1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18 /**
19 * \file detect-ssl-version.c
20 *
21 * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
22 *
23 */
24
25 /**
26 * \test DetectSslVersionTestParse01 is a test to make sure that we parse the
27 * "ssl_version" option correctly when given valid ssl_version option
28 */
DetectSslVersionTestParse01(void)29 static int DetectSslVersionTestParse01(void)
30 {
31 DetectSslVersionData *ssl = NULL;
32 ssl = DetectSslVersionParse(NULL, "SSlv3");
33 FAIL_IF_NULL(ssl);
34 FAIL_IF_NOT(ssl->data[SSLv3].ver == SSL_VERSION_3);
35 DetectSslVersionFree(NULL, ssl);
36 PASS;
37 }
38
39 /**
40 * \test DetectSslVersionTestParse02 is a test to make sure that we parse the
41 * "ssl_version" option correctly when given an invalid ssl_version option
42 * it should return ssl = NULL
43 */
DetectSslVersionTestParse02(void)44 static int DetectSslVersionTestParse02(void)
45 {
46 DetectSslVersionData *ssl = NULL;
47 ssl = DetectSslVersionParse(NULL, "2.5");
48 FAIL_IF_NOT_NULL(ssl);
49 DetectSslVersionFree(NULL, ssl);
50 ssl = DetectSslVersionParse(NULL, "tls1.0, !");
51 FAIL_IF_NOT_NULL(ssl);
52 DetectSslVersionFree(NULL, ssl);
53 ssl = DetectSslVersionParse(NULL, "tls1.0, !tls1.0");
54 FAIL_IF_NOT_NULL(ssl);
55 DetectSslVersionFree(NULL, ssl);
56 ssl = DetectSslVersionParse(NULL, "tls1.1, tls1.1");
57 FAIL_IF_NOT_NULL(ssl);
58 DetectSslVersionFree(NULL, ssl);
59 ssl = DetectSslVersionParse(NULL, "tls1.1, !tls1.2");
60 FAIL_IF_NOT_NULL(ssl);
61 DetectSslVersionFree(NULL, ssl);
62 PASS;
63 }
64
65 /**
66 * \test DetectSslVersionTestParse03 is a test to make sure that we parse the
67 * "ssl_version" options correctly when given valid ssl_version options
68 */
DetectSslVersionTestParse03(void)69 static int DetectSslVersionTestParse03(void)
70 {
71 DetectSslVersionData *ssl = NULL;
72 ssl = DetectSslVersionParse(NULL, "SSlv3 , tls1.0");
73 FAIL_IF_NULL(ssl);
74 FAIL_IF_NOT(ssl->data[SSLv3].ver == SSL_VERSION_3);
75 FAIL_IF_NOT(ssl->data[TLS10].ver == TLS_VERSION_10);
76 DetectSslVersionFree(NULL, ssl);
77 ssl = DetectSslVersionParse(NULL, " !tls1.2");
78 FAIL_IF_NULL(ssl);
79 FAIL_IF_NOT(ssl->data[TLS12].ver == TLS_VERSION_12);
80 FAIL_IF_NOT(ssl->data[TLS12].flags & DETECT_SSL_VERSION_NEGATED);
81 DetectSslVersionFree(NULL, ssl);
82 PASS;
83 }
84
85 #include "stream-tcp-reassemble.h"
86
87 /** \test Send a get request in three chunks + more data. */
DetectSslVersionTestDetect01(void)88 static int DetectSslVersionTestDetect01(void)
89 {
90 Flow f;
91 uint8_t sslbuf1[] = { 0x16 };
92 uint32_t ssllen1 = sizeof(sslbuf1);
93 uint8_t sslbuf2[] = { 0x03 };
94 uint32_t ssllen2 = sizeof(sslbuf2);
95 uint8_t sslbuf3[] = { 0x01 };
96 uint32_t ssllen3 = sizeof(sslbuf3);
97 uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 };
98 uint32_t ssllen4 = sizeof(sslbuf4);
99 TcpSession ssn;
100 Packet *p = NULL;
101 Signature *s = NULL;
102 ThreadVars th_v;
103 DetectEngineThreadCtx *det_ctx = NULL;
104 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
105
106 memset(&th_v, 0, sizeof(th_v));
107 memset(&f, 0, sizeof(f));
108 memset(&ssn, 0, sizeof(ssn));
109
110 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
111
112 FLOW_INITIALIZE(&f);
113 f.protoctx = (void *)&ssn;
114 f.proto = IPPROTO_TCP;
115 p->flow = &f;
116 p->flowflags |= FLOW_PKT_TOSERVER;
117 p->flowflags |= FLOW_PKT_ESTABLISHED;
118 p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
119 f.alproto = ALPROTO_TLS;
120
121 StreamTcpInitConfig(TRUE);
122
123 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
124 FAIL_IF_NULL(de_ctx);
125
126 de_ctx->flags |= DE_QUIET;
127
128 s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)");
129 FAIL_IF_NULL(s);
130
131 SigGroupBuild(de_ctx);
132 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
133
134 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
135 STREAM_TOSERVER, sslbuf1, ssllen1);
136 FAIL_IF(r != 0);
137
138 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
139 sslbuf2, ssllen2);
140 FAIL_IF(r != 0);
141
142 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
143 sslbuf3, ssllen3);
144 FAIL_IF(r != 0);
145
146 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
147 sslbuf4, ssllen4);
148 FAIL_IF(r != 0);
149
150 SSLState *app_state = f.alstate;
151 FAIL_IF_NULL(app_state);
152
153 FAIL_IF(app_state->client_connp.content_type != 0x16);
154
155 FAIL_IF(app_state->client_connp.version != TLS_VERSION_10);
156
157 SCLogDebug("app_state is at %p, app_state->server_connp.version 0x%02X app_state->client_connp.version 0x%02X",
158 app_state, app_state->server_connp.version, app_state->client_connp.version);
159
160 /* do detect */
161 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
162
163 FAIL_IF_NOT(PacketAlertCheck(p, 1));
164
165 AppLayerParserThreadCtxFree(alp_tctx);
166 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
167 DetectEngineCtxFree(de_ctx);
168
169 StreamTcpFreeConfig(TRUE);
170 FLOW_DESTROY(&f);
171
172 UTHFreePackets(&p, 1);
173
174 PASS;
175 }
176
DetectSslVersionTestDetect02(void)177 static int DetectSslVersionTestDetect02(void)
178 {
179 Flow f;
180 uint8_t sslbuf1[] = { 0x16 };
181 uint32_t ssllen1 = sizeof(sslbuf1);
182 uint8_t sslbuf2[] = { 0x03 };
183 uint32_t ssllen2 = sizeof(sslbuf2);
184 uint8_t sslbuf3[] = { 0x01 };
185 uint32_t ssllen3 = sizeof(sslbuf3);
186 uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 };
187 uint32_t ssllen4 = sizeof(sslbuf4);
188 TcpSession ssn;
189 Packet *p = NULL;
190 Signature *s = NULL;
191 ThreadVars th_v;
192 DetectEngineThreadCtx *det_ctx = NULL;
193 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
194
195 memset(&th_v, 0, sizeof(th_v));
196 memset(&f, 0, sizeof(f));
197 memset(&ssn, 0, sizeof(ssn));
198
199 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
200
201 FLOW_INITIALIZE(&f);
202 f.protoctx = (void *)&ssn;
203 f.proto = IPPROTO_TCP;
204 p->flow = &f;
205 p->flowflags |= FLOW_PKT_TOSERVER;
206 p->flowflags |= FLOW_PKT_ESTABLISHED;
207 p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
208 f.alproto = ALPROTO_TLS;
209
210 StreamTcpInitConfig(TRUE);
211
212 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
213 FAIL_IF_NULL(de_ctx);
214
215 de_ctx->flags |= DE_QUIET;
216
217 s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)");
218 FAIL_IF_NULL(s);
219
220 SigGroupBuild(de_ctx);
221 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
222
223 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
224 STREAM_TOSERVER, sslbuf1, ssllen1);
225 FAIL_IF(r != 0);
226
227 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
228 sslbuf2, ssllen2);
229 FAIL_IF(r != 0);
230
231 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
232 sslbuf3, ssllen3);
233 FAIL_IF(r != 0);
234
235 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
236 sslbuf4, ssllen4);
237 FAIL_IF(r != 0);
238
239 SSLState *app_state = f.alstate;
240 FAIL_IF_NULL(app_state);
241
242 FAIL_IF(app_state->client_connp.content_type != 0x16);
243
244 FAIL_IF(app_state->client_connp.version != TLS_VERSION_10);
245
246 /* do detect */
247 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
248
249 FAIL_IF_NOT(PacketAlertCheck(p, 1));
250
251 AppLayerParserThreadCtxFree(alp_tctx);
252 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
253 DetectEngineCtxFree(de_ctx);
254 StreamTcpFreeConfig(TRUE);
255 FLOW_DESTROY(&f);
256 UTHFreePackets(&p, 1);
257
258 PASS;
259 }
260
261 /**
262 * \brief this function registers unit tests for DetectSslVersion
263 */
DetectSslVersionRegisterTests(void)264 static void DetectSslVersionRegisterTests(void)
265 {
266 UtRegisterTest("DetectSslVersionTestParse01", DetectSslVersionTestParse01);
267 UtRegisterTest("DetectSslVersionTestParse02", DetectSslVersionTestParse02);
268 UtRegisterTest("DetectSslVersionTestParse03", DetectSslVersionTestParse03);
269 UtRegisterTest("DetectSslVersionTestDetect01",
270 DetectSslVersionTestDetect01);
271 UtRegisterTest("DetectSslVersionTestDetect02",
272 DetectSslVersionTestDetect02);
273 }
274