1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #ifndef HAVE_NSS
19 
/**
 * \brief Registration hook for the ja3s.string unit tests when the build
 *        has no NSS support.
 *
 * Intentionally a no-op: without NSS there are no ja3s.string tests to
 * register, but the hook is still defined so the caller is unchanged.
 */
static void DetectTlsJa3SStringRegisterTests(void)
{
    return;
}
24 
25 #else /* HAVE_NSS */
26 
27 /**
28  * \test Test ja3s.string matching on a simple client hello / server hello exchange
29  */
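/**
 * \brief Feed one client hello and one server hello through the TLS parser
 *        and check that a ja3s.string rule fires on the server hello only.
 *
 * The rule content "771,49199,65281-0-35-16-11" is the JA3S string built from
 * the server_hello bytes below: version 0x0303 (771), cipher suite 0xc02f
 * (49199) and the extension types 0xff01, 0x0000, 0x0023, 0x0010 and 0x000b,
 * in that order. After only the client hello has been parsed there is no
 * server-side JA3S data yet, so the rule must not match on p1.
 *
 * Every allocation and init helper is checked with FAIL_IF_NULL; the test
 * framework's FAIL_IF* macros return early, so the cleanup at the bottom
 * runs on the success path only.
 *
 * \retval 1 on PASS, 0 when any FAIL_IF* check trips.
 */
static int DetectTlsJa3SStringTest01(void)
{
    /* client hello */
    uint8_t client_hello[] = {
            0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
            0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
            0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
            0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
            0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
            0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
            0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
            0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
            0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
            0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
            0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
            0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
            0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
            0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
            0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
            0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
            0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
            0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
            0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
            0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
            0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
            0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
            0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
            0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
            0x03, 0x04, 0x02, 0x02, 0x02
    };

    /* server hello: version 0x0303, cipher 0xc02f, extensions
     * ff01 / 0000 / 0023 / 0010 / 000b -> JA3S "771,49199,65281-0-35-16-11" */
    uint8_t server_hello[] = {
            0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
            0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
            0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
            0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
            0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
            0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
            0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
            0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
            0x0b, 0x00, 0x02, 0x01, 0x00
    };

    Flow f;
    SSLState *ssl_state = NULL;
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    /* Allocation can fail; without this check the parse below would
     * dereference NULL instead of reporting a test failure. */
    FAIL_IF_NULL(alp_tctx);

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* p1 carries the client hello to the server, p2 the server hello back. */
    p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
                            "192.168.1.5", "192.168.1.1", 51251, 443);
    FAIL_IF_NULL(p1);
    p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
                            "192.168.1.1", "192.168.1.5", 443, 51251);
    FAIL_IF_NULL(p2);

    FLOW_INITIALIZE(&f);
    f.flags |= FLOW_IPV4;
    f.proto = IPPROTO_TCP;
    f.protomap = FlowGetProtoMapping(f.proto);
    f.alproto = ALPROTO_TLS;

    p1->flow = &f;
    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p1->flowflags |= FLOW_PKT_TOSERVER;
    p1->flowflags |= FLOW_PKT_ESTABLISHED;
    p1->pcap_cnt = 1;

    p2->flow = &f;
    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p2->flowflags |= FLOW_PKT_TOCLIENT;
    p2->flowflags |= FLOW_PKT_ESTABLISHED;
    p2->pcap_cnt = 2;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    de_ctx->mpm_matcher = mpm_default_matcher;
    de_ctx->flags |= DE_QUIET;

    /* The content is the full JA3S string expected for server_hello. */
    Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
                                "(msg:\"Test ja3s_hash\"; "
                                "ja3s.string; "
                                "content:\"771,49199,65281-0-35-16-11\"; "
                                "sid:1;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
                                STREAM_TOSERVER, client_hello,
                                sizeof(client_hello));

    FAIL_IF(r != 0);

    ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p1);

    /* Only the client side has been seen: no JA3S yet, so sid 1 must not fire. */
    FAIL_IF(PacketAlertCheck(p1, 1));

    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
                            server_hello, sizeof(server_hello));

    FAIL_IF(r != 0);

    /* The server hello must have produced a JA3 string on the server side. */
    FAIL_IF_NULL(ssl_state->server_connp.ja3_str);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p2);

    FAIL_IF_NOT(PacketAlertCheck(p2, 1));

    /* Success-path teardown, in reverse order of setup. */
    AppLayerParserThreadCtxFree(alp_tctx);
    DetectEngineThreadCtxDeinit(&tv, det_ctx);
    DetectEngineCtxFree(de_ctx);
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePacket(p1);
    UTHFreePacket(p2);

    PASS;
}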
164 
/**
 * \brief Register the ja3s.string unit tests with the unittest runner
 *        (NSS build only).
 */
static void DetectTlsJa3SStringRegisterTests(void)
{
    static const char *const test01_name = "DetectTlsJa3SStringTest01";

    UtRegisterTest(test01_name, DetectTlsJa3SStringTest01);
}
169 
170 #endif /* HAVE_NSS */