcp-reassemble.h" + +/** \test Send a get request in three chunks + more data. */ +static int DetectSslVersionTestDetect01(void) +{ + int result = 0; + Flow f; + uint8_t sslbuf1[] = { 0x16 }; + uint32_t ssllen1 = sizeof(sslbuf1); + uint8_t sslbuf2[] = { 0x03 }; + uint32_t ssllen2 = sizeof(sslbuf2); + uint8_t sslbuf3[] = { 0x01 }; + uint32_t ssllen3 = sizeof(sslbuf3); + uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 }; + uint32_t ssllen4 = sizeof(sslbuf4); + TcpSession ssn; + Packet *p = NULL; + Signature *s = NULL; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.proto = IPPROTO_TCP; + p->flow = &f; + p->flowflags |= FLOW_PKT_TOSERVER; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; + f.alproto = ALPROTO_TLS; + + StreamTcpInitConfig(TRUE); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)"); + if (s == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + SCMutexLock(&f.m); + int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf1, ssllen1); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf2, ssllen2); + if (r != 0) { + printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf3, ssllen3); + if (r != 0) { + printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf4, ssllen4); + if (r != 0) { + printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + SCMutexUnlock(&f.m); + + SSLState *app_state = f.alstate; + if (app_state == NULL) { + printf("no ssl state: "); + goto end; + } + + if (app_state->client_connp.content_type != 0x16) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_connp.content_type); + goto end; + } + + if (app_state->client_connp.version != TLS_VERSION_10) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_connp.version); + goto end; + } + + SCLogDebug("app_state is at %p, app_state->server_connp.version 0x%02X app_state->client_connp.version 0x%02X", + app_state, app_state->server_connp.version, app_state->client_connp.version); + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + if (!(PacketAlertCheck(p, 1))) { + goto end; + } + + result = 1; + +end: + if (alp_tctx != NULL) + AppLayerParserThreadCtxFree(alp_tctx); + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + + UTHFreePackets(&p, 1); + return result; +} + +static int DetectSslVersionTestDetect02(void) +{ + int result = 0; + Flow f; + uint8_t sslbuf1[] = { 0x16 }; + uint32_t ssllen1 = sizeof(sslbuf1); + uint8_t sslbuf2[] = { 0x03 }; + uint32_t ssllen2 = sizeof(sslbuf2); + uint8_t sslbuf3[] = { 0x01 }; + uint32_t ssllen3 = sizeof(sslbuf3); + uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 }; + uint32_t ssllen4 = sizeof(sslbuf4); + TcpSession ssn; + Packet *p = NULL; + Signature *s = NULL; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.proto = IPPROTO_TCP; + p->flow = &f; + p->flowflags |= FLOW_PKT_TOSERVER; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; + f.alproto = ALPROTO_TLS; + + StreamTcpInitConfig(TRUE); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)"); + if (s == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + SCMutexLock(&f.m); + int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf1, ssllen1); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf2, ssllen2); + if (r != 0) { + printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf3, ssllen3); + if (r != 0) { + printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf4, ssllen4); + if (r != 0) { + printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + SCMutexUnlock(&f.m); + + SSLState *app_state = f.alstate; + if (app_state == NULL) { + printf("no ssl state: "); + goto end; + } + + if (app_state->client_connp.content_type != 0x16) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_connp.content_type); + goto end; + } + + if (app_state->client_connp.version != TLS_VERSION_10) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_connp.version); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + if (!(PacketAlertCheck(p, 1))) { + printf("signature 1 didn't match while it should have: "); + goto end; + } + + result = 1; + +end: + if (alp_tctx != NULL) + AppLayerParserThreadCtxFree(alp_tctx); + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p, 1); + return result; +} + +static int DetectSslVersionTestDetect03(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + Flow f; + uint8_t sslbuf1[] = { 0x16 }; + uint32_t ssllen1 = sizeof(sslbuf1); + uint8_t sslbuf2[] = { 0x03 }; + uint32_t ssllen2 = sizeof(sslbuf2); + uint8_t sslbuf3[] = { 0x01 }; + uint32_t ssllen3 = sizeof(sslbuf3); + uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 }; + uint32_t ssllen4 = sizeof(sslbuf4); + TcpSession ssn; + Packet *p = NULL; + Signature *s = NULL; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + p->tcph->th_seq = htonl(1000); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + p->flow = &f; + p->flowflags |= FLOW_PKT_TOSERVER; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; + f.alproto = ALPROTO_TLS; + f.proto = p->proto; + + StreamTcpInitConfig(TRUE); + + StreamMsg *stream_msg = StreamMsgGetFromPool(); + if (stream_msg == NULL) { + printf("no stream_msg: "); + goto end; + } + + memcpy(stream_msg->data, sslbuf4, ssllen4); + stream_msg->data_len = ssllen4; + + ssn.toserver_smsg_head = stream_msg; + ssn.toserver_smsg_tail = stream_msg; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; content:\"|01 00 00 AD|\"; sid:1;)"); + if (s == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + SCMutexLock(&f.m); + int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf1, ssllen1); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf2, ssllen2); + if (r != 0) { + printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf3, ssllen3); + if (r != 0) { + printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf4, ssllen4); + if (r != 0) { + printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r); + SCMutexUnlock(&f.m); + goto end; + } + SCMutexUnlock(&f.m); + + SSLState *app_state = f.alstate; + if (app_state == NULL) { + printf("no ssl state: "); + goto end; + } + + if (app_state->client_connp.content_type != 0x16) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_connp.content_type); + goto end; + } + + if (app_state->client_connp.version != TLS_VERSION_10) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_connp.version); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + if (!(PacketAlertCheck(p, 1))) { + printf("signature 1 didn't match while it should have: "); + goto end; + } + + result = 1; + +end: + if (alp_tctx != NULL) + AppLayerParserThreadCtxFree(alp_tctx); + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + } + + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p, 1); + return result; +} + +#endif /* UNITTESTS */ + +/** + * \brief this function registers unit tests for DetectSslVersion + */ +void DetectSslVersionRegisterTests(void) +{ +#ifdef UNITTESTS /* UNITTESTS */ + UtRegisterTest("DetectSslVersionTestParse01", DetectSslVersionTestParse01, 1); + UtRegisterTest("DetectSslVersionTestParse02", DetectSslVersionTestParse02, 1); + UtRegisterTest("DetectSslVersionTestParse03", DetectSslVersionTestParse03, 1); + UtRegisterTest("DetectSslVersionTestDetect01", DetectSslVersionTestDetect01, 1); + UtRegisterTest("DetectSslVersionTestDetect02", DetectSslVersionTestDetect02, 1); + UtRegisterTest("DetectSslVersionTestDetect03", DetectSslVersionTestDetect03, 1); +#endif /* UNITTESTS */ + + return; +} |